[Samba] winbindd hangs and makes the system unusable when DC is offline

Rowland Penny rowlandpenny241155 at gmail.com
Wed Jul 1 07:57:11 MDT 2015


On 01/07/15 12:59, Felix Matouschek wrote:
> Hello,
>   
> I am using winbindd to map users via the idmap_ad backend from a Samba 4.2.2 AD to another machine in the network.
> Everything works fine unless I shut down the DC.
> I would expect winbindd to realize the DC is offline and shut down or something; however, instead of realizing something is wrong,
> it goes into some kind of reconnection loop and makes the whole system unusable.
> As soon as I kill winbindd or the DC comes online again everything goes back to normal.
>   
> Is there any option to limit the count of reconnection tries when a DC is offline? Or have I overlooked something perhaps?
>   
> My smb.conf looks like this:
>   
> [global]
>      netbios name = MyServer
>      server string = Fileserver (%h V:%v)
>   
>      workgroup = INTRANET
>      realm = INTRANET.MYDOMAIN.DE
>      security = ADS
>   
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind expand groups = 1
>      winbind nested groups = yes
>      winbind use default domain = yes
>      winbind normalize names = yes
>      winbind refresh tickets = yes
>      winbind nss info = rfc2307:INTRANET, template
>      template shell = /bin/bash
>      template homedir = /home/users/%U
>      idmap_ldb:use rfc2307 = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 1000000 - 1999999
>      idmap config INTRANET : backend = ad
>      idmap config INTRANET : schema_mode = rfc2307
>      idmap config INTRANET : range = 5000 - 40000
>   
>      map untrusted to domain = yes
>   
>      unix extensions = no
>      invalid users = root, vipco-admin
>   
>      acl allow execute always = yes
>   
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>      load printers = no
>   
>      deadtime = 10
>      use sendfile = yes
>      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>   
> Greetings,
> Felix

You could try 'winbind offline logon', have a look here:
https://wiki.samba.org/index.php/PAM_Offline_Authentication

Whilst you are adding the line to smb.conf, I would suggest you make the 
following changes:

Change:
     winbind nss info = rfc2307:INTRANET, template
To:
     winbind nss info = rfc2307

Remove:
     idmap_ldb:use rfc2307 = yes

It should only be on an AD DC.

Remove:
     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

You could be making things worse, just allow the kernel to sort these 
things.

Finally, why are you using templates? You can and should have these in AD.

     template shell = /bin/bash
     template homedir = /home/users/%U

Rowland
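
The suggestions in the reply above, written as a check that can be run against a domain member's smb.conf. This is an added example, not part of the original message and not a Samba tool; the function names and finding strings are hypothetical, and backslash line continuation is not handled.

```python
import re

# Constructed sample: winbind-related lines from the smb.conf quoted above.
SAMPLE = """\
[global]
    security = ADS
    winbind nss info = rfc2307:INTRANET, template
    template shell = /bin/bash
    template homedir = /home/users/%U
    idmap_ldb:use rfc2307 = yes
    idmap config INTRANET : backend = ad
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return the reply's suggestions that apply to this smb.conf (hypothetical helper)."""
    p, out = parse_global(text), []
    is_dc = p.get("serverrole", "").lower() == "active directory domain controller"
    if p.get("winbindofflinelogon", "no").lower() not in ("yes", "true", "1"):
        out.append("add: winbind offline logon = yes")
    if p.get("winbindnssinfo", "rfc2307").lower() != "rfc2307":
        out.append("change: winbind nss info = rfc2307")
    if "idmap_ldb:userfc2307" in p and not is_dc:
        out.append("remove: idmap_ldb:use rfc2307 (AD DC only)")
    if "socketoptions" in p:
        out.append("remove: socket options")
    for key, name in (("templateshell", "template shell"), ("templatehomedir", "template homedir")):
        if key in p:
            out.append(f"review: {name} (reply suggests keeping this in AD)")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```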


