[Samba] winbindd hangs and makes the system unuseable when DC is offline

Felix Matouschek felix.matouschek at vipco.de
Wed Jul 1 08:24:19 MDT 2015

Hello Rowland,

yes, indeed, "idmap_ldb:use rfc2307 = yes" can be removed.

As for the templates, I need those lines on the DC since it won't apply the values for login shell and home dir automatically via rfc2307.
I just copied the basic config over... hence they are in my member config, although theoretically everything gets pulled from AD.

The socket options never made any problems so far...

Anyhow... i figured out how to solve this problem. Your advice to use "winbind offline logon" is correct.
However, it should be noted that offline logon won't work if either "map untrusted to domain = yes" or "winbind normalize names = yes" is set.
I had a fair struggle with that... I guess thats a bug?!

I solved the problem by letting winbind use ist own config file where both these options are disabled.
Note that when having "map untrusted to domain = yes" in the main smb.conf you have to explicitly overwrite it in with no the winbind config file.

Very strange behaviour if you ask me... I'm glad I've sorted it out.


-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
Gesendet: Mittwoch, 1. Juli 2015 15:57
An: samba at lists.samba.org
Betreff: Re: [Samba] winbindd hangs and makes the system unuseable when DC is offline

On 01/07/15 12:59, Felix Matouschek wrote:
> Hello,
> I am using winbindd to map users via the idmap_ad backend from a Samba 4.2.2 AD to another machine in the network.
> Everything works fine unless I shutdown the DC.
> I would expect winbindd to realize the DC is offline and shutdown or 
> something, however instead of realizing something is wrong It goes into some kind of reconnection loop and makes the whole system unuseable.
> As soon as I kill winbindd or the DC comes online again everything goes back to normal.
> Is there any option to limit the count of reconnection tries when a DC is offline? Or have I overlooked something perhaps?
> My smb.conf looks like this:
> [global]
>      netbios name = MyServer
>      server string = Fileserver (%h V:%v)
>      workgroup = INTRANET
>      security = ADS
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind expand groups = 1
>      winbind nested groups = yes
>      winbind use default domain = yes
>      winbind normalize names = yes
>      winbind refresh tickets = yes
>      winbind nss info = rfc2307:INTRANET, template
>      template shell = /bin/bash
>      template homedir = /home/users/%U
>      idmap_ldb:use rfc2307 = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 1000000 - 1999999
>      idmap config INTRANET : backend = ad
>      idmap config INTRANET : schema_mode = rfc2307
>      idmap config INTRANET : range = 5000 - 40000
>      map untrusted to domain = yes
>      unix extensions = no
>      invalid users = root, vipco-admin
>      acl allow execute always = yes
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>      load printers = no
>      deadtime = 10
>      use sendfile = yes
> Greetings,
> Felix

You could try 'winbind offline logon' , have a look here: 

Whilst you are adding the line to smb.conf, I would suggest you make the following changes:

     winbind nss info = rfc2307:INTRANET, template
     winbind nss info = rfc2307

     idmap_ldb:use rfc2307 = yes

It should only be on an AD DC


You could be making things worse, just allow the kernel to sort these things.

Finally, why are you using templates ? you can and should have these in AD.

     template shell = /bin/bash
     template homedir = /home/users/%U


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list