[Samba] winbindd hangs and makes the system unusable when DC is offline
Felix Matouschek
felix.matouschek at vipco.de
Wed Jul 1 08:24:19 MDT 2015
Hello Rowland,
yes, indeed, "idmap_ldb:use rfc2307 = yes" can be removed.
As for the templates, I need those lines on the DC since it won't apply the values for login shell and home dir automatically via rfc2307.
I just copied the basic config over... hence they are in my member config, although theoretically everything gets pulled from AD.
The socket options never made any problems so far...
Anyhow... I figured out how to solve this problem. Your advice to use "winbind offline logon" is correct.
However, it should be noted that offline logon won't work if either "map untrusted to domain = yes" or "winbind normalize names = yes" is set.
I had a fair struggle with that... I guess that's a bug?!
I solved the problem by letting winbind use its own config file where both these options are disabled.
Note that when having "map untrusted to domain = yes" in the main smb.conf you have to explicitly override it with "no" in the winbind config file.
Very strange behaviour if you ask me... I'm glad I've sorted it out.
Greetings,
Felix
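As an added example (not part of the thread and not Samba's own tooling), here is a small Python linter that checks a member-server smb.conf for the points raised above: the combination Felix reports as breaking "winbind offline logon" ("map untrusted to domain = yes" or "winbind normalize names = yes"), and Rowland's suggestions about "idmap_ldb:use rfc2307", "winbind nss info", the template parameters and "socket options". The two embedded configs are constructed from the one posted in the thread; the script file name is an assumption. If winbindd reads its own config file, as in Felix's fix, run the linter against that file, since that is the one whose values matter.

```python
import configparser
import sys
from typing import Dict, List

# Constructed sample modelled on the member config posted in the thread, with
# "winbind offline logon = yes" added as Rowland suggested. Everything else is
# left as posted so the checker has something to flag.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = MyServer
    workgroup = INTRANET
    realm = INTRANET.MYDOMAIN.DE
    security = ADS
    winbind offline logon = yes
    winbind normalize names = yes
    winbind nss info = rfc2307:INTRANET, template
    template shell = /bin/bash
    template homedir = /home/users/%U
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config INTRANET : backend = ad
    idmap config INTRANET : schema_mode = rfc2307
    idmap config INTRANET : range = 5000 - 40000
    map untrusted to domain = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
"""

# The same config with Rowland's changes and Felix's fix applied (constructed).
CORRECTED_SMB_CONF = """\
[global]
    netbios name = MyServer
    workgroup = INTRANET
    realm = INTRANET.MYDOMAIN.DE
    security = ADS
    winbind offline logon = yes
    winbind normalize names = no
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config INTRANET : backend = ad
    idmap config INTRANET : schema_mode = rfc2307
    idmap config INTRANET : range = 5000 - 40000
    map untrusted to domain = no
"""

# Spellings Samba accepts for a true boolean parameter.
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Return [global] as {normalised name: value}.

    smb.conf is INI-like, but parameter names may contain ':' (idmap config
    lines), so '=' is the only delimiter; '%U' is a Samba substitution, so
    configparser interpolation is disabled. Samba treats parameter names as
    case- and whitespace-insensitive, so they are folded here the same way.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                       strict=False)
    parser.optionxform = lambda name: " ".join(name.lower().split())
    parser.read_string(text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def is_true(conf: Dict[str, str], name: str) -> bool:
    return conf.get(name, "no").strip().lower() in TRUE_VALUES


def check_member_config(conf: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings: List[str] = []

    # Felix's finding: offline logon does not work when either of these is on.
    if is_true(conf, "winbind offline logon"):
        for clashing in ("map untrusted to domain", "winbind normalize names"):
            if is_true(conf, clashing):
                findings.append(f"'{clashing} = yes' set alongside "
                                "'winbind offline logon = yes'; set it to no")

    # Rowland's points: idmap_ldb:use rfc2307 belongs on an AD DC only.
    if "idmap_ldb:use rfc2307" in conf:
        findings.append("'idmap_ldb:use rfc2307' is a DC-only setting; remove it")

    # Shell and home directory come from AD, so nss info should be plain rfc2307
    # and the template parameters are then redundant.
    nss = conf.get("winbind nss info", "")
    if nss and nss.replace(" ", "").lower() != "rfc2307":
        findings.append(f"'winbind nss info = {nss}' should be 'rfc2307'")
    if "rfc2307" in nss.lower():
        for tmpl in ("template shell", "template homedir"):
            if tmpl in conf:
                findings.append(f"'{tmpl}' set although rfc2307 attributes come from AD")

    # Hand-tuned socket options can make things worse; let the kernel decide.
    if "socket options" in conf:
        findings.append("'socket options' set; drop it and use kernel defaults")

    return findings


def lint(text: str) -> List[str]:
    return check_member_config(parse_smb_conf(text))


if __name__ == "__main__":
    # Usage: python smbconf_lint.py [/etc/samba/smb.conf]  (path is an example)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for line in lint(source) or ["no findings"]:
        print(line)
```

Run without arguments it lints the constructed sample and reports seven findings; run against the corrected config it reports none. The parser folds names the way Samba does, so "Winbind  Normalize Names" and "winbind normalize names" are the same key.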
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Wednesday, 1 July 2015 15:57
To: samba at lists.samba.org
Subject: Re: [Samba] winbindd hangs and makes the system unusable when DC is offline
On 01/07/15 12:59, Felix Matouschek wrote:
> Hello,
>
> I am using winbindd to map users via the idmap_ad backend from a Samba 4.2.2 AD to another machine in the network.
> Everything works fine unless I shut down the DC.
> I would expect winbindd to realize the DC is offline and shut down or
> something; however, instead of realizing something is wrong, it goes into some kind of reconnection loop and makes the whole system unusable.
> As soon as I kill winbindd or the DC comes online again everything goes back to normal.
>
> Is there any option to limit the count of reconnection tries when a DC is offline? Or have I overlooked something perhaps?
>
> My smb.conf looks like this:
>
> [global]
> netbios name = MyServer
> server string = Fileserver (%h V:%v)
>
> workgroup = INTRANET
> realm = INTRANET.MYDOMAIN.DE
> security = ADS
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nested groups = yes
> winbind use default domain = yes
> winbind normalize names = yes
> winbind refresh tickets = yes
> winbind nss info = rfc2307:INTRANET, template
> template shell = /bin/bash
> template homedir = /home/users/%U
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 1999999
> idmap config INTRANET : backend = ad
> idmap config INTRANET : schema_mode = rfc2307
> idmap config INTRANET : range = 5000 - 40000
>
> map untrusted to domain = yes
>
> unix extensions = no
> invalid users = root, vipco-admin
>
> acl allow execute always = yes
>
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> load printers = no
>
> deadtime = 10
> use sendfile = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> Greetings,
> Felix
You could try 'winbind offline logon' , have a look here:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
Whilst you are adding the line to smb.conf, I would suggest you make the following changes:
Change:
winbind nss info = rfc2307:INTRANET, template
To:
winbind nss info = rfc2307
Remove:
idmap_ldb:use rfc2307 = yes
It should only be on an AD DC
Remove:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
You could be making things worse; just let the kernel sort these things out.
Finally, why are you using templates? You can and should have these in AD.
template shell = /bin/bash
template homedir = /home/users/%U
Rowland