[Samba] NT_STATUS_IO_TIMEOUT at open_socket_out_send due to firewall

Mike Ely me at mikeely.org
Wed Jun 15 18:42:49 UTC 2016


We've got a few layers of firewall between our DCs and a domain guest 
providing winbind services. What I've noticed is that on first run 
winbind tries to use the high ports to set up part of the communication. 
During that process, the winbindd process runs at 100% CPU, and it takes 
about two minutes to time out. After that time things settle down and 
winbind works perfectly.

For various reasons we're not eager to open a wide range of ports across 
all the firewalls, and would like to know if there's a way in smb.conf 
to skip the step that's hanging.

I've validated that opening the port in the below log (49155) allows 
winbind to start cleanly and work without hanging for two minutes, but 
this was only for testing purposes and the port had to be closed back up.

Here's log level 10 from where the thing happens on a CentOS 7 box running 
Samba 4.2.10:

[2016/06/15 11:23:34.554465,  3, pid=6383, effective(0, 0), real(0, 0)] 
   Connecting to [redacted IP of DC on different segment] at port 49155
[2016/06/15 11:25:41.772517, 10, pid=6383, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:2698(cm_connect_lsa_tcp)
   cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_IO_TIMEOUT

    workgroup = TEST
    realm = TEST.EXAMPLE.COM
    security = ads
    idmap config * : range = 16777216-33554431
    template shell = /bin/false
    kerberos method = secrets and keytab
    winbind use default domain = true
    winbind offline logon = false
    log file = /var/log/samba/%m.log
    log level = 10
    netbios name = TESTWB
    server string = WB server
    invalid users = root
    socket options = TCP_NODELAY
    winbind enum users = yes
    winbind enum groups = yes
    winbind max domain connections = 5
    winbind max clients = 1000
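Added here as an example, not from the poster or the Samba project: a Python script that pairs each "Connecting to HOST at port N" line in a level-10 winbindd log with the NT_STATUS_IO_TIMEOUT logged next by the same pid and reports how long the stall lasted, so the single dynamic RPC port (49152-65535 on the DCs) that the firewall is dropping can be identified from the log instead of opening the whole range. The sample log is constructed in the format quoted above; the address 192.0.2.10 stands in for the redacted DC.

```python
import re
from datetime import datetime

# Header of every Samba debug message: "[timestamp, level, pid=N, ...".
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+,\s*pid=(\d+)")
CONNECT_RE = re.compile(r"Connecting to (\S+) at port (\d+)")

def is_dynamic_rpc_port(port):
    """True for the Windows dynamic RPC endpoint range (49152-65535)."""
    return 49152 <= port <= 65535

def find_blocked_ports(lines, min_seconds=30.0):
    """Pair each 'Connecting to HOST at port N' with the next NT_STATUS_IO_TIMEOUT
    from the same pid; return [(pid, host, port, elapsed_seconds)] for stalls of at
    least min_seconds (dropped SYNs look like a long stall, a DC reset fails fast)."""
    current = None   # (timestamp, pid) from the most recent header line
    pending = {}     # pid -> (timestamp, host, port) of its last connect attempt
    found = []
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            current = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), int(m.group(2)))
            continue
        if current is None:
            continue                      # message text before any header
        ts, pid = current
        m = CONNECT_RE.search(line)
        if m:
            pending[pid] = (ts, m.group(1), int(m.group(2)))
        elif "NT_STATUS_IO_TIMEOUT" in line and pid in pending:
            start, host, port = pending.pop(pid)
            elapsed = (ts - start).total_seconds()
            if elapsed >= min_seconds:
                found.append((pid, host, port, elapsed))
    return found

# Constructed sample in the format of the log quoted above; 192.0.2.10 is a
# documentation address standing in for the redacted DC.
SAMPLE_LOG = """\
[2016/06/15 11:23:33.900000,  3, pid=6383, effective(0, 0), real(0, 0)]
  Connecting to 192.0.2.10 at port 445
[2016/06/15 11:23:34.554465,  3, pid=6383, effective(0, 0), real(0, 0)]
  Connecting to 192.0.2.10 at port 49155
[2016/06/15 11:25:41.772517, 10, pid=6383, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:2698(cm_connect_lsa_tcp)
  cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_IO_TIMEOUT
"""

if __name__ == "__main__":
    for pid, host, port, secs in find_blocked_ports(SAMPLE_LOG.splitlines()):
        print(f"pid {pid}: {host}:{port} hung {secs:.1f}s; dynamic RPC port: {is_dynamic_rpc_port(port)}")
```

Run it against /var/log/samba/ output captured at log level 10 (feed the file's lines to find_blocked_ports) to list every port whose connect attempt stalled until the timeout.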

