[Samba] NT_STATUS_IO_TIMEOUT at open_socket_out_send due to firewall

Mike Ely me at mikeely.org
Thu Jun 23 19:26:56 UTC 2016 

Bump.

On 06/15/2016 11:42 AM, Mike Ely wrote:
> Hi,
>
> We've got a few layers of firewall between our DCs and a domain guest 
> providing winbind services. What I've noticed is that on first run 
> winbind tries to use the high ports to set up part of the 
> communication. During that process, the winbindd process runs at 100% 
> CPU, and it takes about two minutes to time out. After that time 
> things settle down and winbind works perfectly.
>
> For various reasons we're not eager to open a wide range of ports 
> across all the firewalls, and would like to know if there's a way in 
> smb.conf to skip the step that's hanging.
>
> I've validated that opening the port in the below log (49155) allows 
> winbind to start cleanly and work without hanging for two minutes, but 
> this was only for testing purposes and the port had to be closed back 
> up after.
>
> Here's loglevel 10 from where the thing happens on a Centos7 box 
> running Samba 4.2.10:
>
> [2016/06/15 11:23:34.554465,  3, pid=6383, effective(0, 0), real(0, 
> 0)] ../source3/lib/util_sock.c:636(open_socket_out_send)
>   Connecting to [redacted IP of DC on different segment] at port 49155
> [2016/06/15 11:25:41.772517, 10, pid=6383, effective(0, 0), real(0, 
> 0), class=winbind] 
> ../source3/winbindd/winbindd_cm.c:2698(cm_connect_lsa_tcp)
>   cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_IO_TIMEOUT
>
>
>
> smb:conf:
> [global]
>    workgroup = TEST
>    realm = TEST.EXAMPLE.COM
>    security = ads
>    idmap config * : range = 16777216-33554431
>    template shell = /bin/false
>    kerberos method = secrets and keytab
>    winbind use default domain = true
>    winbind offline logon = false
>    log file = /var/log/samba/%m.log
>    log level = 10
>    netbios name = TESTWB
>    server string = WB server
>    invalid users = root
>    socket options = TCP_NODELAY
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind max domain connections = 5
>    winbind max clients = 1000

More information about the samba mailing list