[Samba] winbindd losing track of RFC2307 UIDs

Rob rj_t1 at redglow.org
Fri Oct 7 03:20:35 UTC 2016

On Thu, 6 Oct 2016, Rob wrote:

> On Wed, 5 Oct 2016, Rowland Penny wrote:
>> Could the '...wait a few hours...' be about 10 hours ??
> I'll let you know... in about 10 hours!

Turns out it's far less than 10 hours in some cases.  In fact, I've been 
able to more-or-less reproduce it on demand!

The member server in question provides SMB file service as well as SSH 
login.  If a particular user logs in via SSH (using a keypair rather than 
password, if that matters) and does some SVN operations, then logs out and 
does some file system operations (not explicitly on the SMB shares, but 
Wireshark shows Windows is making queries on them anyway), the UID resets 
to 2xxx within a few seconds.

Other users (17 of 20) don't have this problem and subsequent lookups or 
SSH sessions for other users work fine (so it's not that winbindd has 
somehow lost contact with the DC).

I recognize I need to isolate exactly what parts of this scenario cause 
the problem... will report back.  Meanwhile, I have a 15,000 line -d10 log 
file from winbindd while this happens, but it's interspersed with 
unrelated lookup traffic.  I'll try to make a more compact log.  Is there 
anything specific I should look for in the log?

>> Try adding these lines to smb.conf:
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>    winbind refresh tickets = Yes
>> Leave the domain and rejoin, this should create the /etc/krb5.keytab

It turns out smb.conf already has both "kerberos method = secrets and 
keytab" and "winbind refresh tickets = yes", but not the "dedicated keytab 
file" line.  (The system does have an /etc/krb5.keytab that appears to 
have been created when it joined the domain.)

Still, I can try re-joining the domain if that may help.
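For reference, here is an smb.conf member-server fragment that combines the three Kerberos/keytab lines quoted above with an RFC2307 idmap backend, so that a UID that falls outside the AD range is easy to spot. This is an added illustration, not configuration from this thread or from the Samba project; the realm, workgroup name and both ID ranges are assumptions and must be replaced with the site's own values.

```ini
# Added example (not from the thread): member server using AD RFC2307 uidNumber/gidNumber
[global]
   security = ads
   workgroup = EXAMPLE            ; assumed NetBIOS domain name
   realm = EXAMPLE.ORG            ; assumed Kerberos realm
   winbind use default domain = yes

   ; Kerberos settings as quoted in the thread
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes

   ; IDs for users from the AD domain come from the AD uidNumber/gidNumber attributes
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999     ; assumed; must cover every uidNumber in AD
   winbind nss info = rfc2307

   ; Local allocation for any other SID (BUILTIN etc.); keep this range disjoint
   ; from the AD range so an unexpected UID is immediately recognisable
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999             ; assumed
```

With disjoint ranges, `getent passwd <user>` returning a UID outside the configured AD range shows at once that the RFC2307 lookup did not succeed for that user.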
