[Samba] winbindd losing track of RFC2307 UIDs
rj_t1 at redglow.org
Fri Oct 7 03:20:35 UTC 2016
On Thu, 6 Oct 2016, Rob wrote:
> On Wed, 5 Oct 2016, Rowland Penny wrote:
>> Could the '...wait a few hours...' be about 10 hours ??
> I'll let you know... in about 10 hours!

Turns out it's far less than 10 hours in some cases. In fact, I've been
able to more-or-less reproduce it on demand!

The member server in question provides SMB file service as well as SSH
login. If a particular user logs in via SSH (using a keypair rather than
password, if that matters) and does some SVN operations, then logs out and
does some file system operations (not explicitly on the SMB shares, but
Wireshark shows Windows is making queries on them anyway), the UID resets
to 2xxx within a few seconds.

Other users (17 of 20) don't have this problem and subsequent lookups or
SSH sessions for other users work fine (so it's not that winbindd has
somehow lost contact with the DC).

I recognize I need to isolate exactly what parts of this scenario cause
the problem... will report back. Meanwhile, I have a 15,000 line -d10 log
file from winbindd while this happens, but it's interspersed with
unrelated lookup traffic. I'll try to make a more compact log. Is there
anything specific I should look for in the log?

>> Try adding these lines to smb.conf:
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> Leave the domain and rejoin, this should create the /etc/krb5.keytab

It turns out smb.conf already has both "kerberos method = secrets and
keytab" and "winbind refresh tickets = yes", but not the "dedicated keytab
file" line. (The system does have an /etc/krb5.keytab that appears to
have been created when it joined the domain.)

Still, I can try re-joining the domain if that may help.