[Samba] Winbind (Samba 4.2.*, 4.5.2) recurring resolving failure for some specific users
Alain-Pierre Perrin
alain-pierre.perrin at efs.sante.fr
Wed Jan 25 08:45:25 UTC 2017
Hello.

I'm facing a seemingly unsolvable problem on the Samba servers I
administer (on Debian stable). Those servers are registered on an
AD domain. They only serve files and are not registered as domain
controllers. For some identified users (always the same), Winbind
periodically (but unpredictably) becomes unable to resolve their names,
making their shares unavailable. A "net cache flush" temporarily
solves the problem. Purging all caches doesn't help. Removing and then
re-adding the servers to the domain doesn't help either. The
problem appeared on Samba 4.2.10 (on Debian) and persisted on 4.2.14
and 4.5.2 (testing).

The only solution, for now, is more of a "patch" and consists of running
a "net cache flush" every 10 minutes. It helps, even if it is not
perfect, but it doesn't explain why those identified users suffer from
this weird Samba behavior.

Is it an IDMAP RID bug? Do the impacted users share some common
AD/LDAP attributes making winbind choke? What kind of log would be
the most enlightening to study this hard-to-reproduce bug?

Thanks in advance for your collective help / wisdom.

Alain-Pierre Perrin

PS: Some configuration details:
# Samba config, through testparm and anonymized
# cat /etc/samba/smb.conf
[global]
bind interfaces only = Yes
dos charset = 850
interfaces = 127.0.0.1 10.100.0.1
realm = OURDOMAIN.PARENTDOMAIN
server string = ""
workgroup = OURDOMAIN
domain master = No
local master = No
preferred master = No
machine password timeout = 0
debug prefix timestamp = Yes
log file = /var/log/samba/log.%m
max log size = 100
disable spoolss = Yes
load printers = No
printcap name = /dev/null
name resolve order = host bcast
map untrusted to domain = Yes
ntlm auth = Yes
security = ADS
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind refresh tickets = Yes
winbind use default domain = Yes
dns proxy = No
idmap config otherdomain:range = 480000-509999
idmap config otherdomain:backend = rid
idmap config ourdomain:range = 30000-59999
idmap config ourdomain:backend = rid
idmap config *:range = 2000-29999
full_audit:priority = NOTICE
full_audit:facility = local6
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir pwrite write
full_audit:prefix = Audit - USER=%u | IP=%I | MACHINE=%m | VOLUME=%S
idmap config * : backend = tdb
map archive = No
map readonly = permissions
printing = bsd
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
inherit acls = Yes
read only = No
vfs objects = full_audit
[share1]
path = /home/share1
hosts allow = 127. 10.
# cat /etc/krb5.conf :
[libdefaults]
default_realm = OURDOMAIN.PARENTDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
OURDOMAIN.PARENTDOMAIN = {
kdc = dc01.ourdomain.parentdomain:88
kdc = dc02.ourdomain.parentdomain:88
kdc = dc03.ourdomain.parentdomain:88
kdc = dc04.ourdomain.parentdomain:88
default_domain = ourdomain.parentdomain
}
OTHERDOMAIN.PARENTDOMAIN = {
kdc = dc01.otherdomain.parentdomain:88
kdc = dc02.otherdomain.parentdomain:88
default_domain = otherdomain.parentdomain
}
[domain_realm]
.ourdomain.parentdomain = OURDOMAIN.PARENTDOMAIN
ourdomain.parentdomain = OURDOMAIN.PARENTDOMAIN
.otherdomain.parentdomain = OTHERDOMAIN.PARENTDOMAIN
otherdomain.parentdomain = OTHERDOMAIN.PARENTDOMAIN
# cat /proc/version
Linux version 4.8.0-0.bpo.2-amd64 (debian-kernel at lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.8.11-1~bpo8+1 (2016-12-14)
# dpkg -l | grep -i samba
ii libnss-winbind:amd64 2:4.5.2+dfsg-2 amd64 Samba nameservice integration plugins
ii libwbclient0:amd64 2:4.5.2+dfsg-2 amd64 Samba winbind client library
ii python-samba 2:4.5.2+dfsg-2 amd64 Python bindings for Samba
ii samba 2:4.5.2+dfsg-2 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.2+dfsg-2 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.2+dfsg-2 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.2+dfsg-2 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.2+dfsg-2 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.2+dfsg-2 amd64 Samba Virtual FileSystem plugins
# cat /etc/debian_version
8.6
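
Added example, not part of the original post: the documented idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID) applied to the idmap ranges in the smb.conf above, showing which RIDs each range can hold and whether the ranges overlap. The RIDs in the demo are constructed and `base_rid` is assumed to be the default 0; the post does not say whether any affected user falls outside a range.

```python
import re

# Constructed excerpt: the idmap lines from the smb.conf posted above.
SMB_CONF = """\
idmap config otherdomain:range = 480000-509999
idmap config otherdomain:backend = rid
idmap config ourdomain:range = 30000-59999
idmap config ourdomain:backend = rid
idmap config *:range = 2000-29999
idmap config * : backend = tdb
"""
LINE = re.compile(r"idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for m in LINE.finditer(text):
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return domains

def rid_to_id(rid, id_range, base_rid=0):
    """idmap_rid formula; None when the result leaves the configured range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def max_mappable_rid(id_range, base_rid=0):
    """Largest RID that still fits in the range."""
    low, high = id_range
    return high - low + base_rid

def overlapping(domains):
    """Pairs of domains whose ID ranges intersect (must be empty)."""
    items = sorted((c["range"], d) for d, c in domains.items() if "range" in c)
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(conf))
    for dom, c in conf.items():
        if c.get("backend") == "rid":
            print(dom, "max mappable RID:", max_mappable_rid(c["range"]))
            for rid in (1105, 29999, 30000):  # constructed sample RIDs
                print("  RID", rid, "->", rid_to_id(rid, c["range"]))
```

The RID to feed in is the last component of the SID printed by `wbinfo -n <user>`.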