[Samba] Winbind timeouts/hangs(?)

[Heiko Wundram]

Hey,

Am 23.08.2019 11:13, schrieb L.P.H. van Belle via samba:
> Your where running Debian buster 4.9.5, you could try my 4.9.11/4.10.6
> package of debian sid/testing, its 4.9.11 package.

same behaviour with testing (4.9.11), tested that already. As I already 
wrote, I've definitely checked the networking, and that's all fine. 
There are no network packets generated by winbind when the hangs occur, 
and there is no explicit correlation between network activity of winbind 
and the hangs.

 From what I can see (after having some sleep, my google-fu seems to be 
better), I'm probably hitting an interoperability problem with sssd:

https://bugzilla.samba.org/show_bug.cgi?id=13815

The description of the original CentOS bug doesn't contain log messages 
similar to mine, but describes pretty much the same behaviour (i.e., 
lookup of non-existant local accounts, in my case from ssh brute-forces 
on a webserver, causing winbind timeouts eventually due to recursive nss 
calls). The RedHat bug for sssd isn't open, so I can't check whether the 
referenced patch has already been integrated into Debian (I guess 
not...), but switching the order of winbind and sssd and putting the 
latter last (which is fine in the environment that I use winbind in) 
seems to at least cause the timeouts to disappear; I'm not 100% certain 
that the problems are fixed, because ps auxf sometimes still "hangs" for 
a while, but at least it looks better than before.

I'll try to get some more info on the sssd fix; possibly opening a 
Debian bug report for that should be worth it. Thanks for the hints and 
I'm hoping that this fixes things for now!

-- 
--- Heiko Wundram.