[Samba] Winbind timeouts/hangs(?)
Rowland Penny
rpenny at samba.org
Fri Aug 23 11:12:52 UTC 2019
On 23/08/2019 11:22, Heiko Wundram via samba wrote:
> Hey,
>
> Am 23.08.2019 11:13, schrieb L.P.H. van Belle via samba:
>> You were running Debian buster 4.9.5, you could try my 4.9.11/4.10.6
>> package of Debian sid/testing, it's 4.9.11 package.
>
> same behaviour with testing (4.9.11), tested that already. As I
> already wrote, I've definitely checked the networking, and that's all
> fine. There are no network packets generated by winbind when the hangs
> occur, and there is no explicit correlation between network activity
> of winbind and the hangs.
>
> From what I can see (after having some sleep, my google-fu seems to be
> better), I'm probably hitting an interoperability problem with sssd:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13815
>
> The description of the original CentOS bug doesn't contain log
> messages similar to mine, but describes pretty much the same behaviour
> (i.e., lookup of non-existent local accounts, in my case from ssh
> brute-forces on a webserver, causing winbind timeouts eventually due
> to recursive nss calls). The RedHat bug for sssd isn't open, so I
> can't check whether the referenced patch has already been integrated
> into Debian (I guess not...), but switching the order of winbind and
> sssd and putting the latter last (which is fine in the environment
> that I use winbind in) seems to at least cause the timeouts to
> disappear; I'm not 100% certain that the problems are fixed, because
> ps auxf sometimes still "hangs" for a while, but at least it looks
> better than before.
>
> I'll try to get some more info on the sssd fix; possibly opening a
> Debian bug report for that should be worth it. Thanks for the hints
> and I'm hoping that this fixes things for now!
>
Do not bother, I take it you missed that Red Hat (who produces sssd) no
longer supports using sssd with Winbind. So your cure is obvious:
apt-get purge sssd
This would also explain why winbind seems to be doing nothing, because
it is doing nothing, sssd is doing the authentication.
Rowland
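
The thread turns on winbind and sssd both being consulted for the same NSS lookups and on the order in which they are listed. The following is an added example, not part of the original messages: a check that reports which NSS databases list both modules and which one comes first. It assumes the standard glibc configuration file /etc/nsswitch.conf and the module names `sss` and `winbind`; the sample file is constructed.

```shell
#!/bin/sh
# Report nsswitch databases where both the sssd ("sss") and winbind NSS
# modules are configured, and which of the two is consulted first.
# Usage: nss_overlap [file]   (assumed default: /etc/nsswitch.conf)
nss_overlap() {
    awk '
    { sub(/#.*/, "") }                      # strip trailing comments
    /^[ \t]*[a-z_]+:/ {
        sub(/:/, ": ")                      # tolerate "passwd:files"
        db = $1; sub(/:$/, "", db)
        sss = 0; wb = 0
        for (i = 2; i <= NF; i++) {         # action items like [NOTFOUND=return] are skipped
            if ($i == "sss" && !sss) sss = i
            if ($i == "winbind" && !wb) wb = i
        }
        if (sss && wb)
            printf "%s: both configured, %s first\n", db, (sss < wb ? "sss" : "winbind")
    }' "${1:-/etc/nsswitch.conf}"
}

# Constructed sample input, not taken from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:   files systemd sss winbind   # sssd consulted before winbind
group:    files winbind [NOTFOUND=return] sss
shadow:   files
hosts:    files dns
EOF

nss_overlap "$sample"
rm -f "$sample"
```

A database that appears in the output is answered by both services; no output means at most one of the two is configured for any database.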