[Samba] samba 4.8 client and 4.9 AD DC: Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT

Kacper Wirski kacper.wirski at gmail.com
Tue Jul 16 15:31:34 UTC 2019


I have an issue as stated in topic. My samba 4.8.3 file server, which is AD
member frequently shows winbind errors (pasted below). From user
perspective it seems to work fine, but I'm worried that I have something
misconfigured and in the long run, I might run into some errors.

My AD DC are running on samba 4.9.x (two of them), compiled from source
with BIND as DNS backend (running on the DC's)
Both file server and DC are on centos, both are virtual machines running on
same host.

It seems that every time that samba using file server account tries to
authenticate it logs errors, but eventually succeeds. Below i'm pasting
entries from samba file server and from my dc1.
Looking at timestamps it seems that first samba client announces failure
then some mere milliseconds later finally succeeds. And it repeats itself
every 60 minutes or so (between 30 to 90 minutes it seems)

I have had similar error, also unsolved on another samba file server
(4.9.6, compiled from source), and that server had this error exactly every
60 minutes. Also no noticeable issues for the users.

Hopefully someone can give me some pointers, where to look for potential
causes of this error.

Below my configuration and log entries from file server and domain

My settings are pretty basic, I've rechecked:
/etc/resolv.conf (points to DNS on AD DC)
/etc/nsswitch.conf (files winbind for passwd and groups)
/etc/krb5.conf is according to samba wiki for AD DC and samba member

my smb.conf for fileserver is:

       netbios name = MYFILESERVER
       security = ADS
       workgroup = MYDOMAIN
       realm = MY.REALM

       log level = 1 winbind:5
       log file = /var/log/samba/%m.log
        max log size = 2000
        logging = syslog at 2 file
       idmap config *:backend = tdb
       idmap config *:range = 2000-7000

       idmap config MYDOMAIN:backend = rid
       idmap config MYDOMAIN:range = 100000-110000

        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind expand groups = 3
        winbind refresh tickets = yes
        winbind use default domain = no
        winbind offline logon = yes

        template shell = /bin/bash
        template homedir = /home/%U@%D

        kerberos method = secrets and keytab

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        vfs objects = acl_xattr full_audit recycle

        full_audit:prefix = %u|%I|%M|%S
        full_audit:failure = connect
        full_audit:success =  mkdir rmdir write rename pwrite unlink
        full_audit:priority = NOTICE

        recycle:repository = .recycle
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:touch_mtime = yes
        recycle:exclude = *.tmp, *.TMP
        recycle:exclude_dir = .recycle
        recycle:maxsize = 1073741824

smb.conf for DC:
        netbios name = DC1
        realm = MY.REALM
        workgroup = MYDOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        log level = 1 auth_audit:5 auth_json_audit:5 smb:2 winbind:5
        log file = /var/log/samba/samba.log.%m
        #logging = file
        logging = syslog at 3
        max log size = 10000

        allow dns updates = secure

        server services = -dns

        tls enabled = yes
        tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
        tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
        tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem

        apply group policies = yes

winbind log from file server:

[2019/07/16 16:45:38.693115,  1]
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2019/07/16 16:45:38.758657,  1]
  ads_search_retry: failed to reconnect (No logon servers are currently
available to service the logon request.)

domain controller authentication log:
dc1 samba[150641]:
JSON Authentication: {"timestamp": "2019-07-16T16:45:38.816108+0200",
"type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 0},
"status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
"serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "MYFILESERVER$@MY.REALM", "workstation": null,
"becameAccount": "MYFILESERVER$",
"becameDomain": "MYDOMAIN", "becameSid": "S-1-5-21-SOME-SID-NUMBER",
"mappedAccount": "MYFILESERVER$", "mappedDomain": "MYDOMAIN",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5",
"duration": 6660}}


More information about the samba mailing list