[Samba] samba 4.8 client and 4.9 AD DC: Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
Kacper Wirski
kacper.wirski at gmail.com
Tue Jul 16 15:31:34 UTC 2019
Hello,
I have an issue as stated in topic. My samba 4.8.3 file server, which is AD
member frequently shows winbind errors (pasted below). From user
perspective it seems to work fine, but I'm worried that I have something
misconfigured and in the long run, I might run into some errors.
My AD DC are running on samba 4.9.x (two of them), compiled from source
with BIND as DNS backend (running on the DC's)
Both file server and DC are on centos, both are virtual machines running on
same host.
It seems that every time that samba using file server account tries to
authenticate it logs errors, but eventually succeeds. Below i'm pasting
entries from samba file server and from my dc1.
Looking at timestamps it seems that first samba client announces failure
then some mere milliseconds later finally succeeds. And it repeats itself
every 60 minutes or so (between 30 to 90 minutes it seems)
I have had similar error, also unsolved on another samba file server
(4.9.6, compiled from source), and that server had this error exactly every
60 minutes. Also no noticeable issues for the users.
Hopefully someone can give me some pointers, where to look for potential
causes of this error.
Below my configuration and log entries from file server and domain
controller.
My settings are pretty basic, I've rechecked:
/etc/resolv.conf (points to DNS on AD DC)
/etc/nsswitch.conf (files winbind for passwd and groups)
/etc/krb5.conf is according to samba wiki for AD DC and samba member
my smb.conf for fileserver is:
[global]
netbios name = MYFILESERVER
security = ADS
workgroup = MYDOMAIN
realm = MY.REALM
log level = 1 winbind:5
log file = /var/log/samba/%m.log
max log size = 2000
logging = syslog at 2 file
idmap config *:backend = tdb
idmap config *:range = 2000-7000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 100000-110000
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind expand groups = 3
winbind refresh tickets = yes
winbind use default domain = no
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U@%D
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
vfs objects = acl_xattr full_audit recycle
full_audit:prefix = %u|%I|%M|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write rename pwrite unlink
full_audit:priority = NOTICE
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:touch_mtime = yes
recycle:exclude = *.tmp, *.TMP
recycle:exclude_dir = .recycle
recycle:maxsize = 1073741824
smb.conf for DC:
[global]
netbios name = DC1
realm = MY.REALM
workgroup = MYDOMAIN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1 auth_audit:5 auth_json_audit:5 smb:2 winbind:5
log file = /var/log/samba/samba.log.%m
#logging = file
logging = syslog at 3
max log size = 10000
allow dns updates = secure
server services = -dns
tls enabled = yes
tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
apply group policies = yes
winbind log from file server:
[2019/07/16 16:45:38.693115, 1]
../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2019/07/16 16:45:38.758657, 1]
../source3/libads/ldap_utils.c:111(ads_do_search_retry_internal)
ads_search_retry: failed to reconnect (No logon servers are currently
available to service the logon request.)
domain controller authentication log:
dc1 samba[150641]:
JSON Authentication: {"timestamp": "2019-07-16T16:45:38.816108+0200",
"type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 0},
"status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
"ipv4:192.168.xx.xx:37442",
"serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "MYFILESERVER$@MY.REALM", "workstation": null,
"becameAccount": "MYFILESERVER$",
"becameDomain": "MYDOMAIN", "becameSid": "S-1-5-21-SOME-SID-NUMBER",
"mappedAccount": "MYFILESERVER$", "mappedDomain": "MYDOMAIN",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5",
"duration": 6660}}
Regards,
Kacper
More information about the samba
mailing list