[Samba] samba 4.8 client and 4.9 AD DC: Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT

Rowland penny rpenny at samba.org
Tue Jul 16 15:54:07 UTC 2019


On 16/07/2019 16:31, Kacper Wirski via samba wrote:
> Hello,
>
> I have an issue as stated in topic. My samba 4.8.3 file server, which is AD
> member frequently shows winbind errors (pasted below). From user
> perspective it seems to work fine, but I'm worried that I have something
> misconfigured and in the long run, I might run into some errors.
>
> My AD DCs are running on samba 4.9.x (two of them), compiled from source
> with BIND as DNS backend (running on the DCs).
> Both file server and DCs are on CentOS; both are virtual machines running on
> the same host.
>
> It seems that every time Samba, using the file server account, tries to
> authenticate, it logs errors but eventually succeeds. Below I'm pasting
> entries from the Samba file server and from my dc1.
> Looking at timestamps, it seems that first the Samba client announces failure,
> then some mere milliseconds later it finally succeeds. And it repeats itself
> every 60 minutes or so (between 30 and 90 minutes, it seems).
>
> I have had a similar error, also unsolved, on another Samba file server
> (4.9.6, compiled from source), and that server had this error exactly every
> 60 minutes. Also no noticeable issues for the users.
>
> Hopefully someone can give me some pointers, where to look for potential
> causes of this error.
>
> Below my configuration and log entries from file server and domain
> controller.
>
> My settings are pretty basic, I've rechecked:
> /etc/resolv.conf (points to DNS on AD DC)
> /etc/nsswitch.conf (files winbind for passwd and groups)
> /etc/krb5.conf is according to samba wiki for AD DC and samba member
>
> my smb.conf for fileserver is:
>
> [global]
>         netbios name = MYFILESERVER
>         security = ADS
>         workgroup = MYDOMAIN
>         realm = MY.REALM
>
>         log level = 1 winbind:5
>         log file = /var/log/samba/%m.log
>          max log size = 2000
>          logging = syslog at 2 file
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-7000
>
>         idmap config MYDOMAIN:backend = rid
>         idmap config MYDOMAIN:range = 100000-110000
>
>          winbind enum users = no
>          winbind enum groups = no
>          winbind nested groups = yes
>          winbind expand groups = 3
>          winbind refresh tickets = yes
>          winbind use default domain = no
>          winbind offline logon = yes
>
>          template shell = /bin/bash
>          template homedir = /home/%U@%D
>
>          kerberos method = secrets and keytab
>
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>          vfs objects = acl_xattr full_audit recycle
>
>          full_audit:prefix = %u|%I|%M|%S
>          full_audit:failure = connect
>          full_audit:success =  mkdir rmdir write rename pwrite unlink
>          full_audit:priority = NOTICE
>
>          recycle:repository = .recycle
>          recycle:keeptree = yes
>          recycle:versions = yes
>          recycle:touch_mtime = yes
>          recycle:exclude = *.tmp, *.TMP
>          recycle:exclude_dir = .recycle
>          recycle:maxsize = 1073741824
>
>
> smb.conf for DC:
> [global]
>          netbios name = DC1
>          realm = MY.REALM
>          workgroup = MYDOMAIN
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>
>
>          log level = 1 auth_audit:5 auth_json_audit:5 smb:2 winbind:5
>          log file = /var/log/samba/samba.log.%m
>          #logging = file
>          logging = syslog at 3
>          max log size = 10000
>
>          allow dns updates = secure
>
>          server services = -dns
>
>          tls enabled = yes
>          tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
>          tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
>          tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
>
>          apply group policies = yes
>
>
> winbind log from file server:
>
> [2019/07/16 16:45:38.693115,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>    Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
> [2019/07/16 16:45:38.758657,  1] ../source3/libads/ldap_utils.c:111(ads_do_search_retry_internal)
>    ads_search_retry: failed to reconnect (No logon servers are currently
> available to service the logon request.)
>
> domain controller authentication log:
> dc1 samba[150641]:
> JSON Authentication: {"timestamp": "2019-07-16T16:45:38.816108+0200",
> "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 0},
> "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> "ipv4:192.168.xx.xx:37442",
> "serviceDescription": "Kerberos KDC",
> "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> "clientAccount": "MYFILESERVER$@MY.REALM", "workstation": null,
> "becameAccount": "MYFILESERVER$",
> "becameDomain": "MYDOMAIN", "becameSid": "S-1-5-21-SOME-SID-NUMBER",
> "mappedAccount": "MYFILESERVER$", "mappedDomain": "MYDOMAIN",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
> "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5",
> "duration": 6660}}
>
> Regards,
> Kacper

Are you having actual problems on the Unix domain member ?

If not, why do you have this in smb.conf:

log level = 1 winbind:5

I would change it to:

log level = 0

The message is coming from this block of code:

    DEBUG(1, ("Reducing LDAP page size from %d to %d due to IO_TIMEOUT\n",
              ads->config.ldap_page_size, new_page_size));

As you can see, it is just a debug message that is printed if the log level
is set to '1' or above.

Rowland
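As an added example (not from this thread and not Samba's own code), the
script below does what the original poster did by eye: it parses the member's
winbind log for the "Reducing LDAP page size" retry messages, parses the DC's
auth_json_audit records, checks that each retry is followed by a
NT_STATUS_OK logon for the machine account within a few seconds, and measures
the interval between retries. The sample log text is constructed in the
formats shown above (header and source location on one line, as Samba writes
them); the account name, IP and timestamps are invented, and it assumes both
machines log in the same timezone.

```python
"""Correlate winbind 'Reducing LDAP page size' retries on a Samba domain
member with the DC's JSON authentication log. Added example, not Samba code.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample member log (values invented). Samba's format at
# 'log level = 1': a header with timestamp and debug level, then the message.
MEMBER_LOG = """\
[2019/07/16 16:45:38.693115,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2019/07/16 16:45:38.758657,  1] ../source3/libads/ldap_utils.c:111(ads_do_search_retry_internal)
  ads_search_retry: failed to reconnect (No logon servers are currently available to service the logon request.)
[2019/07/16 17:45:40.100000,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
"""

# Constructed sample DC syslog lines carrying auth_json_audit records
# (192.0.2.10 is a documentation address, not a real host).
DC_LOG = """\
dc1 samba[150641]: JSON Authentication: {"timestamp": "2019-07-16T16:45:38.816108+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "MYFILESERVER$@MY.REALM", "remoteAddress": "ipv4:192.0.2.10:37442", "duration": 6660}}
dc1 samba[150641]: JSON Authentication: {"timestamp": "2019-07-16T17:45:40.250000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "MYFILESERVER$@MY.REALM", "remoteAddress": "ipv4:192.0.2.10:37443", "duration": 5100}}
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{6}),\s*(\d+)\]\s*(\S*)")
RETRY_MARK = "Reducing LDAP page size"


def parse_member_log(text):
    """Return one {ts, level, source, message} dict per log entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"ts": ts, "level": int(m.group(2)),
                            "source": m.group(3), "message": ""})
        elif entries:
            # Continuation line: append to the current entry's message.
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries


def parse_dc_auth_log(text):
    """Return the parsed 'Authentication' records with a naive local timestamp.
    Assumption: member and DC share a timezone, so the offset is dropped to
    compare against the member's offset-less timestamps."""
    records = []
    marker = "JSON Authentication: "
    for line in text.splitlines():
        idx = line.find(marker)
        if idx < 0:
            continue
        doc = json.loads(line[idx + len(marker):])
        ts = datetime.strptime(doc["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rec = dict(doc["Authentication"])
        rec["ts"] = ts.replace(tzinfo=None)
        records.append(rec)
    return records


def correlate(member_entries, dc_records, account, window=timedelta(seconds=5)):
    """For each page-size retry on the member, find the first NT_STATUS_OK
    logon of `account` on the DC within `window`. Returns (retry, record or
    None, milliseconds until success or None)."""
    results = []
    for e in member_entries:
        if RETRY_MARK not in e["message"]:
            continue
        match = None
        for r in dc_records:
            if (r.get("clientAccount") == account and r.get("status") == "NT_STATUS_OK"
                    and e["ts"] <= r["ts"] <= e["ts"] + window):
                match = r
                break
        delta_ms = None if match is None else (match["ts"] - e["ts"]).total_seconds() * 1000
        results.append((e, match, delta_ms))
    return results


def retry_intervals(member_entries):
    """Time between successive page-size retries (the '~60 minutes' pattern)."""
    stamps = [e["ts"] for e in member_entries if RETRY_MARK in e["message"]]
    return [b - a for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    member = parse_member_log(MEMBER_LOG)
    dc = parse_dc_auth_log(DC_LOG)
    for e, rec, ms in correlate(member, dc, "MYFILESERVER$@MY.REALM"):
        state = f"recovered after {ms:.0f} ms" if rec else "no matching success"
        print(f"{e['ts']}  {e['message'][:40]}...  {state}")
    for gap in retry_intervals(member):
        print(f"interval between retries: {gap}")
```

Point the two constants at real log files (or read them from `open(...)`)
and the output tells you whether the retry is harmless (every one is followed
by a successful logon within milliseconds) and how regular the recurrence is;
a retry with no matching success, or a growing delay, is the signal that
something beyond a level-1 debug message is going on.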