[Samba] samba AD problem after re-join domain

Rowland penny rpenny at samba.org
Mon Oct 12 15:51:23 UTC 2020


On 12/10/2020 16:11, Jason Keltz wrote:
>
>> Hi Rowland,
>>
>> I did not leave the domain, but I did delete the entry by either the 
>> Windows AD tool or "samba-tool computer delete" option.  I can't 
>> remember which one at this point.  I think that clears up all the 
>> bits.  Is that correct?  On the local host, I also deleted the 
>> /etc/krb5.keytab, and deleted all the samba bits so that the join was 
>> fresh.
I would always 'leave' the domain first, before doing anything else.
>>
>>
>> By the way, at one point, I rebooted the DC, and I noticed that all 
>> the AD clients showed something like this:
>>
>> [2020/10/12 09:25:19.183616,  1, pid=36145, effective(0, 0), real(0, 
>> 0)] 
>> ../../source3/rpc_client/cli_pipe.c:422(cli_pipe_validate_current_pdu)
>>   ../../source3/rpc_client/cli_pipe.c:422: Bind NACK received from 
>> host dc1.ad.eecs.yorku.ca!
>> [2020/10/12 09:44:11.598150,  1, pid=36145, effective(0, 0), real(0, 
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>>   Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
>>
>> (Which is strange because this means that if you reboot the DC, then 
>> the clients start talking slower to it when it comes back up?  I 
>> don't think the number ever increases unless you restart winbind 
>> everywhere?)
'page size' refers to the number of records returned, I would be more 
worried about the 'IO_TIMEOUT'
>>
>> and since that reboot, I've seen a few of them do this:
>>
>> [2020/10/12 10:00:19.814381,  1, pid=36145, effective(0, 0), real(0, 
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>>   Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
>> [2020/10/12 10:16:19.557261,  1, pid=36145, effective(0, 0), real(0, 
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>>   Reducing LDAP page size from 250 to 125 due to IO_TIMEOUT
>>
>> Two of them are virtualbox VMs, so I figured maybe it's some kind of 
>> virtualbox thing, but one of them is an actual machine and still has 
>> the same error.  The DC is very lightly loaded. How would I debug 
>> what is causing this reduction in IO?
I would be checking your network connections etc.
>>
>> I know that various errors in the Samba logs are not "issues" but 
>> this one seems to be an issue.  I don't like seeing IO_TIMEOUTs.
>>
>> Another distracting error in the log included:
>>
>> [2020/10/11 22:43:29.843630,  1, pid=969, effective(0, 0), real(0, 
>> 0)] ../../source3/libads/ldap.c:565(ads_find_dc)
>>   ads_find_dc: name resolution for realm 'AD.EECS.YORKU.CA' (domain 
>> 'EECSYORKUCA') failed: NT_STATUS_NO_LOGON_SERVERS

That makes me think of dns/network problems.


>>
>> ... after boot which sounds serious but it turns out if I try to 
>> authenticate before everything is up and running, that's what I get. 
>> The error makes sense but there's no "follow up" to say: "Ok ok - I 
>> found it now - Sorry to give you a heart attack.". It's all a 
>> learning experience.
>>
>> <snipped>
>> Jason
>
>
>
> I wonder if this is a regular error and everyone is seeing this in their 
> logs?  Just for fun, I tried to change the permission of 
> /etc/krb5.keytab temporarily to 644, and sure enough, the error goes 
> away....  so somehow when the user is logging in, it seems that 
> winbind is trying to read the keytab as user.  It's not clear why that 
> would be, but while a google search hasn't revealed the reason for 
> this error, I do see it in a whole lot of log files. It's just that 
> when I'm trying to ensure there are no problems with my setup, and 
> trying to understand the errors that do show up, it can cause panic.  
> Whether it's a problem or not, I do not know

The keytab shouldn't be a problem, what are the permissions on 
/etc/krb5.conf ?

Rowland


The permissio
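
As an added example (not part of the thread and not Samba project code): a small Python triage script that groups the log events quoted above by pid, so repeated page-size reductions, Bind NACKs and ads_find_dc failures can be lined up against DC reboots or DNS/network trouble. The sample input is reconstructed from the log lines in the message, the header layout is assumed to match what is quoted there, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the thread, unwrapped to one
# header line plus one indented message line each.
SAMPLE = """\
[2020/10/12 09:25:19.183616,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/rpc_client/cli_pipe.c:422(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:422: Bind NACK received from host dc1.ad.eecs.yorku.ca!
[2020/10/12 09:44:11.598150,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/10/12 10:00:19.814381,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
[2020/10/12 10:16:19.557261,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 250 to 125 due to IO_TIMEOUT
[2020/10/11 22:43:29.843630,  1, pid=969, effective(0, 0), real(0, 0)] ../../source3/libads/ldap.c:565(ads_find_dc)
  ads_find_dc: name resolution for realm 'AD.EECS.YORKU.CA' (domain 'EECSYORKUCA') failed: NT_STATUS_NO_LOGON_SERVERS
"""

# Header layout assumed from the quoted lines: [timestamp, level, pid=N, ...] file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+\d+,\s+pid=(?P<pid>\d+),[^\]]*\]\s+\S+\(\w+\)\s*$")
EVENTS = {
    "page_reduced": re.compile(r"Reducing LDAP page size from (\d+) to (\d+) due to (\w+)"),
    "bind_nack": re.compile(r"Bind NACK received from host (\S+?)!"),
    "find_dc_failed": re.compile(r"ads_find_dc: .*failed: (\w+)"),
}

def parse_records(text):
    """Return [timestamp, pid, message] per record; continuation lines are joined."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["ts"], int(m["pid"]), ""])
        elif records and line.strip():
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return records

def triage(text):
    """Group matched events per pid as (timestamp, *captured fields)."""
    summary = defaultdict(lambda: defaultdict(list))
    for ts, pid, msg in parse_records(text):
        for name, rx in EVENTS.items():
            m = rx.search(msg)
            if m:
                summary[pid][name].append((ts, *m.groups()))
    return summary

if __name__ == "__main__":
    for pid, events in triage(SAMPLE).items():
        print(pid, dict(events))
```
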


