[Samba] samba AD problem after re-join domain
Rowland Penny
rpenny at samba.org
Mon Oct 12 15:51:23 UTC 2020
On 12/10/2020 16:11, Jason Keltz wrote:
>
>> Hi Rowland,
>>
>> I did not leave the domain, but I did delete the entry by either the
>> Windows AD tool or "samba-tool computer delete" option. I can't
>> remember which one at this point. I think that clears up all the
>> bits. Is that correct? On the local host, I also deleted the
>> /etc/krb5.keytab, and deleted all the samba bits so that the join was
>> fresh.
I would always 'leave' the domain first, before doing anything else.
>>
>>
>> By the way, at one point, I rebooted the DC, and I noticed that all
>> the AD clients showed something like this:
>>
>> [2020/10/12 09:25:19.183616, 1, pid=36145, effective(0, 0), real(0,
>> 0)]
>> ../../source3/rpc_client/cli_pipe.c:422(cli_pipe_validate_current_pdu)
>> ../../source3/rpc_client/cli_pipe.c:422: Bind NACK received from
>> host dc1.ad.eecs.yorku.ca!
>> [2020/10/12 09:44:11.598150, 1, pid=36145, effective(0, 0), real(0,
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>> Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
>>
>> (Which is strange because this means that if you reboot the DC, then
>> the clients start talking slower to it when it comes back up? I
>> don't think the number ever increases unless you restart winbind
>> everywhere?)
'page size' refers to the number of records returned. I would be more
worried about the 'IO_TIMEOUT'.
>>
>> and since that reboot, I've seen a few of them do this:
>>
>> [2020/10/12 10:00:19.814381, 1, pid=36145, effective(0, 0), real(0,
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>> Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
>> [2020/10/12 10:16:19.557261, 1, pid=36145, effective(0, 0), real(0,
>> 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>> Reducing LDAP page size from 250 to 125 due to IO_TIMEOUT
>>
>> Two of them are virtualbox VMs, so I figured maybe it's some kind of
>> virtualbox thing, but one of them is an actual machine and still has
>> the same error. The DC is very lightly loaded. How would I debug
>> what is causing this reduction in IO?
I would be checking your network connections etc.
>>
>> I know that various errors in the Samba logs are not "issues" but
>> this one seems to be an issue. I don't like seeing IO_TIMEOUTs.
>>
>> Another distracting error in the log included:
>>
>> [2020/10/11 22:43:29.843630, 1, pid=969, effective(0, 0), real(0,
>> 0)] ../../source3/libads/ldap.c:565(ads_find_dc)
>> ads_find_dc: name resolution for realm 'AD.EECS.YORKU.CA' (domain
>> 'EECSYORKUCA') failed: NT_STATUS_NO_LOGON_SERVERS
That makes me think of dns/network problems.
>>
>> ... after boot which sounds serious but it turns out if I try to
>> authenticate before everything is up and running, that's what I get.
>> The error makes sense but there's no "follow up" to say: "Ok ok - I
>> found it now - Sorry to give you a heart attack.". It's all a
>> learning experience.
>>
>> <snipped>
>> Jason
>
>
>
> I wonder if this is a regular error and everyone is seeing this in their
> logs? Just for fun, I tried to change the permission of
> /etc/krb5.keytab temporarily to 644, and sure enough, the error goes
> away.... so somehow when the user is logging in, it seems that
> winbind is trying to read the keytab as user. It's not clear why that
> would be, but while a google search hasn't revealed the reason for
> this error, I do see it in a whole lot of log files. It's just that
> when I'm trying to ensure there are no problems with my setup, and
> trying to understand the errors that do show up, it can cause panic.
> Whether it's a problem or not, I do not know.
The keytab shouldn't be a problem, what are the permissions on
/etc/krb5.conf?
Rowland
The permissio
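
Added example, not part of the original message and not Samba code: a small parser for winbind log records in the format quoted in this thread, which lists each LDAP page-size reduction per pid, the seconds between reductions, and a count of NT_STATUS codes. It assumes the lines are read from the log file itself (not wrapped by a mail client); the sample data is constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# A record is a header "[time, level, pid=N, ...] file:line(func)" plus message lines.
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+), pid=(\d+)[^\]]*\]")
PAGE = re.compile(r"Reducing LDAP page size from (\d+) to (\d+) due to (\w+)")
NT_STATUS = re.compile(r"\bNT_STATUS_\w+")
# Constructed sample modelled on the excerpts in the thread (realm is a placeholder).
SAMPLE = """\
[2020/10/11 22:43:29.843630,  1, pid=969, effective(0, 0), real(0, 0)] ../../source3/libads/ldap.c:565(ads_find_dc)
  ads_find_dc: name resolution for realm 'AD.EXAMPLE.COM' (domain 'EXAMPLE') failed: NT_STATUS_NO_LOGON_SERVERS
[2020/10/12 09:44:11.598150,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/10/12 10:00:19.814381,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
[2020/10/12 10:16:19.557261,  1, pid=36145, effective(0, 0), real(0, 0)] ../../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 250 to 125 due to IO_TIMEOUT
"""

def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append({"time": when, "pid": int(m.group(3)), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Per pid: page-size steps and seconds between them; plus NT_STATUS counts."""
    steps, statuses = {}, Counter()
    for rec in parse_records(text):
        statuses.update(NT_STATUS.findall(rec["msg"]))
        m = PAGE.search(rec["msg"])
        if m:
            steps.setdefault(rec["pid"], []).append((rec["time"], int(m[1]), int(m[2]), m[3]))
    gaps = {pid: [round((b[0] - a[0]).total_seconds()) for a, b in zip(s, s[1:])]
            for pid, s in steps.items()}
    return steps, gaps, statuses

if __name__ == "__main__":
    steps, gaps, statuses = summarize(SAMPLE)
    for pid, s in steps.items():
        print(pid, [(old, new, why) for _, old, new, why in s], gaps[pid])
    print(dict(statuses))
```

Run against the log of each affected client, the gap list shows whether the timeouts recur at a steady interval or cluster around events such as a DC reboot.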