[Samba] Strange problem with winbind on linux domain member (works for 2 minutes...)
Jakob Curdes
jc at info-systems.de
Thu Feb 5 15:15:34 UTC 2026
On 05.02.2026 at 14:57, Rowland Penny via samba wrote:
> On Thu, 5 Feb 2026 14:19:40 +0100
> Jakob Curdes via samba <samba at lists.samba.org> wrote:
>
>> Hello, after upgrading a samba4 AD domain member server on ubuntu24
>> (Re-joined with same name, but probably unrelated), I experience a
>> strange behavior.
>>
>> When starting all three services smbd,nmbd,winbind, everything works.
>> Then after about 2 minutes, the shares are not accessible any more,
>> and winbind shows an error message on systemctl status:
>>
>> Feb 05 13:35:01 *** winbindd[3131]: [2026/02/05 13:35:01.392619, 0]
>> source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
>> Feb 05 13:35:01 *** winbindd[3131]: open_internal_samr_conn: Could
>> not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED
>>
>> I first had the time sync as idea, but the server is in sync with DC
>> and the workstations which are also domain members.
>> Time zone is also the same.
>> Other than this error I find no clues. All wbinfo tests succeed,
>> kerberos is fine, etc.
>>
>> Probably relevant part of smb.conf (but this config is exactly the
>> same as before the upgrade):
>>
>> winbind refresh tickets = Yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind use default domain = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = Yes
>> winbind expand groups = 4
>>
>> Any idea what could cause this? The DCs are also Ubuntu 24. We have
>> no other known issues in the domain, but this is actually the only LINUX
>> member server.
>> I now restart winbind every minute via cron, but this is obviously a
>> workaround....
>>
>> Best regards, Jakob
> The entire smb.conf may be relevant, so can you please post the output
> (sanitised if you must) of 'testparm -s'.
>
> Rowland
Hello Rowland, here is the entire smb.conf (some identical shares
omitted for length)
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "server schannel" option is
deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
interfaces = lo AAA.BBB.CCC.DDD
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/%m.log
printcap name = /dev/null
realm = XX.YYYYY.LOCAL
security = ADS
template homedir = /home/%U
template shell = /bin/nologin
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 4
winbind refresh tickets = Yes
workgroup = WW
recycle:minsize = 167
recycle:exclude =
*.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb,
~s*, Backup*, AUTOBACKUP*
recycle:exclude_dir = /tmp /temp /cache /.Cache /.cache
recycle:versions = yes
recycle:keeptree = no
recycle:subdir_mode = 0700
recycle:directory_mode = 0770
idmap config ov : range = 300000-400000
idmap config ov : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
access based share enum = Yes
hide files = /.*/
map readonly = yes
printing = bsd
store dos attributes = No
veto files = /lost+found/
vfs objects = recycle
[xyz]
access based share enum = No
create mask = 0770
directory mask = 0770
force group = WW\ww-staff
hide files = /._moved/*._moved/
path = /xxxxxxxxx
read only = No
valid users = @WW\ww-staff
(many more shares with identical config, no further non-share items below)
Best regards, Jakob