From: Andrew Tranquada on 26 Mar 2010 11:00

I see this was created as bug 7259 but I did not see anything in the mailing list about this problem. Does anyone else have a problem like this? Is there something in my configuration that is incorrect?

We have two domain controllers, and if we reboot either one of them, winbind hangs, and we cannot lookup any ids, and since logins are requiring group lookups, it makes logging in as a local user hang, effectively locking us out of the box. If we continue to try as a local user we can eventually get in, but it is less than ideal and scares everyone when you cannot log in. Not rebooting the AD servers is not an option, we do keep our boxes patched with updates.

What appears to happen is that rebooting one of the AD servers causes winbind to get some kind of error, and stop listening on /tmp/.winbind/pipe

when we do an lsof of /tmp/.winbind/pipe and then strace -p any of the winbind processes, none of them are looking (in their select) at the file descriptor(s) listed by lsof.

So it seems that when one ad server is restarted, winbind does not like it and errors, and stops listening on that pipe, and when any communication happens (sid-uid lookups), since no one is responding on that pipe/socket, it hangs.

This is with samba 3.4.5

our samba config:

    netbios name = nimdev-afs1
    workgroup = <redacted>
    security = ads
    realm = <redacted>
    kerberos method = system keytab
    idmap backend = hash
    idmap uid = 4000-100000000
    idmap gid = 4000-100000000
    winbind enum users = yes
    winbind enum groups = yes
    auth methods = winbind
    template shell = /bin/bash
    template homedir = /home/%U
    winbind normalize names = yes
    winbind use default domain = yes
    allow trusted domains = no
    winbind cache time = 3600

What more information can I provide that would be helpful?

Thank you

--
Andrew Tranquada
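The comparison described in the post (the fds lsof lists for /tmp/.winbind/pipe against the read set in a winbindd process's select() call), as an added example that is not part of the original message or of Samba. The function names, the PIDs and the sample lsof/strace text are constructed for illustration, and the usual lsof column layout (PID in column 2, FD in column 4, NAME last) is assumed.

```sh
#!/bin/sh
# Added example: offline version of the lsof/strace comparison from the post.
# All sample text below is constructed, not captured from a real host.

# Print the numeric fds one PID holds open on a socket path.
# $1 = lsof output, $2 = pid, $3 = socket path
pipe_fds() {
    printf '%s\n' "$1" | awk -v pid="$2" -v path="$3" '
        $2 == pid && $NF == path { fd = $4; sub(/[^0-9]+$/, "", fd); print fd }'
}

# Print, one per line, the read-set fds of the last select() call in strace output.
# $1 = strace output
select_read_fds() {
    printf '%s\n' "$1" |
        sed -n 's/.*select([0-9]*, \[\([0-9 ]*\)\].*/\1/p' |
        tail -n 1 | tr ' ' '\n'
}

# Print the pipe fds the process is NOT waiting on. Empty output means every
# fd on the pipe is in the select() read set. If the trace contains no
# select() line, every pipe fd is reported, since nothing confirms it is watched.
# $1 = lsof output, $2 = strace output, $3 = pid, $4 = socket path
unwatched_fds() {
    watched=$(select_read_fds "$2")
    for fd in $(pipe_fds "$1" "$3" "$4"); do
        printf '%s\n' "$watched" | grep -qx "$fd" || echo "$fd"
    done
}

# Constructed samples: two winbindd processes, fd 18 is the pipe in both.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF  NODE NAME
winbindd 2301 root   18u  unix 0xffff8800      0t0 11873 /tmp/.winbind/pipe
winbindd 2305 root   18u  unix 0xffff8800      0t0 11873 /tmp/.winbind/pipe'
STRACE_HUNG='select(24, [7 15 16 19 23], [], NULL, {9, 0}) = 0 (Timeout)'
STRACE_OK='select(24, [7 15 16 18 19 23], [], NULL, {9, 0}) = 0 (Timeout)'

# On a live host the inputs would come from the commands named in the post:
#   unwatched_fds "$(lsof /tmp/.winbind/pipe)" "$(strace output for PID)" PID /tmp/.winbind/pipe
echo "hung process, unwatched pipe fds: $(unwatched_fds "$LSOF_SAMPLE" "$STRACE_HUNG" 2301 /tmp/.winbind/pipe)"
echo "healthy process, unwatched pipe fds: $(unwatched_fds "$LSOF_SAMPLE" "$STRACE_OK" 2305 /tmp/.winbind/pipe)"
```

A non-empty result for every winbindd PID matches the state the post reports, where no process is servicing the socket that clients connect to.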