samba - Jan 2007 - net rpc group members timeout

Hello,

Occasionally when I perform "net rpc group members (group a)," I get a
timeout. When I do "net rpc group members (group b)," I always get a
timeout.

I get the following error:

[2007/01/05 16:36:18, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine 127.0.0.1 pipe \samr fnum
0x72cdreturned critical error. Error was Call timed out: server did
not respond after 10000 milliseconds
[2007/01/05 16:36:18, 0] libsmb/clientgen.c:cli_rpc_pipe_close(375)
  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x72cd to
machine 127.0.0.1.  Error was Call timed out: server did not respond
after 10000 milliseconds

Everything looks appropriate when looking at "net groupmap list."

We are using NIS (I have begun a phased transition to LDAP and
Kerberos), and NIS sometimes times out. Still, I overrode nsswitch and
PAM to use LDAP and Kerberos respectively and no NIS, but this only
marginally helps things.

Can this timeout be raised? Is there some other underlying problem? We
are using NSCD. There are a lot of user accounts.

I have seen this problem discussed elsewhere, but nobody has proffered
any solutions.

Version: 3.0.22-1ubuntu3.1

Here's a copy of the Samba configuration:

[global]
   netbios name = COPPER
   workgroup = blah
   server string = %h via SAMBA

#   passdb backend = smbpasswd
   passdb backend = tdbsam:/var/lib/samba/passdb.tdb
   security = user
   username map = /etc/samba/smbusers

   name resolve order = wins bcast hosts lmhosts
   wins support = yes

   domain master = yes
   local master = yes
   domain logons = yes
   preferred master = yes
   os level = 255

   printcap = cups
   printing = cups
   load printers = yes

   #logon drive = H:
   logon script = logon.bat
   logon path = ""
   #logon path = \\%N\profile\%U
   #logon home = \\%L\

   #log level = 0 printdrivers:10 rpc_srv:10 rpc_cli:10 smb:10
   #log level = 0 smb:10 passdb:10 tbd:10 lanman:10 acls:10
   log level = 10
   log file = /var/log/samba/log.%m
   debug timestamp = yes

   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   deadtime = 120

   time server = yes

   hide dot files = yes
   hide unreadable = yes

   guest ok = no
   guest account = nobody

   admin users = @newadm
   #domain admin group = @newadm
   #domain admin users = root

   encrypt passwords = yes
   null passwords = yes
   #unix password sync = yes
   #passwd program = /usr/bin/yppasswd %u
   #passwd chat = *old\spassword:* %o\n *new\spassword:** %n\n
*new\spassword:** %n *changed* .
   #obey pam restrictions = yes

   unix charset = ISO8859-1

   add machine script = /var/lib/samba/scripts/smb-add-machine %u

   map to guest = nobody

   preserve case = yes
   short preserve case = yes
   #All blah subnets should be enumerated here.
   #remote announce = 128.101.10.252/NT_blah 192.168.116.192/NT_blah

   enable privileges = yes

   printer admin = "blah\Domain Admins"

# Experimental
# These settings should either be inverted to the formerly noted defaults
# or removed entirely.
   strict locking = no
# Was no
   kernel oplocks = no
# Was no
   oplocks = no
# Was unset
   locking = no


[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = yes
   writeable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   writeable = no
   public = yes
   write list = root, @newadm

[netlogon]
   comment = Remote Login
   path = /var/lib/samba/netlogon
   writeable = no
   browseable = no
   admin users = root, @newadm
   write list = root, @newadm

#[profile]
#   comment = Roaming Profiles
#   path = /var/lib/samba/profiles
#   create mode = 0600
#   directory mode = 0700
#   writable = yes
#   default case = lower
#   preserve case = no
#   short preserve case = no
#   case sensitive = no
#   #write list = root @blah
#   csc policy = disable
#   browseable = no
#   force user = %U
#   #profile acls = yes
#   #valid users = %U@"Domain Admins"

[homes]
   comment = UNIX Home Directory
   volume = %u
   browseable = no
   writeable = yes
   guest ok = no
   inherit permissions = yes
   #valid users = root @blah
   valid users = %S
   invalid users = guest nobody
   create mask = 0644
   directory mask = 0755
   public = no
   locking = no

[staff]
   comment = blah Staff Files --- Privileged
   volume = Staff
   browseable = no
   path = /srv/staff
   public = no
   writeable = yes
   create mask = 0770
   directory mask = 2770
   force group = +newstaff
   valid users = @newstaff

[accounting]
   comment = blah Accounting Files --- Privileged
   volume = Accounting
   browseable = no
   path = /srv/accounting
   public = no
   writeable = yes
   create mask = 0770
   directory mask = 2770
   force group = +blah_acct
   valid users = @blah_acct

[software]
   comment = Shared Software --- Privileged
   volume = Software
   browseable = no
   path = /srv/software
   public = no
   writeable = yes
   create mask = 0770
   directory mask = 2770
   force group = +blah_main
   valid users = root administrator @blah_main

[public]
   comment = Public Placement
   volume = Public
   browseable = yes
   path = /srv/public
   public = yes
   guest ok = yes
   writeable = yes
   create mask = 0770
   directory mask = 2770
   force group = +blah
   valid users = @blah

I set up an NIS slave on the Samba server, and this appears to fix the problem.

On 1/5/07, Matt Proud <matt.proud.list@gmail.com>
wrote:
> Hello,
>
> Occasionally when I perform "net rpc group members (group a)," I
get a
> timeout. When I do "net rpc group members (group b)," I always
get a
> timeout.
>
> I get the following error:
>
> [2007/01/05 16:36:18, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
>   rpc_api_pipe: Remote machine 127.0.0.1 pipe \samr fnum
> 0x72cdreturned critical error. Error was Call timed out: server did
> not respond after 10000 milliseconds
> [2007/01/05 16:36:18, 0] libsmb/clientgen.c:cli_rpc_pipe_close(375)
>   cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x72cd to
> machine 127.0.0.1.  Error was Call timed out: server did not respond
> after 10000 milliseconds
>
> Everything looks appropriate when looking at "net groupmap list."
>
> We are using NIS (I have begun a phased transition to LDAP and
> Kerberos), and NIS sometimes times out. Still, I overrode nsswitch and
> PAM to use LDAP and Kerberos respectively and no NIS, but this only
> marginally helps things.
>
> Can this timeout be raised? Is there some other underlying problem? We
> are using NSCD. There are a lot of user accounts.
>
> I have seen this problem discussed elsewhere, but nobody has proffered
> any solutions.
>
> Version: 3.0.22-1ubuntu3.1
>
> Here's a copy of the Samba configuration:
>
> [global]
>    netbios name = COPPER
>    workgroup = blah
>    server string = %h via SAMBA
>
> #   passdb backend = smbpasswd
>    passdb backend = tdbsam:/var/lib/samba/passdb.tdb
>    security = user
>    username map = /etc/samba/smbusers
>
>    name resolve order = wins bcast hosts lmhosts
>    wins support = yes
>
>    domain master = yes
>    local master = yes
>    domain logons = yes
>    preferred master = yes
>    os level = 255
>
>    printcap = cups
>    printing = cups
>    load printers = yes
>
>    #logon drive = H:
>    logon script = logon.bat
>    logon path = ""
>    #logon path = \\%N\profile\%U
>    #logon home = \\%L\
>
>    #log level = 0 printdrivers:10 rpc_srv:10 rpc_cli:10 smb:10
>    #log level = 0 smb:10 passdb:10 tbd:10 lanman:10 acls:10
>    log level = 10
>    log file = /var/log/samba/log.%m
>    debug timestamp = yes
>
>    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192
>    deadtime = 120
>
>    time server = yes
>
>    hide dot files = yes
>    hide unreadable = yes
>
>    guest ok = no
>    guest account = nobody
>
>    admin users = @newadm
>    #domain admin group = @newadm
>    #domain admin users = root
>
>    encrypt passwords = yes
>    null passwords = yes
>    #unix password sync = yes
>    #passwd program = /usr/bin/yppasswd %u
>    #passwd chat = *old\spassword:* %o\n *new\spassword:** %n\n
> *new\spassword:** %n *changed* .
>    #obey pam restrictions = yes
>
>    unix charset = ISO8859-1
>
>    add machine script = /var/lib/samba/scripts/smb-add-machine %u
>
>    map to guest = nobody
>
>    preserve case = yes
>    short preserve case = yes
>    #All blah subnets should be enumerated here.
>    #remote announce = 128.101.10.252/NT_blah 192.168.116.192/NT_blah
>
>    enable privileges = yes
>
>    printer admin = "blah\Domain Admins"
>
> # Experimental
> # These settings should either be inverted to the formerly noted defaults
> # or removed entirely.
>    strict locking = no
> # Was no
>    kernel oplocks = no
> # Was no
>    oplocks = no
> # Was unset
>    locking = no
>
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /tmp
>    printable = yes
>    public = yes
>    writeable = no
>    create mode = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    writeable = no
>    public = yes
>    write list = root, @newadm
>
> [netlogon]
>    comment = Remote Login
>    path = /var/lib/samba/netlogon
>    writeable = no
>    browseable = no
>    admin users = root, @newadm
>    write list = root, @newadm
>
> #[profile]
> #   comment = Roaming Profiles
> #   path = /var/lib/samba/profiles
> #   create mode = 0600
> #   directory mode = 0700
> #   writable = yes
> #   default case = lower
> #   preserve case = no
> #   short preserve case = no
> #   case sensitive = no
> #   #write list = root @blah
> #   csc policy = disable
> #   browseable = no
> #   force user = %U
> #   #profile acls = yes
> #   #valid users = %U@"Domain Admins"
>
> [homes]
>    comment = UNIX Home Directory
>    volume = %u
>    browseable = no
>    writeable = yes
>    guest ok = no
>    inherit permissions = yes
>    #valid users = root @blah
>    valid users = %S
>    invalid users = guest nobody
>    create mask = 0644
>    directory mask = 0755
>    public = no
>    locking = no
>
> [staff]
>    comment = blah Staff Files --- Privileged
>    volume = Staff
>    browseable = no
>    path = /srv/staff
>    public = no
>    writeable = yes
>    create mask = 0770
>    directory mask = 2770
>    force group = +newstaff
>    valid users = @newstaff
>
> [accounting]
>    comment = blah Accounting Files --- Privileged
>    volume = Accounting
>    browseable = no
>    path = /srv/accounting
>    public = no
>    writeable = yes
>    create mask = 0770
>    directory mask = 2770
>    force group = +blah_acct
>    valid users = @blah_acct
>
> [software]
>    comment = Shared Software --- Privileged
>    volume = Software
>    browseable = no
>    path = /srv/software
>    public = no
>    writeable = yes
>    create mask = 0770
>    directory mask = 2770
>    force group = +blah_main
>    valid users = root administrator @blah_main
>
> [public]
>    comment = Public Placement
>    volume = Public
>    browseable = yes
>    path = /srv/public
>    public = yes
>    guest ok = yes
>    writeable = yes
>    create mask = 0770
>    directory mask = 2770
>    force group = +blah
>    valid users = @blah
>