samba - Sep 2015 - Samba AD - Issue with winbindd: Could not write result

I've implemented AD samba in our structure almost one month, after almost
two months of tests. Everything is working, including GPO, although we are still
adapting to the new way of working, after all AD domains is quite different from
NT domains.

But I have experienced strange problems with the winbindd, which has happened at
least 3 times.

Suddenly users can no longer authenticate, and services that depend on AD for
account validation begin to fail. The solution is to stop the samba and start
again.

Follow the logs that could identify: 

* /var/log/messages 
Sep 1 09:07:52 ### winbindd [19488]: [01/09/2015 09: 07: 52.255050, 0]
../source3/winbindd/winbindd_dual.c:105(child_write_response)
Sep 1 09:07:52 ### winbindd [19488]: Could not write result 

And after several such errors, logging changes to: 
Sep 1 09:07:53 winbindd ### [3068]: [01/09/2015 09: 07: 53.556980, 0]
../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
Sep 1 09:07:53 winbindd ### [3068]: winbindd: Exceeding 800 client connections,
the idle connection found

In the samba logs (/opt/samba/var) there is no log. 

The following configuration of smb.conf: 
# Global parameters 
[global] 
workgroup = DOMAIN 
realm = DOMAIN.COM 
netbios name = SERVER 
server role = active directory domain controller 
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes 

# -------------------------------------------- 
# LOG 
# %U = Usuario %m = machine 
log file = /opt/samba/var/machine/%U_%m 
# 15 Mb 
max log size = 15360 
log level = 2 

# -------------------------------------------- 
deadtime = 5 

# -------------------------------------------- 
# WINBIND 
winbind use default domain = yes 
template homedir = /home/%U 
template shell=/bin/bash 

winbind max clients = 1200 
winbind nested groups = false 
winbind enum users = no 
winbind enum groups = no 

# -------------------------------------------- 
# Linguagens 
# cp850 -> Compatibilidade com Acentos (ISO8859-1 - Western European Unix) 
#display charset = ISO8859-1 
unix charset = cp850 
dos charset = cp850 

We have a PDC and a BDC configured, both with named as backend. 

Just for records, right now I have only 226 connections open to samba: 
[root@### var]# ps axf | grep "\_ /opt/samba/sbin/smbd" | wc -l 
226 

Any help is appreciate. 

Regards, 

Rafael Domiciano

On 01/09/15 14:49, Rafael Domiciano wrote:
> I've implemented AD samba in our structure almost one month, after
almost two months of tests. Everything is working, including GPO, although we
are still adapting to the new way of working, after all AD domains is quite
different from NT domains.
>
> But I have experienced strange problems with the winbindd, which has
happened at least 3 times.
>
> Suddenly users can no longer authenticate, and services that depend on AD
for account validation begin to fail. The solution is to stop the samba and
start again.
>
> Follow the logs that could identify:
>
> * /var/log/messages
> Sep 1 09:07:52 ### winbindd [19488]: [01/09/2015 09: 07: 52.255050, 0]
../source3/winbindd/winbindd_dual.c:105(child_write_response)
> Sep 1 09:07:52 ### winbindd [19488]: Could not write result
>
> And after several such errors, logging changes to:
> Sep 1 09:07:53 winbindd ### [3068]: [01/09/2015 09: 07: 53.556980, 0]
../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
> Sep 1 09:07:53 winbindd ### [3068]: winbindd: Exceeding 800 client
connections, the idle connection found
>
> In the samba logs (/opt/samba/var) there is no log.
>
> The following configuration of smb.conf:
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> netbios name = SERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> # --------------------------------------------
> # LOG
> # %U = Usuario %m = machine
> log file = /opt/samba/var/machine/%U_%m
> # 15 Mb
> max log size = 15360
> log level = 2
>
> # --------------------------------------------
> deadtime = 5
>
> # --------------------------------------------
> # WINBIND
> winbind use default domain = yes
> template homedir = /home/%U
> template shell=/bin/bash
>
> winbind max clients = 1200
> winbind nested groups = false
> winbind enum users = no
> winbind enum groups = no
>
> # --------------------------------------------
> # Linguagens
> # cp850 -> Compatibilidade com Acentos (ISO8859-1 - Western European
Unix)
> #display charset = ISO8859-1
> unix charset = cp850
> dos charset = cp850
Hi, if you use samba4 as an AD DC all the lines you added that start 
with 'winbind' will be ignored.
>
> We have a PDC and a BDC configured, both with named as backend.
No you don't, you have two DCs, all DCs are equal apart from the FSMO roles.
>
> Just for records, right now I have only 226 connections open to samba:
> [root@### var]# ps axf | grep "\_ /opt/samba/sbin/smbd" | wc -l
> 226
>
> Any help is appreciate.
There doesn't seem to be anything really wrong, so can you post a bit 
more info, what OS, what version of samba, where did it come from, self 
compiled, OS packages or Sernet packages. Can you also post krb5.conf 
and resolv.conf from both DCs

Rowland
> Regards,
>
> Rafael Domiciano

Hi Rowland, thanks for your response. 

Both samba is self compiled . 

DC 1: 
[root at wdc samba]# uname -a 
Linux wdc 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC 2015 x86_64
x86_64 x86_64 GNU/Linux

[root at wdc samba]# cat /etc/redhat-release 
CentOS release 6.6 (Final) 

[root at wdc samba]# cat /etc/resolv.conf 
search DOMAIN 
nameserver 172.16.5.22 
nameserver 172.16.5.1 
nameserver 8.8.8.8 

[root at wdc samba]# samba -V 
Version 4.2.3 

[root at wdc samba]# cat /etc/krb5.conf 
[libdefaults] 
default_realm = DOMAIN.COM 
dns_lookup_realm = false 
dns_lookup_kdc = true 

DC 2: 
[root at bcd samba]# uname -a 
Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014
x86_64 x86_64 x86_64 GNU/Linux

[root at bcd samba]# cat /etc/redhat-release 
CentOS release 6.6 (Final) 

[root at bcd samba]# cat /etc/resolv.conf 
search DOMAIN 
nameserver 172.16.5.1 
nameserver 172.16.5.22 
nameserver 8.8.8.8 

[root at bcd samba]# samba -V 
Version 4.2.3 

[root at bcd samba]# cat /etc/krb5.conf 
[libdefaults] 
default_realm = DOMAIN.COM 
dns_lookup_realm = false 
dns_lookup_kdc = true 


About the winbindd I got some perfomance with the following lines, and I could
reproduce this in my tests, so in some manner they get processed at some time:
> winbind use default domain = yes 
> winbind nested groups = false 
> winbind enum users = no 
> winbind enum groups = no 
Rafael 

----- Mensagem original -----

De: "Rowland Penny" <rowlandpenny241155 at gmail.com> 
Para: samba at lists.samba.org 
Enviadas: Terça-feira, 1 de Setembro de 2015 11:20:33 
Assunto: Re: [Samba] Samba AD - Issue with winbindd: Could not write result 

On 01/09/15 14:49, Rafael Domiciano wrote: 
> I've implemented AD samba in our structure almost one month, after
almost two months of tests. Everything is working, including GPO, although we
are still adapting to the new way of working, after all AD domains is quite
different from NT domains.
> 
> But I have experienced strange problems with the winbindd, which has
happened at least 3 times.
> 
> Suddenly users can no longer authenticate, and services that depend on AD
for account validation begin to fail. The solution is to stop the samba and
start again.
> 
> Follow the logs that could identify: 
> 
> * /var/log/messages 
> Sep 1 09:07:52 ### winbindd [19488]: [01/09/2015 09: 07: 52.255050, 0]
../source3/winbindd/winbindd_dual.c:105(child_write_response)
> Sep 1 09:07:52 ### winbindd [19488]: Could not write result 
> 
> And after several such errors, logging changes to: 
> Sep 1 09:07:53 winbindd ### [3068]: [01/09/2015 09: 07: 53.556980, 0]
../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
> Sep 1 09:07:53 winbindd ### [3068]: winbindd: Exceeding 800 client
connections, the idle connection found
> 
> In the samba logs (/opt/samba/var) there is no log. 
> 
> The following configuration of smb.conf: 
> # Global parameters 
> [global] 
> workgroup = DOMAIN 
> realm = DOMAIN.COM 
> netbios name = SERVER 
> server role = active directory domain controller 
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes 
> 
> # -------------------------------------------- 
> # LOG 
> # %U = Usuario %m = machine 
> log file = /opt/samba/var/machine/%U_%m 
> # 15 Mb 
> max log size = 15360 
> log level = 2 
> 
> # -------------------------------------------- 
> deadtime = 5 
> 
> # -------------------------------------------- 
> # WINBIND 
> winbind use default domain = yes 
> template homedir = /home/%U 
> template shell=/bin/bash 
> 
> winbind max clients = 1200 
> winbind nested groups = false 
> winbind enum users = no 
> winbind enum groups = no 
> 
> # -------------------------------------------- 
> # Linguagens 
> # cp850 -> Compatibilidade com Acentos (ISO8859-1 - Western European
Unix)
> #display charset = ISO8859-1 
> unix charset = cp850 
> dos charset = cp850 
Hi, if you use samba4 as an AD DC all the lines you added that start 
with 'winbind' will be ignored. 
> 
> We have a PDC and a BDC configured, both with named as backend. 
No you don't, you have two DCs, all DCs are equal apart from the FSMO roles.
> 
> Just for records, right now I have only 226 connections open to samba: 
> [root@### var]# ps axf | grep "\_ /opt/samba/sbin/smbd" | wc -l 
> 226 
> 
> Any help is appreciate. 
There doesn't seem to be anything really wrong, so can you post a bit 
more info, what OS, what version of samba, where did it come from, self 
compiled, OS packages or Sernet packages. Can you also post krb5.conf 
and resolv.conf from both DCs 

Rowland 
> Regards, 
> 
> Rafael Domiciano 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba