Rowland Penny
2015-Sep-02 12:49 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
On 02/09/15 13:34, Rafael Domiciano wrote:
> The same problem occurred today. The same log in /var/log/messages in
> DC, and I have to stop and start the samba service. Any help is
> appreciated.
>
> Regards,
>
> Rafael
>
> ------------------------------------------------------------------------
> *From: *"Rafael Domiciano" <r.domiciano at senff.com.br>
> *To: *"Rowland Penny" <rowlandpenny241155 at gmail.com>
> *Cc: *samba at lists.samba.org
> *Sent: *Tuesday, 1 September 2015 14:07:10
> *Subject: *Re: [Samba] Samba AD - Issue with winbindd: Could not write
> result
>
> ------------------------------------------------------------------------
> *From: *"Rowland Penny" <rowlandpenny241155 at gmail.com>
> *To: *samba at lists.samba.org
> *Sent: *Tuesday, 1 September 2015 12:05:20
> *Subject: *Re: [Samba] Samba AD - Issue with winbindd: Could not write
> result
>
> On 01/09/15 15:33, Rafael Domiciano wrote:
> > Hi Rowland, thanks for your response.
> >
> > Both samba is self compiled.
> >
> > DC 1:
> > [root at wdc samba]# uname -a
> > Linux wdc 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC
> > 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> > [root at wdc samba]# cat /etc/redhat-release
> > CentOS release 6.6 (Final)
> >
> > [root at wdc samba]# cat /etc/resolv.conf
> > search DOMAIN
> > nameserver 172.16.5.22
> > nameserver 172.16.5.1
> > nameserver 8.8.8.8
> >
> > [root at wdc samba]# samba -V
> > Version 4.2.3
> >
> > [root at wdc samba]# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = DOMAIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > DC 2:
> > [root at bcd samba]# uname -a
> > Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
> > 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >
> > [root at bcd samba]# cat /etc/redhat-release
> > CentOS release 6.6 (Final)
> >
> > [root at bcd samba]# cat /etc/resolv.conf
> > search DOMAIN
> > nameserver 172.16.5.1
> > nameserver 172.16.5.22
> > nameserver 8.8.8.8
> >
> > [root at bcd samba]# samba -V
> > Version 4.2.3
> >
> > [root at bcd samba]# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = DOMAIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > About the winbindd I got some performance with the following lines, and
> > I could reproduce this in my tests, so in some manner they get
> > processed at some time:
> > > winbind use default domain = yes
> > > winbind nested groups = false
> > > winbind enum users = no
> > > winbind enum groups = no
> >
> > Rafael
> >
> > ------------------------------------------------------------------------
>
> Hmm, again there doesn't seem to be anything really wrong, only
> possibility is the resolv.conf files, I take it that 'search DOMAIN' is
> really 'search domain.com' i.e. DOMAIN is the dns domain name. I also
> take it that the two '172.16.5.x' numbers are the ipaddress of the two
> DCs and each DC points to the other DC first, you do not actually
> need the google line, this should be set as a forwarder in named.conf.
>
> Ok, I've changed the configuration, now named is forwarding, and the
> "nameserver 8.8.8.8" isn't anymore on resolv.conf.
>
> The only thing I can think is that you missed installing a package
> before compiling Samba, is this in production ? could you change to the
> Sernet packages ?
>
> Yes, it's in production. As I said before this setup is running for 1
> month right now, and the only problem is this:
>
> Sep 1 09:04:30 wdc winbindd[18757]: [2015/09/01 09:04:30.040198, 0]
> ../source3/winbindd/winbindd_dual.c:105(child_write_response)
> Sep 1 09:04:30 wdc winbindd[18757]: Could not write result
>
> That repeat as so many times that "winbind max clients = 800"
> configured. And then changed to:
>
> Sep 1 09:08:07 wdc winbindd[3068]: [2015/09/01 09:08:07.980952, 0]
> ../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
> Sep 1 09:08:07 wdc winbindd[3068]: winbindd: Exceeding 800 client
> connections, no idle connection found
>
> That repeats so long the samba is up, I needed to stop and start the
> samba service.
> Seems that when the first error occurs samba server maintains the
> client connection, but the client (e.g.: thunderbird, postgresql,
> Zimbra Desktop, openfire...) request a new connection to AD. Just
> making assumptions.
>
> Is selinux involved here? have you checked the logs, same goes for any
> firewall you might have installed.
>
> No Selinux (enforce = disabled). I think the firewall is not the
> problem, as it's working: Roaming profiles, Windows ACLs, GPO (Users
> and computers), LDAP, and so on.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

OK, I personally cannot see anything wrong with your setup, perhaps
someone else can see if I missed anything ? In the meantime, can you
set the loglevel to 10 and see if this brings out anything in the logs.

Rowland
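
The log sequence quoted in the message above (repeated "Could not write result" followed by "Exceeding 800 client connections"), as an added monitoring example that is not part of the original thread. The sample lines are constructed in the quoted syslog shape, and the function names and the `warn_after` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog shape quoted in the thread; not real log data.
SAMPLE = """\
Sep  1 09:04:30 wdc winbindd[18757]: [2015/09/01 09:04:30.040198,  0] ../source3/winbindd/winbindd_dual.c:105(child_write_response)
Sep  1 09:04:30 wdc winbindd[18757]:   Could not write result
Sep  1 09:04:31 wdc winbindd[18757]:   Could not write result
Sep  1 09:04:31 wdc winbindd[18760]:   Could not write result
Sep  1 09:08:07 wdc winbindd[3068]:   winbindd: Exceeding 800 client connections, no idle connection found
Sep  1 09:08:08 wdc winbindd[3068]:   winbindd: Exceeding 800 client connections, no idle connection found
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) winbindd\[(\d+)\]:\s*(.*)$")
EXCEED = re.compile(r"Exceeding (\d+) client connections, no idle connection found")

def summarize(lines):
    """Per host: count child write failures and record the first saturation event."""
    report = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a winbindd syslog line
        ts, host, pid, msg = m.groups()
        stats = report.setdefault(host, {
            "write_failures": 0, "failing_pids": Counter(),
            "saturated_at": None, "limit": None, "rejections": 0})
        if msg == "Could not write result":
            stats["write_failures"] += 1
            stats["failing_pids"][pid] += 1
            continue
        hit = EXCEED.search(msg)
        if hit:
            stats["rejections"] += 1
            if stats["saturated_at"] is None:
                stats["saturated_at"] = ts
                stats["limit"] = int(hit.group(1))
    return report

def status(stats, warn_after=2):
    """'saturated' once the client limit is hit, 'degrading' while failures pile up."""
    if stats["saturated_at"]:
        return "saturated"
    return "degrading" if stats["write_failures"] >= warn_after else "ok"

if __name__ == "__main__":
    for host, stats in summarize(SAMPLE.splitlines()).items():
        print(host, status(stats), stats["write_failures"], stats["limit"])
```

Alerting on the "degrading" state gives a warning before winbindd stops accepting clients and a restart becomes necessary.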
Rafael Domiciano
2015-Sep-02 12:59 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
Thanks Rowland for response.

OK, setup the "log level = 10".

I noticed something today. I have to restart the samba server 2 times.
In the second restart I did a named restart too. Maybe could be
something related to communication to named?

I did the named.conf conforming the wiki, adding these 2 lines:

options {
    ....
    # DNS dynamic updates via kerberos
    tkey-gssapi-keytab "/opt/samba/private/dns.keytab";
};

include "/opt/samba/private/named.conf";
Rowland Penny
2015-Sep-02 13:05 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
On 02/09/15 13:59, Rafael Domiciano wrote:
> Thanks Rowland for response.
>
> OK, setup the "log level = 10".
>
> I noticed something today. I have to restart the samba server 2 times.
> In the second restart I did a named restart too. Maybe could be
> something related to communication to named?
>
> I did the named.conf conforming the wiki, adding these 2 lines:
>
> options {
>     ....
>     # DNS dynamic updates via kerberos
>     tkey-gssapi-keytab "/opt/samba/private/dns.keytab";
> };
>
> include "/opt/samba/private/named.conf";
>

Can the 'named' user read the keytab ?

Rowland
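
One way to answer the question above, as an added example that is not part of the original thread: walk every directory on the way to the keytab and report the first component whose mode bits stop the account. The uid/gid 25 for `named`, the modes in the constructed layout and all function names are assumptions; POSIX ACLs are not evaluated.

```python
import os
import pwd
from types import SimpleNamespace

def allowed(st, uid, gids, bit):
    """Unix mode check on one object: owner class, else group, else other.
    bit: 4 = read, 1 = search (directories). ACLs and root's override are ignored."""
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & bit)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & bit)
    return bool(st.st_mode & bit)

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Return the first component that stops uid reading path, or None if readable."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    chain = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for directory in chain[:-1]:
        if not allowed(stat_fn(directory), uid, gids, 1):
            return directory
    return None if allowed(stat_fn(chain[-1]), uid, gids, 4) else chain[-1]

def ids_for(user):
    """Look up uid and group ids of a local account, e.g. ids_for("named")."""
    entry = pwd.getpwnam(user)
    return entry.pw_uid, set(os.getgrouplist(user, entry.pw_gid))

# Constructed layout for the demo: (mode, owner uid, group gid). Uid/gid 25 for
# "named" and the modes below are assumptions, not values from the thread.
FAKE = {
    "/": (0o40755, 0, 0),
    "/opt": (0o40755, 0, 0),
    "/opt/samba": (0o40755, 0, 0),
    "/opt/samba/private": (0o40700, 0, 0),
    "/opt/samba/private/dns.keytab": (0o100640, 0, 25),
}

def fake_stat(path):
    mode, uid, gid = FAKE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

KEYTAB = "/opt/samba/private/dns.keytab"

if __name__ == "__main__":
    print(first_blocker(KEYTAB, 25, {25}, fake_stat))   # parent directory blocks first
    FAKE["/opt/samba/private"] = (0o40750, 0, 25)       # grant the group search access
    print(first_blocker(KEYTAB, 25, {25}, fake_stat))
```

On a live DC, call `first_blocker(KEYTAB, *ids_for("named"))` to use the real filesystem; keeping the keytab readable only by its owner and the named group avoids exposing the Kerberos key to other local accounts.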