samba - Feb 2016 - winbind warnings filling up syslog

hasm> Every few minutes windbindd posts an error message like:
hasm>   winbindd:  ../source3/libads/ldap.c:552(ads_find_dc)
hasm>   winbindd:  ads_find_dc: name resolution for realm 'XXX.CO'
hasm>   (domain 'XXX_01') failed: NT_STATUS_NO_LOGON_SERVERS
hasm> How can I shut this thing up?  I've also seen, not sure
hasm> whether related, winbindd shooting up to 100% CPU (of this
hasm> dual core box.)

rpenny> How are you running Samba ?

Fedora 23 daily patched.
Samba is enabled and started by systemd.
Status on services smb, nmb and winbind shows them running
with no error or warning messages.

rpenny> What version of Samba ?

Seems to be 4.3.4.1:
  samba-4.3.4-1.fc23.x86_64
  samba-client-4.3.4-1.fc23.x86_64
  samba-client-libs-4.3.4-1.fc23.x86_64
  samba-common-4.3.4-1.fc23.noarch
  samba-common-libs-4.3.4-1.fc23.x86_64
  samba-common-tools-4.3.4-1.fc23.x86_64
  samba-devel-4.3.4-1.fc23.x86_64
  samba-libs-4.3.4-1.fc23.x86_64
  samba-winbind-4.3.4-1.fc23.x86_64
  samba-winbind-clients-4.3.4-1.fc23.x86_64
  samba-winbind-modules-4.3.4-1.fc23.x86_64

rpenny> Can you post (sanitized) versions of smb.conf,
rpenny> /etc/resolv.conf, /etc/krb5.conf

Below.

-- HASM


------------------------------------------------------------
/etc/resolv.conf
------------------------------------------------------------
  ;generated by /sbin/dhclient-script
  search company.com
  nameserver 10.xx.xx.xx
  nameserver 10.yy.yy.yy
  nameserver 10.zz.zz.zz
------------------------------------------------------------
/etc/krb5.conf
------------------------------------------------------------
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
 rdns = false
 default_realm = COMPANY.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 COMPANY.COM = {
 kdc = dcxx.company.com:88
 admin_server = COMPANY.COM
 default_domain = COMPANY.COM
}

[domain_realm]
  .company.com = COMPANY.COM
  company.com = COMPANY.COM
------------------------------------------------------------
/etc/samba/smb.conf
------------------------------------------------------------
[global]
 guest account = nobody
 restrict anonymous = 1
 hosts allow = 10. 127. 192.168.1.
 load printers = no
 printing = cups
 cups options = raw
 logging = systemd
 log level = 1
 map to guest = bad user
 username map = /etc/samba/smbusers
 local master = no
 domain master = no
 preferred master = no
 name resolve order = host bcast
 wins support = no

 server string = HOSTNAME (SAMBA %v)
 server signing = auto

 client ntlmv2 auth = yes
 wins server = dcxx
 security = ADS
 encrypt passwords = yes
 password server = dcxx
 workgroup = COMPANY
 winbind use default domain = yes
 realm = COMPANY.COM
------------------------------------------------------------

On 01/02/16 16:24, HASM wrote:
> hasm> Every few minutes windbindd posts an error message like:
> hasm>   winbindd:  ../source3/libads/ldap.c:552(ads_find_dc)
> hasm>   winbindd:  ads_find_dc: name resolution for realm
'XXX.CO'
> hasm>   (domain 'XXX_01') failed: NT_STATUS_NO_LOGON_SERVERS
> hasm> How can I shut this thing up?  I've also seen, not sure
> hasm> whether related, winbindd shooting up to 100% CPU (of this
> hasm> dual core box.)
>
> rpenny> How are you running Samba ?
>
> Fedora 23 daily patched.
> Samba is enabled and started by systemd.
> Status on services smb, nmb and winbind shows them running
> with no error or warning messages.
>
> rpenny> What version of Samba ?
>
> Seems to be 4.3.4.1:
>    samba-4.3.4-1.fc23.x86_64
>    samba-client-4.3.4-1.fc23.x86_64
>    samba-client-libs-4.3.4-1.fc23.x86_64
>    samba-common-4.3.4-1.fc23.noarch
>    samba-common-libs-4.3.4-1.fc23.x86_64
>    samba-common-tools-4.3.4-1.fc23.x86_64
>    samba-devel-4.3.4-1.fc23.x86_64
>    samba-libs-4.3.4-1.fc23.x86_64
>    samba-winbind-4.3.4-1.fc23.x86_64
>    samba-winbind-clients-4.3.4-1.fc23.x86_64
>    samba-winbind-modules-4.3.4-1.fc23.x86_64
>
> rpenny> Can you post (sanitized) versions of smb.conf,
> rpenny> /etc/resolv.conf, /etc/krb5.conf
>
> Below.
>
> -- HASM
>
>
> ------------------------------------------------------------
> /etc/resolv.conf
> ------------------------------------------------------------
>    ;generated by /sbin/dhclient-script
>    search company.com
>    nameserver 10.xx.xx.xx
>    nameserver 10.yy.yy.yy
>    nameserver 10.zz.zz.zz
> ------------------------------------------------------------
> /etc/krb5.conf
> ------------------------------------------------------------
> includedir /etc/krb5.conf.d/
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   forwardable = true
>   rdns = false
>   default_realm = COMPANY.COM
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>   COMPANY.COM = {
>   kdc = dcxx.company.com:88
>   admin_server = COMPANY.COM
>   default_domain = COMPANY.COM
> }
>
> [domain_realm]
>    .company.com = COMPANY.COM
>    company.com = COMPANY.COM
> ------------------------------------------------------------
> /etc/samba/smb.conf
> ------------------------------------------------------------
> [global]
>   guest account = nobody
>   restrict anonymous = 1
>   hosts allow = 10. 127. 192.168.1.
>   load printers = no
>   printing = cups
>   cups options = raw
>   logging = systemd
>   log level = 1
>   map to guest = bad user
>   username map = /etc/samba/smbusers
>   local master = no
>   domain master = no
>   preferred master = no
>   name resolve order = host bcast
>   wins support = no
>
>   server string = HOSTNAME (SAMBA %v)
>   server signing = auto
>
>   client ntlmv2 auth = yes
>   wins server = dcxx
>   security = ADS
>   encrypt passwords = yes
>   password server = dcxx
>   workgroup = COMPANY
>   winbind use default domain = yes
>   realm = COMPANY.COM
> ------------------------------------------------------------		
>
>
OK, based on the fact you are running Fedora and have virtually have no 
winbind lines in smb.conf, you are probably running sssd. In which case, 
you could try turning winbind off, later version of sssd come with the 
their own version of libwinbind.

Rowland

rpenny> OK, based on the fact you are running Fedora and
rpenny> have virtually have no winbind lines in smb.conf,

Seems I cut off my smb.conf short.  I do have these two
lines that may be winbind related:

  idmap config * : backend = tdb
  idmap config * : range = 1000-199999

rpenny> you are probably running sssd.

Great, another daemon to read about in my spare time:-).
I've been ignoring that thing since it showed up.

rpenny> In which case, you could try turning winbind off

I stopped and disabled sssd instead, then restarted smb,
nmb, winbind, and already have a couple of winbindd warning
lines in the logs:

  winbindd:  ads_find_dc: name resolution for realm 'XXX.CO'
    (domain 'XXX_01') failed: NT_STATUS_NO_LOGON_SERVERS

-- HASM