> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Heiko Wundram via samba
> Sent: Thursday, 22 August 2019 16:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind timeouts/hangs(?)
>
> On 22.08.2019 15:31, Rowland penny via samba wrote:
> > Sorry, but you cannot rely on the output of 'id' to identify your
> > users' group memberships. Having said that, I wouldn't have thought it
> > would take 60 secs to do nothing ;-)
>
> That's clear and I know, but I can rely on login sessions to have the
> correct groups when Kerberos has completed. That's what this (and also
> recursive group membership) is about; it's a shared directory which is
> used by several users to store files which are then hosted by an Apache
> webserver (with the directory in question having g+s, and default ACLs
> for a shared group). So, yeah, I do know the limitations of winbind. ;-)
>
> > Please post your smb.conf.
>
> Anyway, here goes:
>
> [global]
> security = ADS
> workgroup = <wg>

wg = <WG>

> realm = <domain>

!!!! realm = <REALM>   realm is not <domain> !!!!

>
> idmap config * : backend = tdb
> idmap config * : range = 60001-65000
>
> idmap config <wg> : backend = rid
> idmap config <wg> : range = 65001-100000
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum users = yes
> winbind enum groups = yes

Set the 2 enum to no.

> allow trusted domains = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> client signing = auto
> server signing = auto

Remove these 2.

>
> bind interfaces only = yes
> interfaces = lo eth0
>
> So, nothing out of the ordinary; I've replaced workgroup and domain by
> placeholders.
>
> krb5.conf is set up as follows:
>
> [libdefaults]
> default_realm = <domain>

!!!! realm = <REALM>   realm is not <domain> !!!!

> ticket_lifetime = 1d
> clockskew = 300
> forwardable = true
> proxiable = true
> dns_lookup_realm = true

dns_lookup_realm = false

> dns_lookup_kdc = true
>
> [realms]
> <domain> = {
> auth_to_local = RULE:[1:<wg>\$1]
> }
>
> with the same placeholders.
>
> Thanks for any hints!
>
> --
> --- Heiko.
>

I really advise to keep some parts CAPS, not caps; correct.

So in smb.conf:

Netbios    = IN-CAPS
Workgroup  = IN-CAPS
REALM      = IN-CAPS
dns-domain = no-caps
dns-search = no-caps

Small things, but these small things help a lot!

Greetz,

Louis
On 22.08.2019 16:44, L.P.H. van Belle via samba wrote:
>> winbind enum users = yes
>> winbind enum groups = yes
> Set the 2 enum to no.

Changed this and...

>> dns_lookup_realm = true
>
> dns_lookup_realm = false

also this one; I understand what they do, and I don't rely on either (as the host is not bound to any other Kerberos domain). The casing is clear; I just made the placeholders lowercase. And of course domain is the realm, but Windows does call it domain. ;-)

Anyway, I restarted winbind, but the logs show that shortly after the restart, there was another winbindd_getgroups_state timeout.

I've also checked DNS and network reachability of the DCs from the host (one of the DCs isn't at the location of the host, but rather tunnelled), but that is definitely correct.

Any other hints on where I might look/what I might try to debug why the wb_domain_request_state/wb_child_request_state times out like it does/takes so long?

--
--- Heiko.
Hmm, your config looks ok.

You were running Debian buster 4.9.5; you could try my 4.9.11/4.10.6 packages of Debian sid/testing, its 4.9.11 package.

And since you're using VPN, check that also.
https://www.atlantic.net/cloud-hosting/how-to-mtr-understanding-troubleshooting-network-connectivity/

My bet is that this part is your problem, or an unstable VPN, or too big MTU requests.

Check if it helps if you add in resolv.conf:
options edns0

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Heiko Wundram via samba
> Sent: Thursday, 22 August 2019 17:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind timeouts/hangs(?)
>
> On 22.08.2019 16:44, L.P.H. van Belle via samba wrote:
> >> winbind enum users = yes
> >> winbind enum groups = yes
> > Set the 2 enum to no.
>
> Changed this and...
>
> >> dns_lookup_realm = true
> >
> > dns_lookup_realm = false
>
> also this one; I understand what they do, and I don't rely on either (as
> the host is not bound to any other Kerberos domain). The casing is clear;
> I just made the placeholders lowercase. And of course domain is the
> realm, but Windows does call it domain. ;-)
>
> Anyway, I restarted winbind, but the logs show that shortly after the
> restart, there was another winbindd_getgroups_state timeout.
>
> I've also checked DNS and network reachability of the DCs from the host
> (one of the DCs isn't at the location of the host, but rather
> tunnelled), but that is definitely correct.
>
> Any other hints on where I might look/what I might try to debug why the
> wb_domain_request_state/wb_child_request_state times out like it
> does/takes so long?
>
> --
> --- Heiko.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
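The configuration advice in the two replies above (realm and workgroup in upper case, the two winbind enum options off, the explicit signing options dropped, dns_lookup_realm off, and edns0 in resolv.conf) is easy to check mechanically. The following script is an added example, not code from the Samba project or from anyone on this thread: it reads smb.conf, krb5.conf and resolv.conf with a minimal INI-style parser and reports each setting that deviates from that advice. The three sample files are constructed inline with made-up placeholder values (example.lan, 10.0.0.1); nested `{ }` blocks in krb5.conf are skipped because nothing in the advice concerns them.

```python
import re
from typing import Dict, List

# Constructed sample files mirroring the thread's configuration with
# placeholder values; they are not anyone's real configuration.
SMB_CONF_BEFORE = """\
[global]
   security = ADS
   workgroup = example
   realm = example.lan

   idmap config * : backend = tdb
   idmap config * : range = 60001-65000
   idmap config example : backend = rid
   idmap config example : range = 65001-100000

   winbind enum users = yes
   winbind enum groups = yes
   client signing = auto
   server signing = auto
"""

KRB5_CONF_BEFORE = """\
[libdefaults]
   default_realm = example.lan
   dns_lookup_realm = true
   dns_lookup_kdc = true

[realms]
   example.lan = {
      auth_to_local = RULE:[1:example\\$1]
   }
"""

RESOLV_CONF_BEFORE = "nameserver 10.0.0.1\nsearch example.lan\n"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for smb.conf / krb5.conf style files.

    Keys are lowercased with internal whitespace collapsed so that
    'winbind enum users' is found regardless of spacing; nested '{ }'
    blocks (krb5.conf [realms] entries) are skipped entirely.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth > 0:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb(text: str) -> List[str]:
    g = parse_ini(text).get("global", {})
    findings = []
    for key in ("workgroup", "realm"):
        val = g.get(key)
        if val and val != val.upper():
            findings.append(f"smb.conf: '{key} = {val}' should be upper case ({val.upper()})")
    for key in ("winbind enum users", "winbind enum groups"):
        # Enumeration walks the whole domain on getpwent/getgrent; the thread says set both to no.
        if is_yes(g.get(key, "no")):
            findings.append(f"smb.conf: '{key} = yes'; set it to no")
    for key in ("client signing", "server signing"):
        if key in g:
            findings.append(f"smb.conf: '{key}' set explicitly; drop it and rely on the default")
    return findings


def lint_krb5(text: str) -> List[str]:
    ld = parse_ini(text).get("libdefaults", {})
    findings = []
    realm = ld.get("default_realm")
    if realm and realm != realm.upper():
        findings.append(f"krb5.conf: 'default_realm = {realm}' should be upper case ({realm.upper()})")
    if is_yes(ld.get("dns_lookup_realm", "false")):
        findings.append("krb5.conf: 'dns_lookup_realm = true'; set it to false for a static realm")
    return findings


def lint_resolv(text: str) -> List[str]:
    opts = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "options":
            opts.update(parts[1:])
    return [] if "edns0" in opts else ["resolv.conf: no 'options edns0' line"]


def lint_all(smb: str, krb5: str, resolv: str) -> List[str]:
    return lint_smb(smb) + lint_krb5(krb5) + lint_resolv(resolv)


if __name__ == "__main__":
    for finding in lint_all(SMB_CONF_BEFORE, KRB5_CONF_BEFORE, RESOLV_CONF_BEFORE):
        print(finding)
```

Run against the real files (`lint_all(open('/etc/samba/smb.conf').read(), open('/etc/krb5.conf').read(), open('/etc/resolv.conf').read())`) it prints one line per deviation; an empty result means the files match the advice given above, nothing more.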
Hey,

On 23.08.2019 11:13, L.P.H. van Belle via samba wrote:
> You were running Debian buster 4.9.5; you could try my 4.9.11/4.10.6
> packages of Debian sid/testing, its 4.9.11 package.

same behaviour with testing (4.9.11), tested that already.

As I already wrote, I've definitely checked the networking, and that's all fine. There are no network packets generated by winbind when the hangs occur, and there is no explicit correlation between network activity of winbind and the hangs.

From what I can see (after having some sleep, my google-fu seems to be better), I'm probably hitting an interoperability problem with sssd:

https://bugzilla.samba.org/show_bug.cgi?id=13815

The description of the original CentOS bug doesn't contain log messages similar to mine, but describes pretty much the same behaviour (i.e., lookup of non-existent local accounts, in my case from ssh brute-forces on a webserver, causing winbind timeouts eventually due to recursive nss calls). The RedHat bug for sssd isn't open, so I can't check whether the referenced patch has already been integrated into Debian (I guess not...), but switching the order of winbind and sssd and putting the latter last (which is fine in the environment that I use winbind in) seems to at least cause the timeouts to disappear; I'm not 100% certain that the problems are fixed, because ps auxf sometimes still "hangs" for a while, but at least it looks better than before.

I'll try to get some more info on the sssd fix; possibly opening a Debian bug report for that should be worth it.

Thanks for the hints and I'm hoping that this fixes things for now!

--
--- Heiko Wundram.
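The workaround Heiko lands on is purely an ordering change in /etc/nsswitch.conf: for the passwd and group databases, `winbind` is consulted before `sss`, so a lookup for a non-existent local account no longer enters sssd first. The following script is an added example, not code from Samba, sssd or this thread. It parses the nsswitch.conf format (`database: source [action] source ...`), reports every database in which `sss` precedes `winbind`, and can emit a reordered copy; the two sample files are constructed. Lines that carry `[action]` groups are reported but left untouched by the rewrite, since moving a source across an action changes its meaning.

```python
import re
from typing import Dict, List

# Constructed sample nsswitch.conf contents (not from any real host).
NSSWITCH_BEFORE = """\
# /etc/nsswitch.conf
passwd:         files sss winbind
group:          files sss winbind
shadow:         files sss
hosts:          files dns
"""

NSSWITCH_AFTER = """\
passwd:         files winbind sss
group:          files winbind sss
shadow:         files sss
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} with '[action]' groups removed."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        # '[NOTFOUND=return]' and friends qualify the preceding source; drop them
        # so the remaining tokens are the ordered list of sources.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[db.strip()] = rest.split()
    return dbs


def check_order(text: str, first: str = "winbind", last: str = "sss") -> List[str]:
    """Report databases where `last` is consulted before `first`."""
    findings = []
    for db, sources in parse_nsswitch(text).items():
        if first in sources and last in sources and sources.index(last) < sources.index(first):
            findings.append(f"{db}: '{last}' precedes '{first}' ({' '.join(sources)}); move '{last}' last")
    return findings


def reorder(text: str, first: str = "winbind", last: str = "sss") -> str:
    """Return a copy of `text` with `last` moved to the end of each database
    line that names both sources. Lines with '[action]' groups are kept as-is."""
    out = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0]
        if ":" in code and "[" not in code:
            db, _, rest = code.partition(":")
            sources = rest.split()
            if first in sources and last in sources:
                sources = [s for s in sources if s != last] + [last]
                out.append(f"{db.strip()}: {' '.join(sources)}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_order(NSSWITCH_BEFORE):
        print(finding)
    print(reorder(NSSWITCH_BEFORE))
```

`check_order(open('/etc/nsswitch.conf').read())` is enough to audit a host; note that this only changes which NSS source answers first and does not address the sssd behaviour referenced in the bug above, so the rewrite should be treated as the same workaround Heiko describes, not as a fix.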