Hey,

On 23.08.2019 11:13, L.P.H. van Belle via samba wrote:
> You were running Debian buster 4.9.5, you could try my 4.9.11/4.10.6
> package of debian sid/testing, it's 4.9.11 package.

same behaviour with testing (4.9.11), tested that already. As I already wrote, I've definitely checked the networking, and that's all fine. There are no network packets generated by winbind when the hangs occur, and there is no explicit correlation between network activity of winbind and the hangs.

From what I can see (after having some sleep, my google-fu seems to be better), I'm probably hitting an interoperability problem with sssd:

https://bugzilla.samba.org/show_bug.cgi?id=13815

The description of the original CentOS bug doesn't contain log messages similar to mine, but describes pretty much the same behaviour (i.e., lookup of non-existent local accounts, in my case from ssh brute-forces on a webserver, causing winbind timeouts eventually due to recursive nss calls). The Red Hat bug for sssd isn't open, so I can't check whether the referenced patch has already been integrated into Debian (I guess not...), but switching the order of winbind and sssd and putting the latter last (which is fine in the environment that I use winbind in) seems to at least cause the timeouts to disappear; I'm not 100% certain that the problems are fixed, because ps auxf sometimes still "hangs" for a while, but at least it looks better than before.

I'll try to get some more info on the sssd fix; possibly opening a Debian bug report for that should be worth it. Thanks for the hints and I'm hoping that this fixes things for now!

--
--- Heiko Wundram.
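A way to check which of the two orders described in the message above a host is using. This is an added example, not part of the original thread; it assumes the NSS service names "sss" (sssd) and "winbind" (Samba), and the function name nss_order and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether sss or winbind is consulted first for one
# NSS database in an nsswitch.conf-style file.

# nss_order FILE DB prints one of:
#   sss-first      sss is listed before winbind (the order the post moved away from)
#   winbind-first  winbind is listed before sss (sssd last, as in the post)
#   not-both       the database is absent or does not list both services
nss_order() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                     # drop comments
        $1 == (db ":") {
            s = 0; w = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue       # skip [NOTFOUND=return] actions
                if ($i == "sss" && !s) s = i
                if ($i == "winbind" && !w) w = i
            }
            if (s && w) print (s < w ? "sss-first" : "winbind-first")
            else print "not-both"
            found = 1
            exit
        }
        END { if (!found) print "not-both" }
    ' "$1"
}

# Constructed sample: sssd for LDAP users, winbind for the Windows domain.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:  files systemd sss winbind   # sss consulted before winbind
group:   files systemd winbind sss   # sssd moved last
shadow:  files
EOF

for db in passwd group shadow; do
    printf '%s: %s\n' "$db" "$(nss_order "$sample" "$db")"
done
rm -f "$sample"
```

On a live system the first argument would be /etc/nsswitch.conf.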
On 23/08/2019 11:22, Heiko Wundram via samba wrote:
> Hey,
>
> On 23.08.2019 11:13, L.P.H. van Belle via samba wrote:
>> You were running Debian buster 4.9.5, you could try my 4.9.11/4.10.6
>> package of debian sid/testing, it's 4.9.11 package.
>
> same behaviour with testing (4.9.11), tested that already. As I
> already wrote, I've definitely checked the networking, and that's all
> fine. There are no network packets generated by winbind when the hangs
> occur, and there is no explicit correlation between network activity
> of winbind and the hangs.
>
> From what I can see (after having some sleep, my google-fu seems to be
> better), I'm probably hitting an interoperability problem with sssd:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13815
>
> The description of the original CentOS bug doesn't contain log
> messages similar to mine, but describes pretty much the same behaviour
> (i.e., lookup of non-existent local accounts, in my case from ssh
> brute-forces on a webserver, causing winbind timeouts eventually due
> to recursive nss calls). The Red Hat bug for sssd isn't open, so I
> can't check whether the referenced patch has already been integrated
> into Debian (I guess not...), but switching the order of winbind and
> sssd and putting the latter last (which is fine in the environment
> that I use winbind in) seems to at least cause the timeouts to
> disappear; I'm not 100% certain that the problems are fixed, because
> ps auxf sometimes still "hangs" for a while, but at least it looks
> better than before.
>
> I'll try to get some more info on the sssd fix; possibly opening a
> Debian bug report for that should be worth it. Thanks for the hints
> and I'm hoping that this fixes things for now!
>

Do not bother, I take it you missed that Red Hat (who produces sssd) no longer supports using sssd with Winbind.

So your cure is obvious:

apt-get purge sssd

This would also explain why winbind seems to be doing nothing, because it is doing nothing, sssd is doing the authentication.

Rowland
Hello Rowland,

On 23.08.2019 13:12, Rowland Penny via samba wrote:
> Do not bother, I take it you missed that Red Hat (who produces sssd)
> no longer supports using sssd with Winbind. So your cure is obvious:
> apt-get purge sssd

as I'm not using sssd and winbind for the same authentication domain (rather, winbind is for a Windows domain, sssd for an LDAP-based authentication domain, and the usernames don't overlap), my only solution would be to switch to sssd completely, which is definitely possible thanks to idmap_sss (i.e., there's interoperability between winbind and sssd when both go against the same domain, as not having any integration would break all the other Samba services when working with sssd).

So, anyway, this comment is neither correct (Red Hat explicitly states how to configure winbind/samba to work in tandem with sssd) nor applicable to my situation.

Thanks anyway.

--
--- Heiko Wundram.