Ron Creamer
2002-Mar-20 10:23 UTC
[Samba] "Insufficient system resources.." Winbindd throttles PDC's SAM?
Cross Posting to comp.protocols.smb Here's the scenario: RH 7.2 server running Samba 2.2.3a with winbindd. Our PDC is NT 4 based. Samba server uses "security = domain", "password server = *". o I am able to join server to the domain. o wbinfo -t works. So does wbinfo -g and wbinfo -u (initially). o Server successfully logs samba clients on and maps them to the UNIX accounts. o Samba life is good I don't know if it is because of all the mapping going on or what, but after about 4-6 hours. I get the following symptoms: o wbinfo -u or wbinfo -t produces "Error looking up domain users" o wbinfo -t still says "secret is good" o /var/log/samba/smbd.log shows nothing important o /var/log/samba/winbindd shows: [timestamp] nsswitch/winbindd_group.c:winbindd_getgrent(736) could not lookup domain group MYDOMAIN+mygroup o "getent group" and "getent password" fail to get my winbindd (NT Domain) accounts o I log on to the PDC (NT4 sp6a + latest patches) and try to run "User Manager for Domains". I get the following error: "Insufficient system resources exist to complete the requested service." "Do you want to select another domain to administer"? o netstat -a shows about 35 STREAM connections to /tmp/.winbindd/pipe o I need to restart the PDC (not samba) and all is fine. Or, if I kill off winbindd and restart it (leaving PDC alone).. all is well Microsoft Knowledgebase article Q191634 http://support.microsoft.com/default.aspx?scid=kb;EN-US;q191634 "When a user logs on to a domain in which group policies are implemented, a \PIPE\samr connection is established with the PDC to verify group membership for this user. After the verification process, the \PIPE\samr connection is not released. These \PIPE\samr connections eventually exceed the limit of 2,048. After this limit is reached, no new processes requiring security account manager (SAM) access can connect to the PDC until you restart the computer. Server Manager and User Manager for Domains require a connection to the PDC for domain administration. Their failure to make this connection results in the preceding error message." They claim upgrade to service pack 4 (I'm running 6a). It didn't help. Is samba's winbindd not releasing the pipe connections it no longer needs on the PDC? It's not a large network. Only about 25 users, of which only 8-10 are accessing samba. 'Tis quite inconvenient to restart the PDC every few hours ;) Has anybody seen this? Any help would be appreciated. -Ron