Hello,

I have tried posting to comp.protocols.smb with no luck. Please help.

I am running:

Slackware 9.0 (x86)
kernel 2.4.21
samba 3.0b3
MIT kerberos5 v1.2.7

I am testing samba 3.0b3 as part of migrating my site to Active Directory. Compiles/installs OK. When winbindd is started, it looks for the list of trusted domains and then queries those domains for user/group info. When I have the samba3b3 box joined to an NT4 domain, it takes about 15 minutes to get this info from all domains. (roughly 60000+ user accounts in many domains.)

When the machine is joined to the AD domain, though, it gets a list of IP's for each domain on servers it can try to get the user/group data from. Many of the IP addresses it is obtaining are bad in almost every domain it contacts (cannot nslookup, ping, traceroute, or query WINS with any results). Winbindd just sits there until it times out, then tries the next one. The problem is that it takes many HOURS of waiting to get a full list generated so that I can run 'getent passwd'. Then I have to start the wait all over again so that 'getent group' works also. Once winbindd is queried, the test box is useless from the network until it's done (including plain Linux stuff like ssh).

Everything is fine at this point until I restart winbindd, then the whole thing starts over again.

These are my questions:

I thought that winbindd was supposed to cache all this info. Why doesn't it read the cache when it's restarted instead of getting new information?

Is there something that can be done to tell winbindd not to try to query servers that aren't actually up?

Where is this list of IP's coming from? Are these a bunch of dead accounts being reported from some Server Manager on a PDC?

Any info would be greatly appreciated.

On 4 Aug 2003, Chris Douglass wrote:

> Hello,
> I have tried posting to comp.protocols.smb with no luck. Please help.
> I am running:
> Slackware 9.0 (x86)
> kernel 2.4.21
> samba 3.0b3
> MIT kerberos5 v1.2.7
>
> I am testing samba 3.0b3 as part of migrating my site to Active
> Directory. Compiles/installs OK. When winbindd is started, it looks for
> the list of trusted domains and then queries those domains for
> user/group info. When I have the samba3b3 box joined to an NT4 domain,
> it takes about 15 minutes to get this info from all domains. (roughly
> 60000+ user accounts in many domains.)
>
> When the machine is joined to the AD domain, though, it gets a list of
> IP's for each domain on servers it can try to get the user/group data
> from. Many of the IP addresses it is obtaining are bad in almost every
> domain it contacts (cannot nslookup, ping, traceroute, or query WINS
> with any results). Winbindd just sits there until it times out, then
> tries the next one. The problem is that it takes many HOURS of waiting
> to get a full list generated so that I can run 'getent passwd'. Then I
> have to start the wait all over again so that 'getent group' works also.
> Once winbindd is queried, the test box is useless from the network until
> it's done (including plain Linux stuff like ssh)
> Everything is fine at this point until I restart winbindd, then the
> whole thing starts over again.

You have a DNS or name server problem. Fix that.

> These are my questions:
>
> I thought that winbindd was supposed to cache all this info. Why doesn't
> it read the cache when it's restarted instead of getting new
> information?

It does cache; on-disk cache works well but does not contain everything. Failed connection caches are in memory, so they are reset upon restart. Once we get a connection we hold onto it as long as possible.

> Is there something that can be done to tell winbindd not to try to query
> servers that aren't actually up?

Fix your name service.

> Where is this list of IP's coming from? Are these a bunch of dead
> accounts being reported from some Server Manager on a PDC?

Are you using security = ads? Probably from a SRV record in DNS for _ldap._tcp.<your domain>

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)

-----Original Message-----
From: Gerald (Jerry) Carter
To: Chris Douglass
Cc: samba@lists.samba.org
Sent: 8/7/2003 11:11 PM
Subject: Re: [Samba] winbind timeouts

On 4 Aug 2003, Chris Douglass wrote:

>> Hello,
>> I have tried posting to comp.protocols.smb with no luck. Please help.
>> I am running:
>> Slackware 9.0 (x86)
>> kernel 2.4.21
>> samba 3.0b3
>> MIT kerberos5 v1.2.7
>>
>> I am testing samba 3.0b3 as part of migrating my site to Active
>> Directory. Compiles/installs OK. When winbindd is started, it looks for
>> the list of trusted domains and then queries those domains for
>> user/group info. When I have the samba3b3 box joined to an NT4 domain,
>> it takes about 15 minutes to get this info from all domains. (roughly
>> 60000+ user accounts in many domains.)
>>
>> When the machine is joined to the AD domain, though, it gets a list of
>> IP's for each domain on servers it can try to get the user/group data
>> from. Many of the IP addresses it is obtaining are bad in almost every
>> domain it contacts (cannot nslookup, ping, traceroute, or query WINS
>> with any results). Winbindd just sits there until it times out, then
>> tries the next one. The problem is that it takes many HOURS of waiting
>> to get a full list generated so that I can run 'getent passwd'. Then I
>> have to start the wait all over again so that 'getent group' works also.
>> Once winbindd is queried, the test box is useless from the network until
>> it's done (including plain Linux stuff like ssh)
>> Everything is fine at this point until I restart winbindd, then the
>> whole thing starts over again.

> You have a DNS or name server problem. Fix that.

Since posting I have come to this conclusion also. My local domains are no problem. Another IT dept is in charge of corporate wide DNS, and does not allow AD zones to be replicated upstream. Therefore AD DC's have an A record (authoritative) at the Corporate DNS servers, but no SRV records. I'm planning on fixing this by slaving zones from the other AD sites. Unfortunately the real problem domain is NT4.

>> These are my questions:
>>
>> I thought that winbindd was supposed to cache all this info. Why doesn't
>> it read the cache when it's restarted instead of getting new
>> information?

> It does cache; on-disk cache works well but does not contain
> everything.
> Failed connection caches are in memory, so they are reset upon restart.
> Once we get a connection we hold onto it as long as possible.

>> Is there something that can be done to tell winbindd not to try to query
>> servers that aren't actually up?

> Fix your name service.

>> Where is this list of IP's coming from? Are these a bunch of dead
>> accounts being reported from some Server Manager on a PDC?

> Are you using security = ads? Probably from a SRV record in DNS for
> _ldap._tcp.<your domain>

Yes I am; but the offending domain is not AD. With an NT4 domain, this would be WINS only, right? I have 4 corporate wide WINS servers available to me. If I do 'net lookup dc <PROBLEM_NT4_DOMAIN>' I get a list of 24 IP's. Almost 1/2 of them have no entry in DNS, and 'wbinfo -I' also shows no hostname. Barring a bad master browse list, where else can this come from?

Thanks again,
Chris

> cheers, jerry
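
Added example, not part of the thread and not Samba code: a small Python triage script for the situation discussed above, where a DC lookup returns many addresses and roughly half are dead. It probes each candidate in parallel with a bounded timeout and reports which ones have no PTR record and no open SMB port. The function names, the port list (445 and 139) and the sample addresses are assumptions made for this illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: a live DC answers on direct SMB (445) or NetBIOS session (139).
DC_PORTS = (445, 139)

def probe(ip, port, timeout=2.0):
    """One bounded TCP connect: 'open', 'refused' or 'unreachable'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and no-route errors land here
        return "unreachable"

def reverse_name(ip):
    """PTR lookup; None when the address has no DNS entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def triage(candidates, ports=DC_PORTS, timeout=2.0, resolve=True):
    """Probe candidates in parallel so dead hosts do not add up serially."""
    def check(ip):
        states = {port: probe(ip, port, timeout) for port in ports}
        return ip, {
            "ptr": reverse_name(ip) if resolve else None,
            "ports": states,
            "alive": "open" in states.values(),
        }
    with ThreadPoolExecutor(max_workers=32) as pool:
        return dict(pool.map(check, candidates))

def stale(report):
    """Addresses with no open DC port: candidates for cleanup in WINS/DNS."""
    return sorted(ip for ip, r in report.items() if not r["alive"])

if __name__ == "__main__":
    # Constructed sample list (TEST-NET-1 addresses), standing in for the
    # IPs printed by 'net lookup dc <domain>'.
    sample = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    report = triage(sample, timeout=1.0, resolve=False)
    for ip in sample:
        print(ip, report[ip]["ports"], report[ip]["ptr"])
    print("stale:", stale(report))
```

The addresses returned by `stale()` are the ones worth taking to whoever administers the WINS or DNS data.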