Geoff Oakham
2005-Jul-12 22:43 UTC
[Samba] winbind + pam - caching + intermittant delay ==~ bug?
Hi everybody,

I think I've found a bug in winbind, or I'm out to lunch and in need of help configuring winbind. Basically, it's working great except once in a while it takes 2-5 minutes for a single authentication. I've also seen symptoms that winbind isn't caching credentials.

Here are my details:

* For testing purposes, proftpd was configured to authenticate only against winbind. I used this pam config:

    auth required pam_winbind.so debug
    account required pam_winbind.so debug

* Samba was previously set up to participate in the local domain. It works, you can connect to the file shares and everything's happy. (The configuration file is included below.)
* The domain controllers are running Server 2003, but are otherwise in good health.
* There is network activity for each authentication request (successful or otherwise).
* There is a log entry on the domain controller for each authentication attempt.
* Even with debugging turned on, the logs on the Linux box don't report anything insightful. (Ask me if you want to see them anyways!)

The smb.conf looks like this:

    [global]
    workgroup = KEWL
    server string = %h server (Samba %v)
    ; wins support = no
    wins server = 10.1.0.2
    dns proxy = no
    ; name resolve order = lmhosts host wins bcast
    log file = /var/log/samba/log.%m
    log level = 10
    max log size = 1000
    ; syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = domain
    encrypt passwords = true
    passdb backend = tdbsam guest
    obey pam restrictions = yes
    invalid users = root
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    socket options = TCP_NODELAY
    ;; winbind separator = '\'
    winbind cache time = 300
    template shell = /bin/bash
    template homedir = /home/%D/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    password server = 10.1.0.2, 10.1.0.3, *

    [shared snipped] ...

If anyone has any suggestions or has had a similar experience, I would be happy to hear from you!

Thanks in advance for your help,
Geoff
Xim Tur i Massanet
2005-Jul-13 01:56 UTC
[Samba] winbind + pam - caching + intermittant delay ==~ bug?
Geoff Oakham wrote:
> Hi everybody,
>
> I think I've found a bug in winbind, or I'm out to lunch and in need of
> help configuring winbind. Basically, it's working great except once
> in a while it takes 2-5 minutes for a single authentication. I've also
> seen symptoms that winbind isn't caching credentials.

I had similar symptoms. The problem was that winbind stopped resolving user and group names for this period. A simple "ps aux" also took some minutes if there was a process owned by a domain user.

These delays disappeared after moving security from "domain" to "ads" and joining the domain as a 2k server. This helped me.

Good luck!
Ximo
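
Added example, not part of the original thread or of Samba: a small diagnostic for the symptom described in the reply above, where uid-to-name resolution stalls for processes owned by domain users. It times one NSS lookup per UID that owns a running process and flags slow or failed lookups inside the `idmap uid` range from the posted smb.conf; the function names and the 2-second threshold are assumptions chosen for illustration.

```python
import os
import pwd
import time

# "idmap uid = 10000-20000" from the smb.conf posted in the thread
IDMAP_UID_RANGE = range(10000, 20001)

def process_uids(proc_root="/proc"):
    """Return the set of UIDs that own running processes (Linux /proc)."""
    uids = set()
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                uids.add(os.stat(os.path.join(proc_root, entry)).st_uid)
            except OSError:
                pass  # process exited while we were scanning
    return uids

def time_lookups(uids, resolve=pwd.getpwuid, clock=time.monotonic, slow_after=2.0):
    """Time one uid -> name lookup per UID; slow_after is an assumed threshold."""
    results = []
    for uid in sorted(uids):
        start = clock()
        try:
            name = resolve(uid).pw_name
        except KeyError:
            name = None  # NSS answered "no such user"
        elapsed = clock() - start
        results.append({
            "uid": uid,
            "name": name,
            "seconds": elapsed,
            "winbind_mapped": uid in IDMAP_UID_RANGE,
            "slow": elapsed >= slow_after,
        })
    return results

def stalled(results):
    """UIDs in the idmap range whose lookup was slow or returned no name."""
    return [r["uid"] for r in results
            if r["winbind_mapped"] and (r["slow"] or r["name"] is None)]

if __name__ == "__main__":
    for r in time_lookups(process_uids()):
        flag = "SLOW" if r["slow"] else "ok"
        print(f'{r["uid"]:>6} {str(r["name"]):<24} {r["seconds"]:8.3f}s {flag}')
```

Run it during one of the delays and again when logins are fast: slow entries only in the 10000-20000 range point at winbind name resolution rather than at PAM or proftpd.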