Good morning, Samba list. =)
I've been experiencing intermittent winbind failures over the past few
weeks. The symptom is that users that haven't connected in a while, and
thus aren't in the winbind cache, are unable to connect to any shares. I
see a lot of NT_STATUS_PIPE_BROKEN in the logs when the failures occur, like
this one from log.winbind:
###
[2011/04/26 09:20:54.671225, 5]
winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-1060284298-1450960922-725345543-818338:
NT_STATUS_PIPE_BROKEN
###
At the same time, this is from log.somehostname:
###
[2011/04/26 09:17:30.597274, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [coolusername] ->
[coolusername] FAILED with error NT_STATUS_NO_SUCH_USER
###
A few minutes later, I restarted winbind and everything was groovy again.
Users that are still cached seem to work fine, sometimes for hours. It's
only _some_ new connections that exhibit this problem. Restarting winbindd
fixes the issue 100% of the time. I've tried to figure out how to
'detect' when winbind has crapped out on me, but wbinfo -tp, and net ads
testjoin all return what would be expected. Most of the time, `id username`
works fine, too, for users that are most certainly not cached.
I also see a lot of noise in the logs about "more than 200 winbind
connections, cleaning up idle connections". This particular server usually
has at least 400 client connections all the time, and a good chunk of those are
rather active (distributed renderfarm). I see that smb.conf will recognize
"winbind max clients" in 3.6. I also understand that I could change
WINBINDD_MAX_SIMULTANEOUS_CLIENTS and recompile a new winbindd, but that's
not an option for me for a few weeks.
Output from uname -a:
Linux cias-files 2.6.32-5-amd64 #1 SMP Mon Mar 7 21:35:22 UTC 2011 x86_64
GNU/Linux
I'm using Samba 3.5.6 on Debian Squeeze in ADS mode joined to a 2008R2
domain. I'm using the RID idmap backend.
Any thoughts on how I can further troubleshoot/debug this problem? Do you think
that the 200 clients thing is an issue for me?
Thanks!
~Jay
--
Jay Sullivan
CIAS::RIT
jay.sullivan at rit.edu<mailto:jay.sullivan at rit.edu>
