M Z
2013-Apr-28 18:47 UTC
[Samba] AD client can't connect to share after winbind cache expires [Samba 3.4.12 on Gentoo]
Hello,

we're using Samba 3.4.12 on older installation of Gentoo (2.6.34-gentoo-r12) to serve files to AD users and after Samba restart, users can't connect to shared folders.

Error on client side:
session setup failed: NT_STATUS_LOGON_FAILURE

Errors on server side:
Get_Pwnam_internals didn't find user [user]!
check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_NO_SUCH_USER

wbinfo -i user returns "Could not get info for user"

BUT wbinfo -u, wbinfo -g work (list all >30K AD users,groups), also getent passwd, group work (list all local and AD users/groups), and after issuing wbinfo -u, the user is able to log in and access shared files - and at the same time the wbinfo -i user works as expected, returning line from /etc/passwd with AD account.

After 5 minutes (default winbind cache is 5 minutes) it's in original state again - user can't log in and wbinfo -i doesn't work again.

So quick summary - I have to issue wbinfo -u to populate winbind cache to be able to log in with AD account. After the cache expires, the AD accounts can't log in anymore.

smb.conf:

[global]
netbios name = MSVMSVFMGT01
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap alloc backend = tdb
idmap uid = 10000-100000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = DC
os level = 20
winbind enum groups = yes
socket address = 10.1.73.250
password server = *
preferred master = no
winbind separator = +
max log size = 500
log level = 10
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = DC.REALM.SK
security = ADS
# wins server = ip of your wins server
wins proxy = no

/etc/nsswitch.conf:

passwd: compat winbind
shadow: compat winbind
group: compat winbind
...

log.winbindd (when wbinfo -i issued and fails)

[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 22
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn INTERFACE_VERSION
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [16641]: request interface version
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [16641]: request location of privileged pipe
[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 25
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn GETPWNAM
[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [16641]: getpwnam DC+matej.zary
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337ab2fc60
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/999972
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337ab2fc60 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337aab2030
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/999977
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337aab2030 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 5] winbindd/winbindd_async.c:296(lookupname_recv2)
  lookup_name returned an error
[2013/04/28 20:39:45, 5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user DC+matej.zary

Any ideas where to look further? Many thanks...

Best Regards

Matej Zary
Marc Muehlfeld
2013-May-01 22:01 UTC
[Samba] AD client can't connect to share after winbind cache expires [Samba 3.4.12 on Gentoo]
Hello Matej,

On 28.04.2013 20:47, M Z wrote:
> ...
>
> wbinfo -u, wbinfo -g work (list all >30K AD users,groups) also getent
> passwd, group work (list all local and AD users/groups)
>
> ...
>
> So quick summary - I have to issue wbinfo -u to populate winbind cache to
> be able to log in with AD account. After the cache expires, the AD accounts
> can't log in anymore.
>
> smb.conf:
>
> ...
> winbind enum users = yes
> winbind enum groups = yes

What happens if you turn these two off? If you have >30K AD users/groups, as you wrote, it needs some time to pull this information from your DC. Maybe this causes your problem.

Regards,
Marc
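
Added example, not part of either post and not Samba project code: a small parser for the log.winbindd format quoted in this thread that counts getpwnam requests per user and records when the name lookup failed, which makes the "works only while the cache is populated" pattern visible. The sample lines and user names are constructed; the function names matched (winbindd_getpwnam, getpwnam_name2sid_recv) are the ones shown in the log above.

```python
import re

# Samba 3.x debug header: [YYYY/MM/DD HH:MM:SS, level] file.c:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+\S+?:\d+\((\w+)\)"
)

# Constructed sample: one failed lookup, a later successful one, another user.
SAMPLE = (
    "[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)\n"
    "  [16641]: getpwnam DC+alice\n"
    "[2013/04/28 20:39:45, 5] winbindd/winbindd_async.c:296(lookupname_recv2)\n"
    "  lookup_name returned an error\n"
    "[2013/04/28 20:39:45, 5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)\n"
    "  Could not lookup name for user DC+alice\n"
    "[2013/04/28 20:41:02, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)\n"
    "  [16650]: getpwnam DC+alice\n"
    "[2013/04/28 20:41:07, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)\n"
    "  [16651]: getpwnam DC+bob\n"
)

def parse_entries(text):
    """Split a winbindd log into (timestamp, level, function, message) tuples.

    Works whether the message is on the header line or on the lines after it.
    """
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[h.end():end].split())
        entries.append((h.group(1), int(h.group(2)), h.group(3), message))
    return entries

def getpwnam_summary(entries):
    """Return {user: (request_count, [timestamps of failed name lookups])}."""
    stats = {}
    for ts, _level, func, msg in entries:
        if func == "winbindd_getpwnam":
            m = re.search(r"getpwnam (\S+)", msg)
            if m:
                stats.setdefault(m.group(1), [0, []])[0] += 1
        elif func == "getpwnam_name2sid_recv":
            m = re.search(r"Could not lookup name for user (\S+)", msg)
            if m:
                stats.setdefault(m.group(1), [0, []])[1].append(ts)
    return {user: (count, fails) for user, (count, fails) in stats.items()}

if __name__ == "__main__":
    for user, (count, fails) in getpwnam_summary(parse_entries(SAMPLE)).items():
        print(user, "requests:", count, "failed at:", fails)
```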