Felix Matouschek
2015-Jul-01 11:59 UTC
[Samba] winbindd hangs and makes the system unusable when DC is offline
Hello,
I am using winbindd to map users via the idmap_ad backend from a Samba 4.2.2 AD to another machine in the network.
Everything works fine unless I shut down the DC.
I would expect winbindd to realize the DC is offline and shut down or something; however, instead of realizing something is wrong, it goes into some kind of reconnection loop and makes the whole system unusable.
As soon as I kill winbindd or the DC comes online again, everything goes back to normal.

Is there any option to limit the number of reconnection tries when a DC is offline? Or have I overlooked something, perhaps?
My smb.conf looks like this:
[global]
netbios name = MyServer
server string = Fileserver (%h V:%v)
workgroup = INTRANET
realm = INTRANET.MYDOMAIN.DE
security = ADS
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
winbind nested groups = yes
winbind use default domain = yes
winbind normalize names = yes
winbind refresh tickets = yes
winbind nss info = rfc2307:INTRANET, template
template shell = /bin/bash
template homedir = /home/users/%U
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
idmap config * : range = 1000000 - 1999999
idmap config INTRANET : backend = ad
idmap config INTRANET : schema_mode = rfc2307
idmap config INTRANET : range = 5000 - 40000
map untrusted to domain = yes
unix extensions = no
invalid users = root, vipco-admin
acl allow execute always = yes
printing = bsd
printcap name = /dev/null
disable spoolss = yes
load printers = no
deadtime = 10
use sendfile = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
Greetings,
Felix
Rowland Penny
2015-Jul-01 13:57 UTC
[Samba] winbindd hangs and makes the system unusable when DC is offline
On 01/07/15 12:59, Felix Matouschek wrote:
> Hello,
>
> I am using winbindd to map users via the idmap_ad backend from a Samba 4.2.2 AD to another machine in the network.
> Everything works fine unless I shut down the DC.
> I would expect winbindd to realize the DC is offline and shut down or something; however, instead of realizing something is wrong, it goes into some kind of reconnection loop and makes the whole system unusable.
> As soon as I kill winbindd or the DC comes online again, everything goes back to normal.
>
> Is there any option to limit the number of reconnection tries when a DC is offline? Or have I overlooked something, perhaps?
>
> My smb.conf looks like this:
>
> [global]
> netbios name = MyServer
> server string = Fileserver (%h V:%v)
>
> workgroup = INTRANET
> realm = INTRANET.MYDOMAIN.DE
> security = ADS
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nested groups = yes
> winbind use default domain = yes
> winbind normalize names = yes
> winbind refresh tickets = yes
> winbind nss info = rfc2307:INTRANET, template
> template shell = /bin/bash
> template homedir = /home/users/%U
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 1999999
> idmap config INTRANET : backend = ad
> idmap config INTRANET : schema_mode = rfc2307
> idmap config INTRANET : range = 5000 - 40000
>
> map untrusted to domain = yes
>
> unix extensions = no
> invalid users = root, vipco-admin
>
> acl allow execute always = yes
>
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> load printers = no
>
> deadtime = 10
> use sendfile = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> Greetings,
> Felix

You could try 'winbind offline logon'; have a look here:
https://wiki.samba.org/index.php/PAM_Offline_Authentication

Whilst you are adding the line to smb.conf, I would suggest you make the following changes:

Change:
winbind nss info = rfc2307:INTRANET, template
To:
winbind nss info = rfc2307

Remove:
idmap_ldb:use rfc2307 = yes
It should only be on an AD DC.

Remove:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
You could be making things worse; just allow the kernel to sort these things.

Finally, why are you using templates? You can and should have these in AD.
template shell = /bin/bash
template homedir = /home/users/%U

Rowland
Felix Matouschek
2015-Jul-01 14:24 UTC
[Samba] winbindd hangs and makes the system unusable when DC is offline
Hello Rowland,

Yes, indeed, "idmap_ldb:use rfc2307 = yes" can be removed.

As for the templates, I need those lines on the DC since it won't apply the values for login shell and home dir automatically via rfc2307. I just copied the basic config over... hence they are in my member config, although theoretically everything gets pulled from AD.

The socket options never made any problems so far...

Anyhow... I figured out how to solve this problem. Your advice to use "winbind offline logon" is correct. However, it should be noted that offline logon won't work if either "map untrusted to domain = yes" or "winbind normalize names = yes" is set. I had a fair struggle with that... I guess that's a bug?!

I solved the problem by letting winbind use its own config file where both these options are disabled. Note that when having "map untrusted to domain = yes" in the main smb.conf you have to explicitly override it with "no" in the winbind config file. Very strange behaviour if you ask me... I'm glad I've sorted it out.

Greetings,
Felix

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Wednesday, 1 July 2015 15:57
To: samba at lists.samba.org
Subject: Re: [Samba] winbindd hangs and makes the system unusable when DC is offline
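The thread converges on two things: enable "winbind offline logon", and make sure "map untrusted to domain" and "winbind normalize names" are not set to yes in the configuration winbindd actually reads (Felix keeps a separate file for winbindd with both explicitly set to no). The script below is an added example, not code from the thread or from the Samba project. It writes two constructed smb.conf samples (the problematic combination and the corrected one) and runs a small POSIX sh/awk check over them that looks up parameters in [global] the way Samba does (parameter names are case-insensitive and ignore embedded whitespace; the last assignment wins; yes/true/1 are all "yes"). The function names and the conflict rule it encodes are taken from Felix's report, not from Samba documentation.

```shell
#!/bin/sh
# Added example: check an smb.conf for the combination Felix reports as
# breaking offline logon. Function names and the rule are assumptions
# based on the thread, not on Samba's own tooling.

# get_param FILE 'parameter name' -> prints the normalized (lowercased) value
# of the parameter in [global], or nothing if it is unset.
get_param() {
    _file=$1
    _key=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    awk -v want="$_key" '
        /^[[:space:]]*[;#]/ { next }                 # comment lines
        /^[[:space:]]*\[/ {                          # section header
            sect = tolower($0)
            gsub(/[[:space:]]/, "", sect); gsub(/[][]/, "", sect)
            next
        }
        sect == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key); key = tolower(key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) last = tolower(val)     # last assignment wins
        }
        END { if (last != "") print last }
    ' "$_file"
}

# is_true VALUE -> 0 if VALUE is one of Samba's "yes" spellings.
is_true() {
    case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

# check_offline_conf FILE -> 0 if offline logon is enabled and neither of the
# two conflicting options is on; 1 otherwise (each problem is printed).
check_offline_conf() {
    _f=$1; _rc=0
    if ! is_true "$(get_param "$_f" 'winbind offline logon')"; then
        echo "$_f: winbind offline logon is not enabled"
        return 1
    fi
    for p in 'map untrusted to domain' 'winbind normalize names'; do
        if is_true "$(get_param "$_f" "$p")"; then
            echo "$_f: '$p = yes' conflicts with winbind offline logon"
            _rc=1
        fi
    done
    return $_rc
}

# write_samples DIR -> writes two constructed configs into DIR.
write_samples() {
    _dir=$1
    # Constructed: offline logon added to the original config, but the two
    # options Felix found to break it are still set.
    cat > "$_dir/smb-before.conf" <<'EOF'
[global]
   workgroup = INTRANET
   realm = INTRANET.MYDOMAIN.DE
   security = ADS
   winbind offline logon = yes
   winbind normalize names = yes
   map untrusted to domain = yes
EOF
    # Constructed: the winbind-only config Felix describes. Both options are
    # written out explicitly as "no" so an inherited "yes" cannot leak in.
    cat > "$_dir/smb-winbind.conf" <<'EOF'
[global]
   workgroup = INTRANET
   realm = INTRANET.MYDOMAIN.DE
   security = ADS
   winbind offline logon = yes
   winbind normalize names = no
   map untrusted to domain = no
EOF
}

# Usage: run both samples through the check.
dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/smb-before.conf" "$dir/smb-winbind.conf"; do
    if check_offline_conf "$f"; then echo "$f: ok"; fi
done
```

On a real member server you would point winbindd at the dedicated file with its -s/--configfile option and confirm the result with wbinfo --online-status, which reports per-domain online/offline state, before pulling the DC to test.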