samba - Sep 2015 - Samba AD - Issue with winbindd: Could not write result

----- Mensagem original -----

De: "Rowland Penny" <rowlandpenny241155 at gmail.com> 
Para: samba at lists.samba.org 
Enviadas: Terça-feira, 1 de Setembro de 2015 12:05:20 
Assunto: Re: [Samba] Samba AD - Issue with winbindd: Could not write result 

On 01/09/15 15:33, Rafael Domiciano wrote: 
> Hi Rowland, thanks for your response. 
> 
> Both samba is self compiled. 
> 
> DC 1: 
> [root at wdc samba]# uname -a 
> Linux wdc 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC 
> 2015 x86_64 x86_64 x86_64 GNU/Linux 
> 
> [root at wdc samba]# cat /etc/redhat-release 
> CentOS release 6.6 (Final) 
> 
> [root at wdc samba]# cat /etc/resolv.conf 
> search DOMAIN 
> nameserver 172.16.5.22 
> nameserver 172.16.5.1 
> nameserver 8.8.8.8 
> 
> [root at wdc samba]# samba -V 
> Version 4.2.3 
> 
> [root at wdc samba]# cat /etc/krb5.conf 
> [libdefaults] 
> default_realm = DOMAIN.COM 
> dns_lookup_realm = false 
> dns_lookup_kdc = true 
> 
> DC 2: 
> [root at bcd samba]# uname -a 
> Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 
> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux 
> 
> [root at bcd samba]# cat /etc/redhat-release 
> CentOS release 6.6 (Final) 
> 
> [root at bcd samba]# cat /etc/resolv.conf 
> search DOMAIN 
> nameserver 172.16.5.1 
> nameserver 172.16.5.22 
> nameserver 8.8.8.8 
> 
> [root at bcd samba]# samba -V 
> Version 4.2.3 
> 
> [root at bcd samba]# cat /etc/krb5.conf 
> [libdefaults] 
> default_realm = DOMAIN.COM 
> dns_lookup_realm = false 
> dns_lookup_kdc = true 
> 
> 
> About the winbindd I got some perfomance with the following lines, and 
> I could reproduce this in my tests, so in some manner they get 
> processed at some time: 
> > winbind use default domain = yes 
> > winbind nested groups = false 
> > winbind enum users = no 
> > winbind enum groups = no 
> 
> Rafael 
> 
> ------------------------------------------------------------------------ 
> 
Hmm, again there doesn't seem to be anything really wrong, only 
possibility is the resolv.conf files, I take it that 'search DOMAIN' is 
really 'search domain.com' i.e. DOMAIN is the dns domain name. I also 
take it that the two '172.16.5.x' numbers are the ipaddress of the two 
DCs and each DC points to the other DC first, you do not actually don't 
need the google line, this should be set as a forwarder in named.conf. 

Ok, I've changed the configuration, now named is forwarding, and the
"nameserver 8.8.8.8" isn't anymore on resolv.conf.

The only thing I can think is that you missed installing a package 
before compiling Samba, is this in production ? could you change to the 
Sernet packages ? 

Yes, it's in production. As I said before this setup is running for 1 month
right now, and the only problem is this:

Sep 1 09:04:30 wdc winbindd[18757]: [2015/09/01 09:04:30.040198, 0]
../source3/winbindd/winbindd_dual.c:105(child_write_response)
Sep 1 09:04:30 wdc winbindd[18757]: Could not write result 

That repeat as so many times that "winbind max clients = 800"
configured. And then changed to:

Sep 1 09:08:07 wdc winbindd[3068]: [2015/09/01 09:08:07.980952, 0]
../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
Sep 1 09:08:07 wdc winbindd[3068]: winbindd: Exceeding 800 client connections,
no idle connection found

That repeats so long the samba is up, I needed to stop and start the samba
service.

Seems that when the first error occurs samba server mantains the client
connection, but the client (e.g.: thunderbird, postgresql, Zimbra Desktop,
openfire...) request a new connection to AD. Just making assumptions.


Is selinux involved here? have you checked the logs, same goes for any 
firewall you might have installed. 

No Selinux (enforce = disabled). I think the firewall is not the problem, as
it's working: Roaming profiles, Windows ACLs, GPO (Users and computers),
LDAP, and so on.

Rowland 
-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba

The same problem ocurred today. The same log in /var/log/messages in DC, and I
have to stop and start the samba service. Any help is appreciate.

Regards, 

Rafael 


----- Mensagem original -----

De: "Rafael Domiciano" <r.domiciano at senff.com.br> 
Para: "Rowland Penny" <rowlandpenny241155 at gmail.com> 
Cc: samba at lists.samba.org 
Enviadas: Terça-feira, 1 de Setembro de 2015 14:07:10 
Assunto: Re: [Samba] Samba AD - Issue with winbindd: Could not write result 




----- Mensagem original -----

De: "Rowland Penny" <rowlandpenny241155 at gmail.com> 
Para: samba at lists.samba.org 
Enviadas: Terça-feira, 1 de Setembro de 2015 12:05:20 
Assunto: Re: [Samba] Samba AD - Issue with winbindd: Could not write result 

On 01/09/15 15:33, Rafael Domiciano wrote: 
> Hi Rowland, thanks for your response. 
> 
> Both samba is self compiled. 
> 
> DC 1: 
> [root at wdc samba]# uname -a 
> Linux wdc 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC 
> 2015 x86_64 x86_64 x86_64 GNU/Linux 
> 
> [root at wdc samba]# cat /etc/redhat-release 
> CentOS release 6.6 (Final) 
> 
> [root at wdc samba]# cat /etc/resolv.conf 
> search DOMAIN 
> nameserver 172.16.5.22 
> nameserver 172.16.5.1 
> nameserver 8.8.8.8 
> 
> [root at wdc samba]# samba -V 
> Version 4.2.3 
> 
> [root at wdc samba]# cat /etc/krb5.conf 
> [libdefaults] 
> default_realm = DOMAIN.COM 
> dns_lookup_realm = false 
> dns_lookup_kdc = true 
> 
> DC 2: 
> [root at bcd samba]# uname -a 
> Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 
> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux 
> 
> [root at bcd samba]# cat /etc/redhat-release 
> CentOS release 6.6 (Final) 
> 
> [root at bcd samba]# cat /etc/resolv.conf 
> search DOMAIN 
> nameserver 172.16.5.1 
> nameserver 172.16.5.22 
> nameserver 8.8.8.8 
> 
> [root at bcd samba]# samba -V 
> Version 4.2.3 
> 
> [root at bcd samba]# cat /etc/krb5.conf 
> [libdefaults] 
> default_realm = DOMAIN.COM 
> dns_lookup_realm = false 
> dns_lookup_kdc = true 
> 
> 
> About the winbindd I got some perfomance with the following lines, and 
> I could reproduce this in my tests, so in some manner they get 
> processed at some time: 
> > winbind use default domain = yes 
> > winbind nested groups = false 
> > winbind enum users = no 
> > winbind enum groups = no 
> 
> Rafael 
> 
> ------------------------------------------------------------------------ 
> 
Hmm, again there doesn't seem to be anything really wrong, only 
possibility is the resolv.conf files, I take it that 'search DOMAIN' is 
really 'search domain.com' i.e. DOMAIN is the dns domain name. I also 
take it that the two '172.16.5.x' numbers are the ipaddress of the two 
DCs and each DC points to the other DC first, you do not actually don't 
need the google line, this should be set as a forwarder in named.conf. 

Ok, I've changed the configuration, now named is forwarding, and the
"nameserver 8.8.8.8" isn't anymore on resolv.conf.

The only thing I can think is that you missed installing a package 
before compiling Samba, is this in production ? could you change to the 
Sernet packages ? 

Yes, it's in production. As I said before this setup is running for 1 month
right now, and the only problem is this:

Sep 1 09:04:30 wdc winbindd[18757]: [2015/09/01 09:04:30.040198, 0]
../source3/winbindd/winbindd_dual.c:105(child_write_response)
Sep 1 09:04:30 wdc winbindd[18757]: Could not write result 

That repeat as so many times that "winbind max clients = 800"
configured. And then changed to:

Sep 1 09:08:07 wdc winbindd[3068]: [2015/09/01 09:08:07.980952, 0]
../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler)
Sep 1 09:08:07 wdc winbindd[3068]: winbindd: Exceeding 800 client connections,
no idle connection found

That repeats so long the samba is up, I needed to stop and start the samba
service.

Seems that when the first error occurs samba server mantains the client
connection, but the client (e.g.: thunderbird, postgresql, Zimbra Desktop,
openfire...) request a new connection to AD. Just making assumptions.


Is selinux involved here? have you checked the logs, same goes for any 
firewall you might have installed. 

No Selinux (enforce = disabled). I think the firewall is not the problem, as
it's working: Roaming profiles, Windows ACLs, GPO (Users and computers),
LDAP, and so on.

Rowland 
-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba

On 02/09/15 13:34, Rafael Domiciano wrote:
> The same problem ocurred today. The same log in /var/log/messages in 
> DC, and I have to stop and start the samba service. Any help is 
> appreciate.
>
> Regards,
>
> Rafael
>
>
> ------------------------------------------------------------------------
> *De: *"Rafael Domiciano" <r.domiciano at senff.com.br>
> *Para: *"Rowland Penny" <rowlandpenny241155 at gmail.com>
> *Cc: *samba at lists.samba.org
> *Enviadas: *Terça-feira, 1 de Setembro de 2015 14:07:10
> *Assunto: *Re: [Samba] Samba AD - Issue with winbindd: Could not write 
> result
>
>
>
> ------------------------------------------------------------------------
> *De: *"Rowland Penny" <rowlandpenny241155 at gmail.com>
> *Para: *samba at lists.samba.org
> *Enviadas: *Terça-feira, 1 de Setembro de 2015 12:05:20
> *Assunto: *Re: [Samba] Samba AD - Issue with winbindd: Could not write 
> result
>
> On 01/09/15 15:33, Rafael Domiciano wrote:
> > Hi Rowland, thanks for your response.
> >
> > Both samba is self compiled.
> >
> > DC 1:
> > [root at wdc samba]# uname -a
> > Linux wdc 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC
> > 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> > [root at wdc samba]# cat /etc/redhat-release
> > CentOS release 6.6 (Final)
> >
> > [root at wdc samba]# cat /etc/resolv.conf
> > search DOMAIN
> > nameserver 172.16.5.22
> > nameserver 172.16.5.1
> > nameserver 8.8.8.8
> >
> > [root at wdc samba]# samba -V
> > Version 4.2.3
> >
> > [root at wdc samba]# cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = DOMAIN.COM
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > DC 2:
> > [root at bcd samba]# uname -a
> > Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
> > 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >
> > [root at bcd samba]# cat /etc/redhat-release
> > CentOS release 6.6 (Final)
> >
> > [root at bcd samba]# cat /etc/resolv.conf
> > search DOMAIN
> > nameserver 172.16.5.1
> > nameserver 172.16.5.22
> > nameserver 8.8.8.8
> >
> > [root at bcd samba]# samba -V
> > Version 4.2.3
> >
> > [root at bcd samba]# cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = DOMAIN.COM
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> >
> > About the winbindd I got some perfomance with the following lines, and
> > I could reproduce this in my tests, so in some manner they get
> > processed at some time:
> > > winbind use default domain = yes
> > > winbind nested groups = false
> > > winbind enum users = no
> > > winbind enum groups = no
> >
> > Rafael
> >
> >
------------------------------------------------------------------------
> >
>
> Hmm, again there doesn't seem to be anything really wrong, only
> possibility is the resolv.conf files, I take it that 'search
DOMAIN' is
> really 'search domain.com' i.e. DOMAIN is the dns domain name. I
also
> take it that the two '172.16.5.x' numbers are the ipaddress of the
two
> DCs and each DC points to the other DC first, you do not actually don't
> need the google line, this should be set as a forwarder in named.conf.
>
> Ok, I've changed the configuration, now named is forwarding, and the 
> "nameserver 8.8.8.8" isn't anymore on resolv.conf.
>
> The only thing I can think is that you missed installing a package
> before compiling Samba, is this in production ? could you change to the
> Sernet packages ?
>
> Yes, it's in production. As I said before this setup is running for 1 
> month right now, and the only problem is this:
>
> Sep  1 09:04:30 wdc winbindd[18757]: [2015/09/01 09:04:30.040198,  0] 
> ../source3/winbindd/winbindd_dual.c:105(child_write_response)
> Sep  1 09:04:30 wdc winbindd[18757]:   Could not write result
>
> That repeat as so many times that "winbind max clients = 800" 
> configured.And then changed to: Sep 1 09:08:07 wdc winbindd[3068]: 
> [2015/09/01 09:08:07.980952, 0] 
> ../source3/winbindd/winbindd.c:1116(winbindd_listen_fde_handler) Sep 1 
> 09:08:07 wdc winbindd[3068]: winbindd: Exceeding 800 client 
> connections, no idle connection found That repeats so long the samba 
> is up, I needed to stop and start the samba service.
> Seems that when the first error occurs samba server mantains the 
> client connection, but the client (e.g.: thunderbird, postgresql, 
> Zimbra Desktop, openfire...) request a new connection to AD. Just 
> making assumptions.
>
>
> Is selinux involved here? have you checked the logs, same goes for any
> firewall you might have installed.
>
> No Selinux (enforce = disabled). I think the firewall is not the 
> problem, as it's working: Roaming profiles, Windows ACLs, GPO (Users 
> and computers), LDAP, and so on.
>
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
OK, I personally cannot see anything wrong with your setup, perhaps 
someone else can see if I missed anything ?

In the mean time, can you set the loglevel to 10 and see if this brings 
out anything in the logs.

Rowland