Marco Coli
2017-Jun-23 05:09 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
On 22/06/2017 15:30, Rowland Penny via samba wrote:
> On Thu, 22 Jun 2017 14:47:36 +0200
> Marco Coli via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have the same problems outlined in this old thread...
>> Only difference the original poster was on RHEL6.X, I am on RHEL7, he
>> compiled samba on his own, I used Sernet Samba (latest)...
>>
>> Unfortunately there is no solution on this thread. Suggestions?
>>
>> Thank you
>>
> Yikes, that was from nearly two years ago.
>
> Can you post:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> If using Bind9, its conf files
> /etc/samba/smb.conf
> /etc/krb5.conf
>
> Rowland
>

Yes, very old, but it is the only similar problem (quite identical) I did find.
Thank you for your interest, here we are:

cat /etc/resolv.conf
# Generated by NetworkManager
search niccolai.local
nameserver 10.0.0.253
----
[root at nic-mail ~]# cat /etc/hostname
nic-mail
----
[root at nic-mail ~]# cat /etc/hosts
10.0.0.253 nic-mail mail.niccolaitrafile.it nic-server-mail nic-mail.niccolai.local nic-server-mail.niccolai.local sogo.niccolaitrafile.it
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
____
[root at nic-mail ~]# cat /etc/named.conf
include "/etc/rndc.key";
# include "/var/lib/samba/private/named.conf";
include "/etc/named.conf.samba";

//
// named.conf for Red Hat caching-nameserver
//

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    // query-source address * port 53;
    // forward first;
    // forwarders {
    //     8.8.8.8;
    //     8.8.4.4;
    #      151.99.125.2;
    #      151.99.250.2;
    #      213.92.5.54;
    #      194.185.88.5;
    #      151.99.125.3;
    // };
};

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};

//zone "255.in-addr.arpa" IN {
//    type master;
//    file "named.broadcast";
//    allow-update { none; };
// };

//zone "0.in-addr.arpa" IN {
//    type master;
//    file "named.zero";
//    allow-update { none; };
//};

#zone "niccolai" IN {
#    type master;
#    file "niccolai";
#    allow-update { key "rndckey" ; };
##    allow-transfer { 10.0.0.19; };
##    notify yes;
#};
#zone "10.in-addr.arpa" IN {
#    type master;
#    file "10.in-addr.arpa";
#    allow-update { key "rndckey" ; };
##    allow-transfer { 10.0.0.19; };
##    notify yes;
#};

zone "niccolai.homelinux.org" IN {
    type master;
    file "homelinux";
    allow-update { none; };
#    allow-transfer { 10.0.0.19; };
    notify yes;
};

zone "niccolaitrafile.it" IN {
    type master;
    file "niccolaitrafile.it";
    allow-update { none; };
#    allow-transfer { 10.0.0.19; };
#    notify yes;
};
--------
[root at nic-mail ~]# cat /etc/named.conf.
named.conf.DISTRIB named.conf.rpmnew named.conf.samba
[root at nic-mail ~]# cat /etc/named.conf.samba
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba4/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
#dlz "niccolai.local" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};
----
[root at nic-mail ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
    workgroup = NICCOLAI
    realm = niccolai.local
    netbios name = NIC-MAIL
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    # idmap_ldb:use rfc2307 = yes
    interfaces = 127.0.0.1 10.0.0.253
    bind interfaces only = yes
    unix extensions = yes
    allow insecure wide links = Yes
    # Inserted to avoid lock-ups from too many open files
    # deadtime = 20
    # max open files = 490000
    socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
    ldap server require strong auth = no
    # Added by TT 13/6
    ## client use spnego = no
    ## client ntlmv2 auth = no
    ## client ipc max protocol = NT1
    # Added by TT 19/6
    ## client ldap sasl wrapping = plain

[netlogon]
    path = /var/lib/samba/sysvol/niccolai.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles]
    path = /archivi/samba/profiles
    read only = no

[dati]
    comment = Directory di lavoro
    path = /archivi/samba/dati
    read only = no
    wide links = yes

[Com]
    comment= Commesse
    path = /archivi/samba/dbcommesse
    read only = No
    public = yes
    wide links = yes

[Scambio]
    comment= Scambio
    path = /archivi/samba/scambio
    read only = No
    writeable = yes

[Acquisti]
    path = /archivi/samba/acquisti
    read only = No
    wide links = yes

[Commerciale]
    path = /archivi/samba/commerciale
    read only = no
    wide links = yes

[Contabilita]
    path = /archivi/samba/contabilita
    read only = no

[Tecnico]
    path = /archivi/samba/tecnico
    read only = no

[Amministrazione]
    path = /archivi/samba/amministrazione
    read only = no

[Info$]
    path = /archivi/samba/informatica
    read only = no
    wide links = yes

[manuali]
    path = /archivi/samba/manuali
    read only = no
    wide links = yes

[officina]
    path = /archivi/samba/officina
    read only = no

[magazzino_inserti]
    path = /archivi/samba/MAGAZZINO_INSERTI
    read only = no

[Foto]
    path = /archivi/samba/foto
    read only = no
    wide links = yes

[Contenit]
    path = /archivi/samba/contenitori
    read only = no
    wide links = yes

#[Backup]
#    path = /BACKUP
#    browseable = yes
#    read only = no
#    read only = yes
#    vfs objects = acl_xattr

[Collaudo]
    path = /archivi/samba/collaudo
    read only = no
#    vfs objects = acl_xattr

[Certificati_conformita]
    path = /archivi/samba/certificati_conformita
    read only = no

[Manuali_Macchine]
    path = /archivi/samba/MANUALI_MACCHINE
    read only = no
    wide links = yes

[Deployment]
    path = /archivi/samba/DEPLOYMENT
    read only = no
    guest ok = yes
-----
[root at nic-mail ~]# cat /etc/krb5.conf
[libdefaults]
    default_realm = NICCOLAI.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

After some hours the services are down, the output of wbinfo -u becomes empty, and some weird login/share problems begin.
If I restart the services (systemctl restart sernet-samba-ad ) all is ok.

It worked flawlessly for years, until 15 days ago... The server is updated with latest kernel and latest samba:

[root at nic-mail ~]# uname -a
Linux nic-mail 3.10.0-514.21.2.el7.x86_64 #1 SMP Sun May 28 17:08:21 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root at nic-mail ~]# rpm -qa |grep samba
sernet-samba-libsmbclient0-4.6.5-8.el7.x86_64
sernet-samba-4.6.5-8.el7.x86_64
sernet-samba-libs-4.6.5-8.el7.x86_64
sernet-samba-common-4.6.5-8.el7.x86_64
sernet-samba-client-4.6.5-8.el7.x86_64
sernet-samba-ad-4.6.5-8.el7.x86_64
sernet-samba-winbind-4.6.5-8.el7.x86_64

Thank you!
Marco Coli
2017-Jun-23 05:13 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
On 23/06/2017 07:09, Marco Coli wrote:
> After some hours the services are down, the output of wbinfo -u
> becomes empty, and some weird login/share problems begin.
> If I restart the services (systemctl restart sernet-samba-ad ) all is ok.

Sorry, that is wrong.. It should be:

After some hours the samba services are running (40 users average), the output of wbinfo -u becomes empty, and some weird login/share problems begin with the users. If I restart the services (systemctl restart sernet-samba-ad ) all return normal until the next cycle.

> [root at nic-mail ~]# cat /etc/named.conf.
> named.conf.DISTRIB named.conf.rpmnew named.conf.samba

Ignore these two lines.

Best regards
Rowland Penny
2017-Jun-23 08:49 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
Please see inline comments.

On Fri, 23 Jun 2017 07:09:47 +0200
Marco Coli <marco.coli at isolettaelba.eu> wrote:

> cat /etc/resolv.conf
> # Generated by NetworkManager
> search niccolai.local
> nameserver 10.0.0.253

Only thing wrong there is that you may be using the '.local' domain (unless it has been changed to hide the real domain). If it is the real domain, remove Avahi if it is installed.

> ----
> [root at nic-mail ~]# cat /etc/hostname
> nic-mail
> ----
> [root at nic-mail ~]# cat /etc/hosts
> 10.0.0.253 nic-mail mail.niccolaitrafile.it nic-server-mail nic-mail.niccolai.local nic-server-mail.niccolai.local sogo.niccolaitrafile.it
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Why does red-hat do things the wrong way round to other OS's?

I would change it to this:

10.0.0.253 nic-mail.niccolai.local nic-mail
10.0.0.? mail.niccolaitrafile.it mail
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Create a virtual network interface for the '10.0.0.?' address and assign an 'IP'. Create a CNAME record for nic-server-mail to nic-mail.niccolai.local, create a CNAME record for sogo to 'mail.niccolaitrafile.it'

> ____
>
> [root at nic-mail ~]# cat /etc/named.conf
> include "/etc/rndc.key";
> # include "/var/lib/samba/private/named.conf";
> include "/etc/named.conf.samba";
>
> //
> // named.conf for Red Hat caching-nameserver
> //
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     /*
>      * If there is a firewall between you and nameservers you want
>      * to talk to, you might need to uncomment the query-source
>      * directive below. Previous versions of BIND always asked
>      * questions using port 53, but BIND 8.1 uses an unprivileged
>      * port by default.
>      */
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     // query-source address * port 53;
>     // forward first;
>     // forwarders {
>     //     8.8.8.8;
>     //     8.8.4.4;
>     #      151.99.125.2;
>     #      151.99.250.2;
>     #      213.92.5.54;
>     #      194.185.88.5;
>     #      151.99.125.3;
>     // };
>
> };
>

Uncomment the 'forwarders' lines, I would just use the Google ones.

> //
> // a caching only nameserver config
> //
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> zone "localdomain" IN {
>     type master;
>     file "localdomain.zone";
>     allow-update { none; };
> };
>
> zone "localhost" IN {
>     type master;
>     file "localhost.zone";
>     allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
>     type master;
>     file "named.local";
>     allow-update { none; };
> };
>
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>     type master;
>     file "named.ip6.local";
>     allow-update { none; };
> };
>
> //zone "255.in-addr.arpa" IN {
> //    type master;
> //    file "named.broadcast";
> //    allow-update { none; };
> // };
>
> //zone "0.in-addr.arpa" IN {
> //    type master;
> //    file "named.zero";
> //    allow-update { none; };
> //};
>
> #zone "niccolai" IN {
> #    type master;
> #    file "niccolai";
> #    allow-update { key "rndckey" ; };
> ##    allow-transfer { 10.0.0.19; };
> ##    notify yes;
> #};
> #zone "10.in-addr.arpa" IN {
> #    type master;
> #    file "10.in-addr.arpa";
> #    allow-update { key "rndckey" ; };
> ##    allow-transfer { 10.0.0.19; };
> ##    notify yes;
> #};
>
> zone "niccolai.homelinux.org" IN {
>     type master;
>     file "homelinux";
>     allow-update { none; };
> #    allow-transfer { 10.0.0.19; };
>     notify yes;
> };

Remove the above zone, you do not seem to be using it.

>
> zone "niccolaitrafile.it" IN {
>     type master;
>     file "niccolaitrafile.it";
>     allow-update { none; };
> #    allow-transfer { 10.0.0.19; };
> #    notify yes;
> };
> --------
> [root at nic-mail ~]# cat /etc/named.conf.
> named.conf.DISTRIB named.conf.rpmnew named.conf.samba
> [root at nic-mail ~]# cat /etc/named.conf.samba
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba4/private/named.conf";
>
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "AD DNS Zone" {
> #dlz "niccolai.local" {
>     # For BIND 9.8.0
>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.0
>     database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
> };
>
> ----
>
> [root at nic-mail ~]# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     workgroup = NICCOLAI
>     realm = niccolai.local
>     netbios name = NIC-MAIL
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>     # idmap_ldb:use rfc2307 = yes

Uncomment the above line, you need it.

>     interfaces = 127.0.0.1 10.0.0.253
>     bind interfaces only = yes
>     unix extensions = yes
>     allow insecure wide links = Yes
>     # Inserted to avoid lock-ups from too many open files
>     # deadtime = 20
>     # max open files = 490000
>     socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5

You should let Samba set the above line for you.

>     ldap server require strong auth = no
>     # Added by TT 13/6
>     ## client use spnego = no
>     ## client ntlmv2 auth = no
>     ## client ipc max protocol = NT1
>     # Added by TT 19/6
>     ## client ldap sasl wrapping = plain
>
> [netlogon]
>     path = /var/lib/samba/sysvol/niccolai.local/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [profiles]
>     path = /archivi/samba/profiles
>     read only = no
>
> [dati]
>     comment = Directory di lavoro
>     path = /archivi/samba/dati
>     read only = no
>     wide links = yes
>
> [Com]
>     comment= Commesse
>     path = /archivi/samba/dbcommesse
>     read only = No
>     public = yes
>     wide links = yes
>
> [Scambio]
>     comment= Scambio
>     path = /archivi/samba/scambio
>     read only = No
>     writeable = yes
>
> [Acquisti]
>     path = /archivi/samba/acquisti
>     read only = No
>     wide links = yes
>
> [Commerciale]
>     path = /archivi/samba/commerciale
>     read only = no
>     wide links = yes
>
> [Contabilita]
>     path = /archivi/samba/contabilita
>     read only = no
>
> [Tecnico]
>     path = /archivi/samba/tecnico
>     read only = no
>
> [Amministrazione]
>     path = /archivi/samba/amministrazione
>     read only = no
>
> [Info$]
>     path = /archivi/samba/informatica
>     read only = no
>     wide links = yes
>
> [manuali]
>     path = /archivi/samba/manuali
>     read only = no
>     wide links = yes
>
> [officina]
>     path = /archivi/samba/officina
>     read only = no
>
> [magazzino_inserti]
>     path = /archivi/samba/MAGAZZINO_INSERTI
>     read only = no
>
> [Foto]
>     path = /archivi/samba/foto
>     read only = no
>     wide links = yes
>
> [Contenit]
>     path = /archivi/samba/contenitori
>     read only = no
>     wide links = yes
>
> #[Backup]
> #    path = /BACKUP
> #    browseable = yes
> #    read only = no
> #    read only = yes
> #    vfs objects = acl_xattr
>
> [Collaudo]
>     path = /archivi/samba/collaudo
>     read only = no
> #    vfs objects = acl_xattr
>
> [Certificati_conformita]
>     path = /archivi/samba/certificati_conformita
>     read only = no
>
> [Manuali_Macchine]
>     path = /archivi/samba/MANUALI_MACCHINE
>     read only = no
>     wide links = yes
>
> [Deployment]
>     path = /archivi/samba/DEPLOYMENT
>     read only = no
>     guest ok = yes
>
> -----
> [root at nic-mail ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = NICCOLAI.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
>
> After some hours the services are down, the output of wbinfo -u
> becomes empty, and some weird login/share problems begin.
> If I restart the services (systemctl restart sernet-samba-ad ) all is
> ok.
>
> It worked flawlessly for years, until 15 days ago... The server is
> updated with latest kernel and latest samba:
> [root at nic-mail ~]# uname -a
> Linux nic-mail 3.10.0-514.21.2.el7.x86_64 #1 SMP Sun May 28 17:08:21 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> [root at nic-mail ~]# rpm -qa |grep samba
> sernet-samba-libsmbclient0-4.6.5-8.el7.x86_64
> sernet-samba-4.6.5-8.el7.x86_64
> sernet-samba-libs-4.6.5-8.el7.x86_64
> sernet-samba-common-4.6.5-8.el7.x86_64
> sernet-samba-client-4.6.5-8.el7.x86_64
> sernet-samba-ad-4.6.5-8.el7.x86_64
> sernet-samba-winbind-4.6.5-8.el7.x86_64
>
> Thank you!

I no longer use the Sernet packages, but can you check if there are any other Sernet Samba packages available (Debian has one called samba-dsdb-modules) and install them.

I am not saying that the changes I suggest will cure your problem, but they should not make anything worse either.

Rowland
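The /etc/hosts and resolv.conf layout Rowland asks for above (FQDN first, short name second, the DC querying its own DNS) is easy to get wrong and easy to check mechanically. The script below is an added example for this thread, not code from Samba or from either poster; the function names and the sample files it writes to a temporary directory are constructed for the example, and it takes the files to inspect as arguments so it can be run against copies before touching the real ones.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Samba AD DC's /etc/hosts
# line and /etc/resolv.conf follow the recommended layout, i.e.
#   10.0.0.253 nic-mail.niccolai.local nic-mail
# with the FQDN first and the unqualified host name second, and the DC
# resolving through its own nameserver. Function names and the sample files
# built in demo() are constructed for this example.

# check_hosts_entry HOSTSFILE IP FQDN
# Exit 0 when the first line whose address is IP names FQDN first and the
# short host name second; otherwise print the reason and exit 1.
check_hosts_entry() {
    hostsfile=$1; ip=$2; fqdn=$3
    short=${fqdn%%.*}
    line=$(awk -v ip="$ip" '$1 == ip { print; exit }' "$hostsfile")
    [ -n "$line" ] || { echo "no entry for $ip"; return 1; }
    set -- $line                      # split the matched line into its fields
    [ "$2" = "$fqdn" ] || { echo "first name for $ip is '$2', expected '$fqdn'"; return 1; }
    [ "$3" = "$short" ] || { echo "second name for $ip is '$3', expected '$short'"; return 1; }
    echo "ok: $line"
}

# check_resolv RESOLVFILE DC_IP DOMAIN
# A DC must query its own (Samba-backed) DNS first and search the AD domain.
check_resolv() {
    resolvfile=$1; dcip=$2; domain=$3
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolvfile")
    srch=$(awk '$1 == "search" || $1 == "domain" { print $2; exit }' "$resolvfile")
    [ "$ns" = "$dcip" ] || { echo "first nameserver is '$ns', expected '$dcip'"; return 1; }
    [ "$srch" = "$domain" ] || { echo "search domain is '$srch', expected '$domain'"; return 1; }
    echo "ok: nameserver $ns search $srch"
}

# Demonstration on constructed copies of the two layouts seen in the thread.
demo() {
    d=$(mktemp -d)
    # as posted: short name first, FQDN buried later on the line
    printf '10.0.0.253 nic-mail mail.niccolaitrafile.it nic-mail.niccolai.local\n' > "$d/hosts.before"
    # as recommended
    printf '10.0.0.253 nic-mail.niccolai.local nic-mail\n127.0.0.1 localhost\n' > "$d/hosts.after"
    printf 'search niccolai.local\nnameserver 10.0.0.253\n' > "$d/resolv.conf"
    for f in "$d/hosts.before" "$d/hosts.after"; do
        printf '%s: ' "$(basename "$f")"
        check_hosts_entry "$f" 10.0.0.253 nic-mail.niccolai.local || true
    done
    check_resolv "$d/resolv.conf" 10.0.0.253 niccolai.local || true
    rm -rf "$d"
}

demo
```

Run against the live files as `check_hosts_entry /etc/hosts 10.0.0.253 nic-mail.niccolai.local` and `check_resolv /etc/resolv.conf 10.0.0.253 niccolai.local`; the first check is the one that fails on the hosts line as originally posted, because `nic-mail` rather than the FQDN is the first name after the address.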
Marco Coli
2017-Jun-24 17:30 UTC
[Samba] Samba AD - Issue with winbindd: Could not write result
On 23/06/2017 10:49, Rowland Penny via samba wrote:
> Please see inline comments.
>
> On Fri, 23 Jun 2017 07:09:47 +0200
> Marco Coli <marco.coli at isolettaelba.eu> wrote:
>
>> cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search niccolai.local
>> nameserver 10.0.0.253
> Only thing wrong there is that you may be using the '.local' domain
> (unless it has been changed to hide the real domain). If it is the
> real domain, remove Avahi if it is installed.

Done

>
> I would change it to this:
>
> 10.0.0.253 nic-mail.niccolai.local nic-mail
> 10.0.0.? mail.niccolaitrafile.it mail
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> Create a virtual network interface for the '10.0.0.?' address and
> assign an 'IP'. Create a CNAME record for nic-server-mail to
> nic-mail.niccolai.local, create a CNAME record for sogo to
> 'mail.niccolaitrafile.it'

To be done

>
> Uncomment the 'forwarders' lines, I would just use the Google ones.

Done

> zone "niccolai.homelinux.org" IN {
>     type master;
>     file "homelinux";
>     allow-update { none; };
> #    allow-transfer { 10.0.0.19; };
>     notify yes;
> };
> Remove the above zone, you do not seem to be using it.

Done

>
>> zone "niccolaitrafile.it" IN {
>>     type master;
>>     file "niccolaitrafile.it";
>>     allow-update { none; };
>> #    allow-transfer { 10.0.0.19; };
>> #    notify yes;
>> };
>> --------
>> [root at nic-mail ~]# cat /etc/named.conf.
>> named.conf.DISTRIB named.conf.rpmnew named.conf.samba
>> [root at nic-mail ~]# cat /etc/named.conf.samba
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba4/private/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>> #dlz "niccolai.local" {
>>     # For BIND 9.8.0
>>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
>>
>>     # For BIND 9.9.0
>>     database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
>> };
>>
>> ----
>>
>> [root at nic-mail ~]# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>     workgroup = NICCOLAI
>>     realm = niccolai.local
>>     netbios name = NIC-MAIL
>>     server role = active directory domain controller
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>     # idmap_ldb:use rfc2307 = yes
> Uncomment the above line, you need it.

Done

>
>     socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
> You should let Samba set the above line for you.

Done (commented line)

>
> I no longer use the Sernet packages, but can you check if there are any
> other Sernet Samba packages available (Debian has one called
> samba-dsdb-modules) and install them.
>
> I am not saying that the changes I suggest will cure your problem, but
> they should not make anything worse either.
>
> Rowland
>
>

So far, with all the cleaning you suggested except the hosts file (I will do it in the next days, and thank you!) the problem remains.

I did a simple script which runs every 5 minutes in crontab and checks if wbinfo -u returns no lines; in this case it restarts samba. It is the only temporary solution I did find by now... I see it restart samba 4/5 times a day, at different hours, also by night without operational users.

Here is the script:

[root at nic-mail niccolai]# cat script_riavvio_samba.sh
#!/bin/sh
# Restart the Samba AD service when winbind returns an empty user list
if [ $(wbinfo -u | wc -l) -eq 0 ]; then
    echo "Riavviato il servizio";
    /usr/bin/systemctl restart sernet-samba-ad;
fi

Doing this, I have no more complaints from users about shares not reachable, or AD login not performed, and so on...

I have no resource problem:

[root at nic-mail niccolai]# free
              total        used        free      shared  buff/cache   available
Mem:       12139548     2649440      573128      202884     8916980     8830260
Swap:       5177340        1796     5175544

The server is doing a lot of other things without a problem, it started to have problems only with samba and only recently, I have no more clues...

Thank you for your indications!
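Marco's cron script above restarts the DC whenever `wbinfo -u` prints nothing, which hides the symptom but leaves no record of what winbindd was doing when it failed and will loop if the domain itself is broken. The script below is an added example written for this thread, not Marco's script or anything shipped by Samba or Sernet: it distinguishes "winbindd does not answer" (`wbinfo -p`) from "winbindd answers but enumerates no users" (`wbinfo -u`), logs the state to syslog before restarting so each incident is dated, and enforces a cooldown between restarts. The names WBINFO, RESTART_CMD, STATE_FILE, COOLDOWN and the `run` argument are chosen for this example and can be overridden from the environment, which is also how the logic can be exercised without a real winbindd.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: a more defensive
# winbind watchdog for cron. Every knob below is an assumed name for this
# example; override it in the environment if your paths differ.
WBINFO=${WBINFO:-wbinfo}
RESTART_CMD=${RESTART_CMD:-"systemctl restart sernet-samba-ad"}
STATE_FILE=${STATE_FILE:-/run/winbind-watchdog.last}   # epoch of the last restart
COOLDOWN=${COOLDOWN:-600}                                # minimum seconds between restarts

# Record to syslog when available, otherwise to stderr (cron mails it).
log() {
    logger -t winbind-watchdog "$1" 2>/dev/null || echo "winbind-watchdog: $1" >&2
}

# winbind_state: prints ok | noping | nousers and returns 0 only for ok.
# "noping": the daemon does not answer at all.
# "nousers": it answers but enumerates nobody, the symptom in this thread.
winbind_state() {
    if ! "$WBINFO" -p >/dev/null 2>&1; then
        echo noping; return 1
    fi
    users=$("$WBINFO" -u 2>/dev/null | wc -l | tr -d ' ')
    if [ "$users" -eq 0 ]; then
        echo nousers; return 1
    fi
    echo ok
}

# cooldown_elapsed NOW: succeed when at least COOLDOWN seconds have passed
# since the timestamp in STATE_FILE (missing or empty file = never restarted).
cooldown_elapsed() {
    last=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    last=${last:-0}
    [ $(( $1 - last )) -ge "$COOLDOWN" ]
}

# watchdog [NOW]: one cron pass. Returns 0 healthy, 1 restarted,
# 2 unhealthy but restart suppressed by the cooldown. NOW is a parameter
# only so the cooldown logic can be tested with fixed timestamps.
watchdog() {
    now=${1:-$(date +%s)}
    state=$(winbind_state) && return 0
    log "winbindd unhealthy: $state"
    if ! cooldown_elapsed "$now"; then
        log "restart suppressed: last restart less than ${COOLDOWN}s ago"
        return 2
    fi
    log "restarting with: $RESTART_CMD"
    $RESTART_CMD        # unquoted on purpose: split into command and arguments
    echo "$now" > "$STATE_FILE"
    return 1
}

# Cron entry point, e.g.  */5 * * * * root /usr/local/sbin/winbind-watchdog.sh run
if [ "${1:-}" = run ]; then
    watchdog
fi
```

With the syslog lines in place, `journalctl -t winbind-watchdog` gives the exact times winbindd went empty, which is what a bug report to the list or to Sernet needs alongside the `log.winbindd` entries from the same minute. The `-u` check only makes sense on a DC or on a member server with user enumeration enabled; where `winbind enum users = no` is set, `wbinfo -u` is empty by design and the second probe should be swapped for one that fits, such as `wbinfo -t`.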