Hi folks,

Every couple days any one of my project's 10 or so RHEL VMs can't be logged into with a domain account (active directory integration). Our admin goes in with a local account and restarts winbind to fix it.

I'd like to be more proactive and, say, create a cron job to detect a problem and then restart winbind.

Does anybody have a recipe for this? If not, do you have any suggestions as to how I can begin to figure out how to detect the problem?

Thanks,
Jamie

On Fri, 31 Aug 2018 21:03:39 -0400 Jamie Jackson via samba <samba at lists.samba.org> wrote:
> Hi folks,
>
> Every couple days any one of my project's 10 or so RHEL VMs can't be
> logged into with a domain account (active directory integration). Our
> admin goes in with a local account and restarts winbind to fix it.
>
> I'd like to be more proactive and, say, create a cron job to detect a
> problem and then restart winbind.
>
> Does anybody have a recipe for this? If not, do you have any
> suggestions as to how I can begin to figure out how to detect the
> problem?
>
> Thanks,
> Jamie

I would be more worried about why winbind crashes, it isn't normal.
What version of RHEL ?
What version of Samba ?
How are you running Samba and what is in smb.conf ?

Rowland

Hi Rowland,
Here's the info you asked for.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
$ smbcontrol --version
Version 4.7.1
smb.conf:
------------------------------
[global]
security = ADS
realm = REDACTED.WAN
encrypt passwords = true
workgroup = REDACTED
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-2999999999
template homedir = /home/%D/%U
template shell = /bin/bash
log level = 1
debug pid = true
max log size = 0
nt acl support = Yes
map acl inherit = Yes
client use spnego = Yes
preferred master = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## These came from http://www.howtoforge.com/samba_active_directory
# socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
# os level = 20
# dns proxy = no
# disable netbios = Yes
## Required by infosec to pass scan. Added 10-18-2011 GLS
guest account = nobody
restrict anonymous = 1
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
# max log size = 1024
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
------------------------------
I'm not sure how to answer your question as to how samba's being run, but here are a couple of things I thought of to try to figure it out:
$ ps -aux | grep '\(samba\|smb\|winbind\)'
root 12600 0.0 0.0 399284 2324 ? Ss Aug31 0:16 /usr/sbin/winbindd --foreground --no-process-group
root 12602 0.0 0.0 424328 5948 ? S Aug31 0:01 /usr/sbin/winbindd --foreground --no-process-group
root 12857 0.0 0.0 406020 964 ? S Aug31 0:03 /usr/sbin/winbindd --foreground --no-process-group
root 12858 0.0 0.0 399144 1416 ? S Aug31 0:00 /usr/sbin/winbindd --foreground --no-process-group
root 12859 0.0 0.0 399144 1504 ? S Aug31 0:00 /usr/sbin/winbindd --foreground --no-process-group
jamie.j+ 32589 0.0 0.0 112708 1004 pts/0 S+ 10:15 0:00 grep --color=auto \(samba\|smb\|winbind\)
$ service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-08-31 11:01:39 EDT; 23h ago
Main PID: 12600 (winbindd)
Status: "winbindd: ready to serve connections..."
Tasks: 5
Memory: 14.7M
CGroup: /system.slice/winbind.service
├─12600 /usr/sbin/winbindd --foreground --no-process-group
├─12602 /usr/sbin/winbindd --foreground --no-process-group
├─12857 /usr/sbin/winbindd --foreground --no-process-group
├─12858 /usr/sbin/winbindd --foreground --no-process-group
└─12859 /usr/sbin/winbindd --foreground --no-process-group
On Sat, Sep 1, 2018 at 3:15 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 31 Aug 2018 21:03:39 -0400
> Jamie Jackson via samba <samba at lists.samba.org> wrote:
>
> > Hi folks,
> >
> > Every couple days any one of my project's 10 or so RHEL VMs can't be
> > logged into with a domain account (active directory integration). Our
> > admin goes in with a local account and restarts winbind to fix it.
> >
> > I'd like to be more proactive and, say, create a cron job to detect a
> > problem and then restart winbind.
> >
> > Does anybody have a recipe for this? If not, do you have any
> > suggestions as to how I can begin to figure out how to detect the
> > problem?
> >
> > Thanks,
> > Jamie
>
> I would be more worried about why winbind crashes, it isn't normal.
> What version of RHEL ?
> What version of Samba ?
> How are you running Samba and what is in smb.conf ?
>
> Rowland
>

On 1/9/18 at 03:03, Jamie Jackson via samba wrote:
> Hi folks,
>
> Every couple days any one of my project's 10 or so RHEL VMs can't be logged
> into with a domain account (active directory integration). Our admin goes
> in with a local account and restarts winbind to fix it.
>
> I'd like to be more proactive and, say, create a cron job to detect a
> problem and then restart winbind.
>
> Does anybody have a recipe for this? If not, do you have any suggestions as
> to how I can begin to figure out how to detect the problem?

I run this cron job every minute. Winbind usually crashes once or twice a day.

#!/bin/bash
getent group | grep -q 513 && exit 0
echo "restarting winbind"
systemctl restart winbind

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007

On 2/9/18 at 01:03, Luca Olivetti via samba wrote:
> On 1/9/18 at 03:03, Jamie Jackson via samba wrote:
>> Hi folks,
>>
>> Every couple days any one of my project's 10 or so RHEL VMs can't be logged
>> into with a domain account (active directory integration). Our admin goes
>> in with a local account and restarts winbind to fix it.
>>
>> I'd like to be more proactive and, say, create a cron job to detect a
>> problem and then restart winbind.
>>
>> Does anybody have a recipe for this? If not, do you have any suggestions as
>> to how I can begin to figure out how to detect the problem?
>
> I run this cron job every minute. Winbind usually crashes once or twice
> a day
>
> #!/bin/bash
> getent group | grep -q 513 && exit 0
> echo "restarting winbind"
> systemctl restart winbind

I forgot to say that for this script to work you need

winbind enum users = yes
winbind enum groups = yes

in smb.conf and (I think) the backend must be ad with rfc2307 attributes in the schema.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007

On 09/01/2018 07:03 PM, Luca Olivetti via samba wrote:
> On 1/9/18 at 03:03, Jamie Jackson via samba wrote:
>> Hi folks,
>>
>> Every couple days any one of my project's 10 or so RHEL VMs can't be logged
>> into with a domain account (active directory integration). Our admin goes
>> in with a local account and restarts winbind to fix it.
>>
>> I'd like to be more proactive and, say, create a cron job to detect a
>> problem and then restart winbind.
>>
>> Does anybody have a recipe for this? If not, do you have any suggestions as
>> to how I can begin to figure out how to detect the problem?
>
> I run this cron job every minute. Winbind usually crashes once or twice
> a day
>
> #!/bin/bash
> getent group | grep -q 513 && exit 0
> echo "restarting winbind"
> systemctl restart winbind

If the failure is a full daemon crash and not some kind of internal failure, you can edit the service unit file (systemd) and add a restart mode

# systemctl edit winbind

[Service]
Restart=on-failure
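
A health check in the spirit of the two replies above (the cron watchdog, and the point that Restart=on-failure only covers a full daemon crash), as an added example that is not part of any poster's message. It probes winbindd with wbinfo rather than enumerating groups, so it does not depend on "winbind enum groups", and a time limit makes a hung daemon count as a failure. The 10-second limit, the syslog tag, the function names and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): winbind health check for cron.
# Assumes wbinfo, timeout, logger and systemctl are on PATH; the 10 s
# limit and the "winbind-watchdog" syslog tag are arbitrary choices.

CHECK_TIMEOUT=${CHECK_TIMEOUT:-10}

# Run one probe under a time limit so a hung winbindd counts as a failure.
probe() {
    timeout "$CHECK_TIMEOUT" "$@" >/dev/null 2>&1
}

# Print the first failing stage and return non-zero, or print "ok".
winbind_health() {
    # 1. Does the local winbindd answer at all?
    probe wbinfo -p || { echo "winbindd-unresponsive"; return 1; }
    # 2. Does winbindd have a working connection to a domain controller?
    probe wbinfo -P || { echo "dc-unreachable"; return 2; }
    # 3. Is the machine account secret still accepted by the domain?
    probe wbinfo -t || { echo "trust-secret-invalid"; return 3; }
    echo "ok"
}

log_event() {
    logger -t winbind-watchdog -- "$1"
}

restart_winbind() {
    systemctl restart winbind
}

# Log which stage failed before restarting, so recurring failures leave
# evidence for root-cause analysis instead of being silently papered over.
winbind_watchdog() {
    reason=$(winbind_health) && return 0
    log_event "check failed at stage: $reason; restarting winbind"
    restart_winbind
}

# Cron entry point (hypothetical path): /usr/local/sbin/winbind-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    winbind_watchdog
fi
```

The logged stage separates a hung or dead local daemon from a lost DC connection or a rejected machine account secret, which is the information needed to chase the underlying cause rather than only restarting.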

Hi Jamie Jackson,

this thread is very long and does not come up with an idea how to make winbindd work. So I will give you two hints (just my own experience):

1. Check that winbind resolves all groups and all group members. Failures happen if uidnumber/gidnumber is not set.
2. I assume you have more than one DC. Then compare the idmap.ldb. They differ in content over time. There are xid numbers stored. An xid can be a uidnumber, a gidnumber or both.

After this is done: "net cache flush" on all samba and/or winbindd machines or restart them.

> Hi folks,
>
> Every couple days any one of my project's 10 or so RHEL VMs can't be
> logged into with a domain account (active directory integration). Our
> admin goes in with a local account and restarts winbind to fix it.
>
> I'd like to be more proactive and, say, create a cron job to detect a
> problem and then restart winbind.
>
> Does anybody have a recipe for this? If not, do you have any
> suggestions as to how I can begin to figure out how to detect the
> problem?
>
> Thanks,
> Jamie

--
Regards
Harry Jede