Hi Rowland,
Here's the info you asked for.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
$ smbcontrol --version
Version 4.7.1
smb.conf:
------------------------------
[global]
security = ADS
realm = REDACTED.WAN
encrypt passwords = true
workgroup = REDACTED
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-2999999999
template homedir = /home/%D/%U
template shell = /bin/bash
log level = 1
debug pid = true
max log size = 0
nt acl support = Yes
map acl inherit = Yes
client use spnego = Yes
preferred master = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## These came from http://www.howtoforge.com/samba_active_directory
# socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
# os level = 20
# dns proxy = no
# disable netbios = Yes
## Required by infosec to pass scan. Added 10-18-2011 GLS
guest account = nobody
restrict anonymous = 1
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
# max log size = 1024
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
------------------------------
I'm not sure how to answer your question as to how samba's being run, but
here are a couple of things I thought of to try to figure it out:
$ ps -aux | grep '\(samba\|smb\|winbind\)'
root 12600 0.0 0.0 399284 2324 ? Ss Aug31 0:16 /usr/sbin/winbindd --foreground --no-process-group
root 12602 0.0 0.0 424328 5948 ? S Aug31 0:01 /usr/sbin/winbindd --foreground --no-process-group
root 12857 0.0 0.0 406020 964 ? S Aug31 0:03 /usr/sbin/winbindd --foreground --no-process-group
root 12858 0.0 0.0 399144 1416 ? S Aug31 0:00 /usr/sbin/winbindd --foreground --no-process-group
root 12859 0.0 0.0 399144 1504 ? S Aug31 0:00 /usr/sbin/winbindd --foreground --no-process-group
jamie.j+ 32589 0.0 0.0 112708 1004 pts/0 S+ 10:15 0:00 grep --color=auto \(samba\|smb\|winbind\)
$ service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-08-31 11:01:39 EDT; 23h ago
Main PID: 12600 (winbindd)
Status: "winbindd: ready to serve connections..."
Tasks: 5
Memory: 14.7M
CGroup: /system.slice/winbind.service
├─12600 /usr/sbin/winbindd --foreground --no-process-group
├─12602 /usr/sbin/winbindd --foreground --no-process-group
├─12857 /usr/sbin/winbindd --foreground --no-process-group
├─12858 /usr/sbin/winbindd --foreground --no-process-group
└─12859 /usr/sbin/winbindd --foreground --no-process-group
On Sat, Sep 1, 2018 at 3:15 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 31 Aug 2018 21:03:39 -0400
> Jamie Jackson via samba <samba at lists.samba.org> wrote:
>
> > Hi folks,
> >
> > Every couple days any one of my project's 10 or so RHEL VMs can't be
> > logged into with a domain account (active directory integration). Our
> > admin goes in with a local account and restarts winbind to fix it.
> >
> > I'd like to be more proactive and, say, create a cron job to detect a
> > problem and then restart winbind.
> >
> > Does anybody have a recipe for this? If not, do you have any
> > suggestions as to how I can begin to figure out how to detect the
> > problem?
> >
> > Thanks,
> > Jamie
>
> I would be more worried about why winbind crashes, it isn't normal.
> What version of RHEL ?
> What version of Samba ?
> How are you running Samba and what is in smb.conf ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
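Added example, not part of any message in this thread: a shell probe of the kind the original question asks for, which checks winbind in three stages and logs which stage failed before restarting the service. The probe account name, the overridable command variables and the logging and restart commands are assumptions; the unit name and the bare user name (valid because of `winbind use default domain = yes`) follow the output and smb.conf posted above.

```shell
#!/bin/sh
# Added example: winbind health probe meant to be run from root's crontab.
# Assumptions (not from the thread): PROBE_USER is a placeholder for a domain
# account known to exist; the other variables only allow overriding commands.
WBINFO=${WBINFO:-wbinfo}
GETENT=${GETENT:-getent}
PROBE_USER=${PROBE_USER:-probe.account}
PROBE_TIMEOUT=${PROBE_TIMEOUT:-15}
LOG_CMD=${LOG_CMD:-logger -t winbind-watchdog}
RESTART_CMD=${RESTART_CMD:-systemctl restart winbind}

# Run a command quietly with a time limit, so a hung winbindd cannot hang the
# probe itself. Falls back to no limit where timeout(1) is unavailable.
limited() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$PROBE_TIMEOUT" "$@" >/dev/null 2>&1
    else
        "$@" >/dev/null 2>&1
    fi
}

# Returns 0 healthy, 1 winbindd not answering, 2 machine trust secret check
# failed, 3 NSS cannot resolve a domain user.
winbind_health() {
    limited "$WBINFO" -p || return 1
    limited "$WBINFO" -t || return 2
    limited "$GETENT" passwd "$PROBE_USER" || return 3
}

health_reason() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "winbindd not responding to ping" ;;
        2) echo "trust secret check failed" ;;
        3) echo "NSS lookup of $PROBE_USER failed" ;;
        *) echo "unknown status $1" ;;
    esac
}

# Log which stage failed before restarting, so the evidence survives the restart.
watchdog() {
    rc=0
    winbind_health || rc=$?
    [ "$rc" -eq 0 ] && return 0
    $LOG_CMD "unhealthy: $(health_reason "$rc"); restarting winbind"
    $RESTART_CMD
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then watchdog; fi
```

Run from cron with `--run`; the logged reason shows whether the daemon itself, the machine trust or the NSS lookup was the stage that failed, which is the information needed to chase the underlying cause.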
On Sat, 1 Sep 2018 10:21:17 -0400
Jamie Jackson <jamiejaxon at gmail.com> wrote:

> Hi Rowland,
>
> Here's the info you asked for.
>
> $ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.5 (Maipo)
> $ smbcontrol --version
> Version 4.7.1
>
> smb.conf:
> ------------------------------
>
> [global]
> security = ADS
> realm = REDACTED.WAN
> encrypt passwords = true
> workgroup = REDACTED
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> idmap config * : backend = autorid
> idmap config * : range = 1000000-2999999999
> template homedir = /home/%D/%U
> template shell = /bin/bash
> log level = 1
> debug pid = true
> max log size = 0
> nt acl support = Yes
> map acl inherit = Yes
> client use spnego = Yes
> preferred master = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> ## These came from http://www.howtoforge.com/samba_active_directory
> # socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> # os level = 20
> # dns proxy = no
> # disable netbios = Yes
> ## Required by infosec to pass scan. Added 10-18-2011 GLS
> guest account = nobody
> restrict anonymous = 1
>
> #### Debugging/Accounting ####
>
> # This tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
> # max log size = 1024
>
> # We want Samba to log a minimum amount of information to syslog. Everything
> # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
> # through syslog you should set the following parameter to something higher.
> syslog = 0
>
> # Do something sensible when Samba crashes: mail the admin a backtrace
> panic action = /usr/share/samba/panic-action %d
> ------------------------------
>

Is there some reason for using the autorid backend ?
Most people use the 'ad' or 'rid' backend.
Are you also using sssd ?

You are running Samba as a Unix domain member, so I expect your machine
is joined to the domain.

Rowland
I'm not a sysadmin (so I don't have domain admin skills), I'm just coming
at this as a user of these (flaky) hosts, but I'll try to answer the
questions.
If autorid is an odd/problematic setting, I can pass that info on to the
sysadmins. I looked at
https://lists.samba.org/archive/samba/2015-May/191544.html (since I don't
really know the difference between these settings), but I don't know how
many back-end AD servers there are. BTW, *is* the autorid setting
potentially problematic?
I'm also not sure how to know if sssd is in use or not, so these are the
things I thought to try:
$ systemctl -a | grep '\(smb\|samba\|sssd\|winbind\)'
winbind.service loaded active running Samba Winbind Daemon
$ sssd --help
-bash: sssd: command not found
$ sudo find / -xdev -name 'sssd.conf'
$
On Sat, Sep 1, 2018 at 11:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 1 Sep 2018 10:21:17 -0400
> Jamie Jackson <jamiejaxon at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Here's the info you asked for.
> >
> > $ cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 7.5 (Maipo)
> > $ smbcontrol --version
> > Version 4.7.1
> >
> > smb.conf:
> > ------------------------------
> >
> > [global]
> > security = ADS
> > realm = REDACTED.WAN
> > encrypt passwords = true
> > workgroup = REDACTED
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nested groups = yes
> > winbind use default domain = yes
> > winbind refresh tickets = yes
> > idmap config * : backend = autorid
> > idmap config * : range = 1000000-2999999999
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > log level = 1
> > debug pid = true
> > max log size = 0
> > nt acl support = Yes
> > map acl inherit = Yes
> > client use spnego = Yes
> > preferred master = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > ## These came from http://www.howtoforge.com/samba_active_directory
> > # socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > # os level = 20
> > # dns proxy = no
> > # disable netbios = Yes
> > ## Required by infosec to pass scan. Added 10-18-2011 GLS
> > guest account = nobody
> > restrict anonymous = 1
> >
> > #### Debugging/Accounting ####
> >
> > # This tells Samba to use a separate log file for each machine
> > # that connects
> > log file = /var/log/samba/log.%m
> >
> > # Put a capping on the size of the log files (in Kb).
> > # max log size = 1024
> >
> > # We want Samba to log a minimum amount of information to syslog. Everything
> > # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
> > # through syslog you should set the following parameter to something higher.
> > syslog = 0
> >
> > # Do something sensible when Samba crashes: mail the admin a backtrace
> > panic action = /usr/share/samba/panic-action %d
> > ------------------------------
> >
>
> Is there some reason for using the autorid backend ?
> Most people use the 'ad' or 'rid' backend.
> Are you also using sssd ?
>
> You are running Samba as a Unix domain member, so I expect your machine
> is joined to the domain.
>
> Rowland