Rowland Penny
2019-Feb-11 14:03 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Mon, 11 Feb 2019 14:47:01 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Sorry. Still on this issue.
>
> Today I'm upgrading my DC (with latest 4.5 from louis repo). Note that
> I've 7 DC in total.
>
> In site 'PP' I've upgraded samba, then rebooted the container. reboot
> on 'vdcpp2' happen on:
>
> Feb 11 13:59:52 vdcpp2 shutdown[33452]: shutting down for system reboot
>
> at '14:00:30' bind, ntp and (I suppose) samba was started.
>
> After that, I've upgraded and rebooted the second DC in that site
> (really, the first ;):
>
> Feb 11 14:03:09 vdcpp1 shutdown[26601]: shutting down for system reboot
>
> again, for 14:04:00 was up&running.
>
> But the mail server refuse to deliver messages, fortunately all admin
> messages to an admin users (was loop: messages undeliverability
> errors, email go to postmaster, so to admin, so error, ...).
>
> 2019-02-11 14:02:34 1gtBEG-0006lw-Qm ** admin123 at fvg.lnf.it F=<root at pp.lnf.it>: Unrouteable address
> 2019-02-11 14:02:35 1gtBEI-0006nz-CH ** admin123 at fvg.lnf.it F=<root at sv.lnf.it>: Unrouteable address
> 2019-02-11 14:02:38 1gtBEL-0006pl-P3 ** admin123 at fvg.lnf.it F=<>: Unrouteable address
> [...]
> 2019-02-11 14:05:18 1gtBGv-0007IA-QR ** admin123 at fvg.lnf.it F=<>: Unrouteable address
> 2019-02-11 14:05:18 1gtBGv-0007I9-Sf ** admin123 at fvg.lnf.it F=<>: Unrouteable address
>
> So again seems to me that, even if there was at least a DC on the site
> active (and, indeed there's other 5 DCs offsite!)
> stopping/disconnecting the dc ''make users disappearing'' from at
> least exim.
>
> I need to setup a testbed...

It sounds to me that 'exim' is using LDAP for its lookups and is NOT using any cache (winbind or otherwise). So when the LDAP source goes away, so do your users.

Rowland
Marco Gaiarin
2019-Feb-11 14:28 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hello! Rowland Penny via samba
  On that day it was said...

> It sounds to me that 'exim' is using LDAP for its lookups and is NOT
> using any cache (winbind or otherwise). So when the LDAP source goes
> away, so do your users.

No, Rowland; because:

a) could be for 'aesthetic aliases' (marco.gaiarin@ that is the same as gaio@), but this is not the case.

b) still I put at least TWO DC in ldap calls:

    ldap_default_servers = vdcpp2.ad.fvg.lnf.it::3268:vdcpp1.ad.fvg.lnf.it::3268

;-)

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2019-Feb-11 15:02 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Mon, 11 Feb 2019 15:28:57 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > It sounds to me that 'exim' is using LDAP for its lookups and is NOT
> > using any cache (winbind or otherwise). So when the LDAP source goes
> > away, so do your users.
>
> No, Rowland; because:
>
> a) could be for 'aesthetic aliases' (marco.gaiarin@ that is the same
> as gaio@), but this is not the case.
>
> b) still I put at least TWO DC in ldap calls:
>
>     ldap_default_servers = vdcpp2.ad.fvg.lnf.it::3268:vdcpp1.ad.fvg.lnf.it::3268
>
> ;-)

That actually proves my point, exim is doing ldap lookups (note you do not really need the port number, all Samba DCs are global catalogues).

I also take it that each DC is using itself as its nameserver.

I think this is what is happening: The DC is stopped, so the first nameserver isn't there any more. Exim tries searching using the ldap lookup but cannot find the first ldap server, after this times out, it tries to ask the dns server for the second ldap server and this eventually times out, so it gives up.

Try changing the names in the 'ldap_default_servers' to IP addresses.

Rowland
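
One way to test the name-resolution explanation from the last reply, as an added example that is not from the thread, Exim or Samba: it splits the `ldap_default_servers` value quoted above (Exim writes a colon inside a list item doubled), marks entries that depend on DNS, and times resolution and TCP connect separately. The function names, the 3-second connect timeout and the fallback port 389 are assumptions of this sketch.

```python
import ipaddress
import socket
import time
# Value quoted in the thread. A colon inside an Exim list item is doubled.
LDAP_DEFAULT_SERVERS = "vdcpp2.ad.fvg.lnf.it::3268:vdcpp1.ad.fvg.lnf.it::3268"

def split_exim_list(value):
    """Split a colon-separated Exim list, turning '::' into a literal ':'."""
    items, cur, i = [], "", 0
    while i < len(value):
        if value.startswith("::", i):
            cur, i = cur + ":", i + 2
        elif value[i] == ":":
            items.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    return [item.strip() for item in items + [cur] if item.strip()]

def parse_server(item, default_port=389):
    """Return (host, port); port 389 when none is given (assumed default)."""
    host, sep, port = item.rpartition(":")
    return (host, int(port)) if sep else (item, default_port)

def needs_dns(host):
    """True when the entry is a name, so every lookup depends on a resolver."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True

def probe(host, port, timeout=3.0):
    """Time name resolution and TCP connect separately for one server."""
    out = {"server": f"{host}:{port}", "needs_dns": needs_dns(host)}
    try:
        start = time.monotonic()
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        out["resolve_s"] = round(time.monotonic() - start, 3)
        start = time.monotonic()
        socket.create_connection(addr[:2], timeout=timeout).close()
        out["connect_s"] = round(time.monotonic() - start, 3)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        out["error"] = f"{type(exc).__name__}: {exc}"
    return out

if __name__ == "__main__":
    for entry in split_exim_list(LDAP_DEFAULT_SERVERS):
        print(probe(*parse_server(entry)))
```

Run on the mail server while the first nameserver is stopped, a large `resolve_s` or a resolver error on the name entries, against no resolver delay for IP-literal entries, would support listing IP addresses in `ldap_default_servers`.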