Hi,

I am running samba/winbind 4.2.14 on Debian 8 which is joined to an Active Directory and would like to know if you have any idea about my issue. In my case, ntlm authentication is enabled in squid (proxy).

Here is the problem that I am facing:

"wbinfo -t" sometimes takes more than 30 seconds to display the result. For some reason, the server loses its connection to the domain controller.

I found the following lines in /var/log/samba/log.wb-MY:

[2019/02/13 15:02:19.850547, 0] ../source3/winbindd/winbindd_cm.c:918(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for my.domain
[2019/02/13 15:03:09.928405, 0] ../source3/lib/util_tdb.c:493(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key my.domain in tdb /var/run/samba/mutex.tdb
[2019/02/13 15:03:09.928477, 0] ../source3/winbindd/winbindd_cm.c:918(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for my.domain

What happens when /var/run/samba/mutex.tdb is locked with a timeout? Does this mean that user authentication stops working and that winbind is unable to communicate with the DC?

Thanks,

Michel

On Thu, 14 Feb 2019 09:15:54 +0100 LOKO MESO Michel via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am running samba/winbind 4.2.14 on Debian 8 which is joined to an Active Directory and would like to know if you have any idea about my issue. In my case, ntlm authentication is enabled in squid (proxy).
>
> Here is the problem that I am facing:
>
> "wbinfo -t" sometimes takes more than 30 seconds to display the result. For some reason, the server loses its connection to the domain controller.
>
> I found the following lines in /var/log/samba/log.wb-MY:
>
> [2019/02/13 15:02:19.850547, 0] ../source3/winbindd/winbindd_cm.c:918(cm_prepare_connection)
>   cm_prepare_connection: mutex grab failed for my.domain
> [2019/02/13 15:03:09.928405, 0] ../source3/lib/util_tdb.c:493(tdb_chainlock_with_timeout_internal)
>   tdb_chainlock_with_timeout_internal: alarm (40) timed out for key my.domain in tdb /var/run/samba/mutex.tdb
> [2019/02/13 15:03:09.928477, 0] ../source3/winbindd/winbindd_cm.c:918(cm_prepare_connection)
>   cm_prepare_connection: mutex grab failed for my.domain
>
> What happens when /var/run/samba/mutex.tdb is locked with a timeout? Does this mean that user authentication stops working and that winbind is unable to communicate with the DC?
>
> Thanks,
>
> Michel

Please post your smb.conf

Rowland

On Thu, 14 Feb 2019 12:04:06 +0100 LOKO MESO Michel <mmeso at olfeo.com> wrote:

> Here is my smb.conf:
>
> [global]
>     workgroup = MY
>     netbios name = sd01
>     realm = my.domain
>     server string = Olfeo Samba Server
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     security = ADS
>     encrypt passwords = yes
> ;   smb passwd file = /etc/samba/smbpasswd
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     local master = no
>     os level = 17
>     preferred master = no
>     domain logons = no
>     dns proxy = no
>     idmap config * : backend = ad
>     idmap config * : range = 1000-999999
>     template shell = /bin/false
>     winbind use default domain = yes
>     machine password timeout = 0
>
>     winbind max clients = 1000
>     winbindd privileged socket directory = /var/run/samba/winbindd_privileged/
>     winbind max domain connections = 5

Your 'idmap config' lines are incorrect, you shouldn't be using the 'ad' backend for the default (*) domain. I also wouldn't use the '1000-999999' range at all, you cannot have any local Unix users, what happens if Samba fails and you need to login locally?

You do not have lines for the 'MY' domain.

Have you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

On Thu, 14 Feb 2019 13:36:43 +0100 LOKO MESO Michel <mmeso at olfeo.com> wrote:

> In my case samba is not a domain controller and the server is joined to an Active Directory.
> Users don't need to login locally.
>
> Are the 'idmap config' not useful with an Active Directory?

Quite the contrary, they are mandatory, just because your users don't login locally, doesn't mean smb.conf doesn't need to be set up correctly. You are running Samba as a Unix domain member, so it needs setting up as one, read the wikipage I pointed you at and then change your smb.conf.

If you do not understand something, ask.

Rowland
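
The three problems named in the reply about the posted idmap settings can be checked mechanically. The following is an added example, not part of the thread and not Samba code: the function names, the REVISED sample with its backends and ranges, and 1000 as the first local UID (the Debian default) are assumptions.

```python
import re

# Constructed input: the idmap-related lines of the smb.conf posted in the thread.
POSTED = """[global]
workgroup = MY
idmap config * : backend = ad
idmap config * : range = 1000-999999
"""
# Constructed contrast case: backends and ranges are assumptions, not from the thread.
REVISED = """[global]
workgroup = MY
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MY : backend = rid
idmap config MY : range = 10000-999999
"""
IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(.+)")

def parse_global(text):
    """Split [global] into plain parameters and per-domain idmap options."""
    params, idmap, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())  # normalise case and spacing of the name
            m = IDMAP_KEY.fullmatch(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
            else:
                params[key] = value
    return params, idmap

def check_idmap(text, first_local_uid=1000):
    """Return one finding per problem named in the reply (empty list if none)."""
    params, idmap = parse_global(text)
    default, findings = idmap.get("*", {}), []
    if default.get("backend", "").lower() == "ad":
        findings.append("default (*) domain uses the 'ad' backend")
    for domain, opts in idmap.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) <= first_local_uid <= int(m.group(2)):
            findings.append(f"range for {domain} covers local UID {first_local_uid}")
    workgroup = params.get("workgroup", "").upper()
    if workgroup and workgroup not in idmap:
        findings.append(f"no idmap config lines for domain {workgroup}")
    return findings
```

Calling check_idmap(POSTED) returns three findings, one per point in the reply; check_idmap(REVISED) returns an empty list.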