samba - May 2020 - NEG_CONN_CACHE questions

On Wednesday, 27 May 2020 16:21:31 PDT Jeremy Allison
wrote:
> On Wed, May 27, 2020 at 12:54:49PM -0700, Alexey A Nikitin via samba wrote:
> > 3. Are the rules for how a DC gets put into NEG_CONN_CACHE documented
anywhere besides the code itself, or wading through the code is my only option
of getting to know the criteria?
> 
> Only in the code I think, added in:
> 
> add_failed_connection_entry()
> 
> Can be cleared by:
> 
> flush_negative_conn_cache_for_domain(), which is triggered
> by winbindd getting a request to go online.
> 
But if winbind is configured with 'winbind offline logon = No' then,
from what I understand, winbindd will never get that request, except for maybe
on restart, no?

Related question - it seems that when I have 'winbind max domain
connections' set to a value above '1' Winbind attempts to open a new
connection for incoming authentication requests, judging from the fact that it
keeps trying to do DC location (but fails, because both candidate DCs are stuck
in NEG_CONN_CACHE for some reason, even if they're answering request from,
e.g., adcli). There is already an RPC pipe (ESTAB connection to port 49159 on
DC), but Winbind seems to insist on opening a new connection and doesn't
reuse existing. Am I misinterpreting something? I thought Winbind is supposed to
open a new connection only when existing one is busy with some request?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200528/438c4f2f/signature.sig>

On Thu, May 28, 2020 at 01:11:26PM -0700, Alexey A Nikitin
wrote:
> On Wednesday, 27 May 2020 16:21:31 PDT Jeremy Allison wrote:
> > On Wed, May 27, 2020 at 12:54:49PM -0700, Alexey A Nikitin via samba
wrote:
> > > 3. Are the rules for how a DC gets put into NEG_CONN_CACHE
documented anywhere besides the code itself, or wading through the code is my
only option of getting to know the criteria?
> > 
> > Only in the code I think, added in:
> > 
> > add_failed_connection_entry()
> > 
> > Can be cleared by:
> > 
> > flush_negative_conn_cache_for_domain(), which is triggered
> > by winbindd getting a request to go online.
> > 
> 
> But if winbind is configured with 'winbind offline logon = No'
> then, from what I understand, winbindd will never get that request, except
for maybe on restart, no?
Yes, but the TTL is set at 60 seconds, so it should
be removed 60 seconds after being added anyway.
> Related question - it seems that when I have 'winbind max domain
connections' set to a
> value above '1' Winbind attempts to open a new connection for
incoming authentication
> requests, judging from the fact that it keeps trying to do DC location (but
fails,
> because both candidate DCs are stuck in NEG_CONN_CACHE for some reason,
even if they're
> answering request from, e.g., adcli).
You should try to find out the request that caused them to
get put into the NEG_CONN_CACHE. In winbindd, look at the
calls to winbind_add_failed_connection_entry() - there are
several reasons that this might get called.
> There is already an RPC pipe (ESTAB connection to port 49159 on DC), but
> Winbind seems to insist on opening a new connection and doesn't reuse
existing.
> Am I misinterpreting something? I thought Winbind is supposed to open a new
connection only when existing one is busy with some request?
'winbind max domain connections' causes the
parent winbindd to chose the winbindd child
with the shortest queue to talk to.

Then it sends an async tevent_req request
to that child. I don't think it's opening
a new connection to the DC.

Add DBG_ERR() (log level 0) statements into the places
you are suspicious of and try and follow the
control flow.

What I could gather from the code, the conditions to add DC to NEG_CONN_CACHE:
  * Winbind was connected to DC, but during SAMlogon DC did not respond after
three attempts
  * Winbind failed to establish SMB connection to DC (port 445, marked as
microsoft-ds in 'ss -roestu' output)
  * Winbind failed to find out the DC server name, from the looks of it - using
LDAP query to map IP to name
  * Winbind did not get a response to CLDAP NetLogon ping during DC location
  * Winbind failed to resolve DC IP with DNS

On Thursday, 28 May 2020 13:50:23 PDT Jeremy Allison
wrote:
> 'winbind max domain connections' causes the
> parent winbindd to chose the winbindd child
> with the shortest queue to talk to.
> 
> Then it sends an async tevent_req request
> to that child. I don't think it's opening
> a new connection to the DC.
> 
So what I can typically see is that there are only two active connections to DC,
one on port 445 (microsoft-ds) and one on port, say, 49159 (one of the ports
used for RPC calls for LSA/SAMR/NetLogon, from what I could find in
documentation). When I do 'wbinfo --ping-dc' it succeeds, so my
understanding is that's CLDAP NetLogon ping succeeding, meaning DC is alive
and well. But then Winbind doesn't reuse the existing connection, based on
the logs it seems to be trying to perform DC location for a new connection, and
fails. If I understand correctly, Winbind would be doing that only if, say,
there is some request to DC on the first connection that's blocking the
queue. Is that correct?

If the above is correct, then my understanding is in theory force removing
NEG_CONN_CACHE entries may help, but if the issue is not with DC being
unresponsive but with getting DC name or resolving DC IP then it will be
re-added to NEG_CONN_CACHE right away anyway during DC location if I allow
multiple connections to DC. If I have only one connection to DC then the auth
request will be blocked by whatever other queries are in the queue of that
single connection, but if that query is fast enough auth request may come
through quickly enough as well. Is that correct?

Now if I have 'winbind offline logon' enabled, then while I'm
limited to single connection, Winbind should not attempt to go through DC
location or anything else like that, so while the single connection may get
blocked by some query in the queue, eventually the auth request should go
through, even if DC is not available and Winbind cannot locate any, so long as
Winbind cache has the creds to authenticate the user. Is that correct?

Now, in another email I saw Andrew Bartlett saying that "offline login is
only for local plaintext logins, we don't do NTLM challenge-response against
the offline store." I have following in my pam_winbind.conf:
cached_login = yes
krb5_ccache_type = FILE
krb5_auth = yes
Does using krb5_auth mean 'winbind offline logon' would be useless to me
as way to mitigate various temporary hickups in the DNS/networking?

If 'winbind offline logon' would not be useless with krb5_auth, then how
long credentials cache is supposed to live, is there any way to control that
TTL? I cannot find any information on that so far.

I've also ran into an issue where attempting to log in with 'winbind
offline logon' enabled while there is nothing cached (after net cache flush)
and domain-specific DNS servers are temporarily unavailable then Winbind
(v4.9.1) afterwards keeps failing auth easily for more than ten-fifteen minutes
even after DNS is fixed, even after machine restart, and so far have been unable
to figure out how to get Winbind out of that state, besides just letting it sit
there undisturbed for some time.

> Add DBG_ERR() (log level 0) statements into the places
> you are suspicious of and try and follow the
> control flow.
> 
Unfortunately, running a custom build of Samba is not an option for me :-(
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200528/d81559f8/signature.sig>