Christian
2025-Aug-25 22:41 UTC
[Samba] winbind connection lost on AD member servers after upgrading from debian bookworm (4.17.12) to trixie (4.22.3)
Dear all,

we have an all samba AD with 3 samba DCs on debian, a few member servers and a mixed bag of domain-joined machines.

I recently started the update from debian bookworm (4.17.12) to trixie (4.22.3). Things seemed to play out smoothly first, I updated a couple of member servers. They are all domain joined, smb.conf info below. *I think* that after I updated one of the three DCs from 4.17.12 to 4.22.3, issues started to appear on those member servers that had also received the update to 4.22.3. The issue is that at first, after I start winbind on the member server, wbinfo -u shows what I expect. After waiting for some time, the output is empty, and I can obviously no longer use any of the domain accounts. A message that I found in the debug log says

Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.571616, 3, traceid=461] source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
Aug 26 00:00:42 log winbindd[1227816]: winbindd_interface_version: [wbinfo (1274102)]: request interface version (version = 33)
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.572666, 3, traceid=462] source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
Aug 26 00:00:42 log winbindd[1227816]: winbindd_interface_version: [wbinfo (1274102)]: request interface version (version = 33)
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.573140, 3, traceid=463] source3/winbindd/winbindd_misc.c:342(winbindd_info)
Aug 26 00:00:42 log winbindd[1227816]: winbindd_info: [wbinfo (1274102)]: request misc info
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.573599, 3, traceid=464] source3/winbindd/winbindd_misc.c:380(winbindd_netbios_name)
Aug 26 00:00:42 log winbindd[1227816]: winbindd_netbios_name: [wbinfo (1274102)]: request netbios name
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574028, 3, traceid=465] source3/winbindd/winbindd_misc.c:368(winbindd_domain_name)
Aug 26 00:00:42 log winbindd[1227816]: winbindd_domain_name: [wbinfo (1274102)]: request domain name
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574275, 3, traceid=466] source3/winbindd/winbindd.c:495(process_request_send)
Aug 26 00:00:42 log winbindd[1227816]: process_request_send: [wbinfo (1274102)] Handling async request: DOMAIN_INFO
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574331, 3, traceid=466] source3/winbindd/winbindd_domain_info.c:49(winbindd_domain_info_send)
Aug 26 00:00:42 log winbindd[1227816]: [1274102]: domain_info [WG]
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574366, 3, traceid=466] source3/winbindd/winbindd.c:562(process_request_done)
Aug 26 00:00:42 log winbindd[1227816]: process_request_done: [wbinfo(1274102):DOMAIN_INFO]: NT_STATUS_OK
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574823, 3, traceid=467] source3/winbindd/winbindd.c:495(process_request_send)
Aug 26 00:00:42 log winbindd[1227816]: process_request_send: [wbinfo (1274102)] Handling async request: LIST_USERS
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574868, 3, traceid=467] source3/winbindd/winbindd_list_users.c:55(winbindd_list_users_send)
Aug 26 00:00:42 log winbindd[1227816]: [wbinfo (1274102)] Winbind external command LIST_USERS start.
Aug 26 00:00:42 log winbindd[1227816]: WBFLAG_FROM_NSS is Unset, winbind enum users is 0.
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574904, 3, traceid=467] source3/winbindd/winbindd_list_users.c:70(winbindd_list_users_send)
Aug 26 00:00:42 log winbindd[1227816]: Listing users for domain WG
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.575494, 3, traceid=467] source3/winbindd/winbindd_ads.c:295(query_user_list)
Aug 26 00:00:42 log winbindd[1227827]: ads: query_user_list
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.575657, 1, traceid=467] source3/libads/ldap_utils.c:107(ads_do_search_retry_internal)
Aug 26 00:00:42 log winbindd[1227827]: Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.617557, 1, traceid=467] source3/libads/ldap_utils.c:144(ads_do_search_retry_internal)
Aug 26 00:00:42 log winbindd[1227827]: ads_do_search_retry_internal: Reconnect ads connection as WG\LOG$ to realm 'DOMAINNAME' failed: No logon servers are currently available to service the logon r>
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.617658, 1, traceid=467] source3/winbindd/winbindd_ads.c:311(query_user_list)
Aug 26 00:00:42 log winbindd[1227827]: query_user_list ads_search: No logon servers are currently available to service the logon request.

(note the line where it says no logon servers are currently available to service the logon request). However, all DCs are up, and I can perform an ldapsearch on them without any issues. Only restarting winbind on those member servers will make domain users work again. Domain joined machines still on 4.17.12 do not see this issue. Another surprising thing is that domain joined machines on 4.22.3 did not immediately start to see this issue, but only after one of the DCs had been updated to 4.22.3 AND winbind had been restarted on that particular member server (I am not 100% certain of that, though).

Can anybody help me figure this out, please? The smb.conf info is below...

Thanks and best wishes,

Christian

# smb.conf on member server
[global]
    interfaces = lo br0
    bind interfaces only = Yes
    realm = DOMAINNAME
    workgroup = WG
    hosts allow = X.X.X.X/24 Y.Y.Y.Y/25
    wins server = Z.Z.Z.Z
    logging = systemd
    log level = 1 winbind:3
    security = ADS
    server role = member server
    load printers = No
    registry shares = Yes
    # Tried this, but it did not appear to make a difference
    client netlogon ping protocol = LDAP
    kerberos method = system keytab
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000 - 7999
    idmap config WG:backend = ad
    idmap config WG:schema_mode = rfc2307
    idmap config WG:range = 10000 - 999999
    idmap config WG:unix_nss_info = Yes
    idmap config WG:unix_primary_group = Yes
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

# smb.conf on DC
[global]
    bind interfaces only = Yes
    interfaces = lo br0 br1
    netbios name = DC1
    realm = DOMAINNAME
    server role = active directory domain controller
    workgroup = WG
    idmap_ldb:use rfc2307 = yes
    winbind expand groups = 2
    wins support = yes
    template shell = /bin/bash
    template homedir = /some_dir/user/%U
    winbind enum users = yes
    winbind enum groups = yes
    allow dns updates = disabled
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 168
    dns forwarder = some_ips

[netlogon]
    path = /var/lib/samba/sysvol/domainname/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[dfs]
    msdfs root = Yes
    msdfs proxy = \dc1.domainname\dfsroot

[dfsroot]
    path = /srv/msdfs
    read only = Yes
    msdfs root = Yes
    browseable = No
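Added example (not part of the original post, and not Samba project code): a small Python parser for the journal output quoted above. It pairs each Samba debug header with the message line that follows it, per winbindd PID, and reports which trace IDs hit the "No logon servers" error. The sample lines are abridged from the log in the post; the names parse and failed_requests are hypothetical.

```python
import re

# journald prefix, e.g. "Aug 26 00:00:42 log winbindd[1227827]: <body>"
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ winbindd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Samba debug header: "[<timestamp>, <level>, traceid=<n>] <file>:<line>(<function>)"
HEADER = re.compile(r"\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+),\s*traceid=(?P<trace>\d+)\]"
                    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
FAILURE = "No logon servers are currently available"

def parse(lines):
    """Pair each debug header with the message lines that follow it, per PID."""
    records, current = [], {}
    for raw in lines:
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        h = HEADER.search(m["body"])
        if h:  # a header opens a new record for this winbindd process
            current[m["pid"]] = {"pid": int(m["pid"]), "trace": int(h["trace"]),
                                 "level": int(h["level"]), "func": h["func"], "msg": ""}
            records.append(current[m["pid"]])
        elif m["pid"] in current:  # message text belongs to that PID's last header
            rec = current[m["pid"]]
            rec["msg"] = (rec["msg"] + " " + m["body"]).strip()
    return records

def failed_requests(records):
    """Map traceid -> [(pid, function)] for records carrying the DC-unavailable error."""
    hits = {}
    for r in records:
        if FAILURE in r["msg"]:
            hits.setdefault(r["trace"], []).append((r["pid"], r["func"]))
    return hits

# Sample input: lines abridged from the log in the post above.
SAMPLE = r"""
Aug 26 00:00:42 log winbindd[1227816]: [2025/08/26 00:00:42.574366, 3, traceid=466] source3/winbindd/winbindd.c:562(process_request_done)
Aug 26 00:00:42 log winbindd[1227816]: process_request_done: [wbinfo(1274102):DOMAIN_INFO]: NT_STATUS_OK
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.575657, 1, traceid=467] source3/libads/ldap_utils.c:107(ads_do_search_retry_internal)
Aug 26 00:00:42 log winbindd[1227827]: Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.617557, 1, traceid=467] source3/libads/ldap_utils.c:144(ads_do_search_retry_internal)
Aug 26 00:00:42 log winbindd[1227827]: ads_do_search_retry_internal: Reconnect ads connection as WG\LOG$ to realm 'DOMAINNAME' failed: No logon servers are currently available to service the logon r>
Aug 26 00:00:42 log winbindd[1227827]: [2025/08/26 00:00:42.617658, 1, traceid=467] source3/winbindd/winbindd_ads.c:311(query_user_list)
Aug 26 00:00:42 log winbindd[1227827]: query_user_list ads_search: No logon servers are currently available to service the logon request.
""".strip().splitlines()

if __name__ == "__main__":
    for trace, where in failed_requests(parse(SAMPLE)).items():
        print(f"traceid={trace}: {where}")
```

Fed the output of journalctl for the winbind unit, the same two functions show whether the failures always come from the same winbindd child process and which request triggered them.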
Matt Savin
2025-Aug-25 23:24 UTC
[Samba] winbind connection lost on AD member servers after upgrading from debian bookworm (4.17.12) to trixie (4.22.3)
Hello,

Observed the same behavior after upgrading to Fedora 42 with a comparable smb.conf. Clearing the cache and rejoining the domain did not resolve the issue.

Workaround: configured a cron job to restart winbind every hour.

A system using sssd does not exhibit this problem. Domain controllers are running Windows Server 2019.

Best regards,
Matt

On Mon, Aug 25, 2025 at 6:41 PM Christian via samba <samba at lists.samba.org> wrote:
> Dear all,
>
> we have an all samba AD with 3 samba DCs on debian, a few member servers
> and a mixed bag of domain-joined machines.
>
> I recently started the update from debian bookworm (4.17.12) to trixie
> (4.22.3). Things seemed to play out smoothly first, I updated a couple
> of member servers. They are all domain joined, smb.conf info below. *I
> think* that after I updated one of the three DCs from 4.17.12 to 4.22.3,
> issues started to appear on those member servers that had also received
> the update to 4.22.3. The issue is that at first, after I start winbind
> on the member server, wbinfo -u shows what I expect. After waiting for
> some time, the output is empty, and I can obviously no longer use any of
> the domain accounts.