[Samba] Samba 3.0.31 stills fails to read and write to socket.

2008-08-01 Thread Jose Santiago Oyervides
Hi,
I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve the
winbind issue previously reported (Bug# 5551) but the issue is still
happening in my servers.

I have an ftp server (vsftpd), configured to use pam_winbind with krb5_auth
and I see some random disconnects and my users can't login. My samba servers
are members of a Windows 2003 domain.

The relevant lines on my log.wb-OTHERDOMAIN are saying that the write to the
socket failed because the connection was reset by peer. This happened also
on 3.0.28; I was hoping that 3.0.31 would fix this issue.

I'm including my configuration and my log files. This happens only when
pam_winbind authenticates users of other domains. Sometimes it gets fixed
by itself, because in my krb5.conf I have configured several domain controllers
for the other domains and it changes the connections to the next server, but
sometimes it gets stuck with one failed server and all my users can't login
for a while.

Regards,
Jose Santiago Oyervides.

This is my setup:
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
security = ADS
password server = 10.X.X.1 10.X.X.2 10.X.X.3
encrypt passwords = Yes
wins server = 10.X.Y.1 10.X.Y.2
local master = no
domain master = no
preferred master = no
log level =10 passdb:10 auth:10 winbind:10 idmap:10 smb:10 acls:10
log file = /var/log/samba/%m.log
max log size = 1000
idmap uid = 1-6
idmap gid = 1-6
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = true
realm = MYDOMAIN.FORREST.COM
winbind use default domain = Yes
interfaces = 127.0.0.1/255.0.0.0 10.X.X.30/255.255.240.0
template shell = /bin/bash
username map = /etc/samba/smbusers
template homedir = /home/users/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
name resolve order = lmhosts wins bcast
bind interfaces only = yes
load printers = No
dns proxy = No
hosts allow = 10. 127.
hosts deny = 0.0.0.0/0
smb ports = 139

My /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 kdc = SYSLOG:INFO:DAEMON
 default = SYSLOG:INFO:DAEMON
 admin_server = SYSLOG:INFO:DAEMON
[libdefaults]
 default_realm = MYDOMAIN.FORREST.COM
 dns_lookup_realm = none
 dns_lookup_kdc = none
 ticket_lifetime = 24h
 forwardable = yes
[realms]
FORREST.COM = {
   kdc=SERVER1.FORREST.COM
   kdc=SERVER2.FORREST.COM
}
MYDOMAIN.FORREST.COM=  {
   kdc=SERVER1.MYDOMAIN.FORREST.COM
   kdc=SERVER2.MYDOMAIN.FORREST.COM
}
OTHERDOMAIN.FORREST.COM = {
  kdc=SERVER1.OTHERDOMAIN.FORREST.COM
  kdc=SERVER1.OTHERDOMAIN.FORREST.COM
}

[domain_realm]
.mydomain.forrest.com = MYDOMAIN.FORREST.COM
.otherdomain.forrest.com = OTHERDOMAIN.FORREST.COM

/etc/nsswitch.conf
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files wins dns winbind


These are the lines that I see in log.wb-ANOTERDOMAIN:


[2008/07/31 10:03:35, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 31 Jul 2008 20:03:28 CDT
[2008/07/31 10:03:35, 10] libsmb/clikrb5.c:ads_krb5_mk_req(624)
  ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache (MEMORY:winbind_ccache) is valid until: (Thu, 31 Jul 2008 20:03:28 CDT - 1217552608)
[2008/07/31 10:03:35, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
  Got KRB5 session key of length 16
[2008/07/31 10:03:35, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for (objectclass=*) in  gave 1 replies
[2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(440)
  store_cache_seqnum: success [OTHERDOMAIN][646535412 @ 1217516615]
[2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(504)
  refresh_sequence_number: OTHERDOMAIN seq number is now 646535412
[2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:centry_expired(549)
  centry_expired: Key U/S-1-5-21-2031228914-1097686851-784825492-55515 for domain OTHERDOMAIN expired
[2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:wcache_fetch(621)
  wcache_fetch: entry U/S-1-5-21-2031228914-1097686851-784825492-55515 expired for domain OTHERDOMAIN
[2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:query_user(1652)
  query_user: [Cached] - doing backend query for info for domain OTHERDOMAIN
[2008/07/31 10:03:35, 3] nsswitch/winbindd_ads.c:query_user(453)
  ads: query_user
[2008/07/31 10:03:35, 10] nsswitch/winbindd_ads.c:ads_cached_connection(46)
  ads_cached_connection
[2008/07/31 10:03:35, 7] nsswitch/winbindd_ads.c:ads_cached_connection(59)
  Current tickets expire in 35993 seconds (at 1217552608, time is now 1217516615)
[2008/07/31 10:03:35, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F2\17\12\79\43\5F\6D\41\94\7C\C7\2E\DB\D8\00\00) in

Re: [Samba] Samba 3.0.31 stills fails to read and write to socket.

2008-08-01 Thread Jeremy Allison
On Fri, Aug 01, 2008 at 10:46:54AM -0500, Jose Santiago Oyervides wrote:
> Hi,
> I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve the
> winbind issue previously reported (Bug# 5551) but the issue is still
> happening in my servers.
>
> I have an ftp server (vsftpd), configured to use pam_winbind with krb5_auth
> and I see some random disconnects and my users can't login. My samba servers
> are members of a Windows 2003 domain.
>
> The relevant lines on my log.wb-OTHERDOMAIN are saying that the write to the
> socket failed because the connection was reset by peer. This happened also
> on 3.0.28; I was hoping that 3.0.31 would fix this issue.
>
> I'm including my configuration and my log files. This happens only when
> pam_winbind authenticates users of other domains. Sometimes it gets fixed
> by itself, because in my krb5.conf I have configured several domain controllers
> for the other domains and it changes the connections to the next server, but
> sometimes it gets stuck with one failed server and all my users can't login
> for a while.

This is your problem :

config [/var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN]
[2008/07/31 10:03:55, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
  got TGT for [EMAIL PROTECTED] in MEMORY:winbindd_pam_ccache (valid until: Thu, 31 Jul 2008 20:03:57 CDT (1217552637), renewable till: Thu, 31 Jul 2008 20:03:57 CDT (1217552617))
[2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew

Note the 30 second gap in timestamps.

Looks like the call :

krb5_ret = cli_krb5_get_ticket(local_service,
   time_offset,
   tkt,
   session_key_krb5,
   0,
   cc,
   NULL);

at line 604: in nsswitch/winbindd_pam.c is taking ages
to contact a KDC. Do you have DNS resolution issues ?

Jeremy.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
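
Added example (not part of the original thread, and not Samba code): a small scanner that applies the check used in the reply above, looking for gaps between consecutive winbindd debug-log timestamps to find where the daemon stalled. The function names `parse_entries` and `find_stalls`, the threshold default and the sample lines are assumptions made for illustration; the sample is constructed from entries quoted in this thread.

```python
import re
from datetime import datetime

# Samba 3.x debug header: "[2008/07/31 10:03:55, 10] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*(\S+)?")

# Constructed sample: the first header is wrapped the way mail clients wrap it.
SAMPLE = """\
[2008/07/31 10:03:55, 10]
nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
  got TGT for user@EXAMPLE in MEMORY:winbindd_pam_ccache
[2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
[2008/07/31 10:04:05, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
  Got KRB5 session key of length 16
"""

def parse_entries(text):
    """Return [(timestamp, source_location)] for every debug header in text."""
    entries = []
    pending = False  # True while a header's location is still on the next line
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, m.group(3) or ""])
            pending = m.group(3) is None
        elif pending and line.strip():
            entries[-1][1] = line.strip()  # rejoin the wrapped location
            pending = False
    return [tuple(e) for e in entries]

def find_stalls(text, threshold=5):
    """Return (gap_seconds, before, after) where consecutive entries are
    at least `threshold` seconds apart; `before` is the last thing logged
    before the daemon went quiet."""
    entries = parse_entries(text)
    stalls = []
    for (t0, loc0), (t1, loc1) in zip(entries, entries[1:]):
        gap = int((t1 - t0).total_seconds())
        if gap >= threshold:
            stalls.append((gap, loc0, loc1))
    return stalls

if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE):
        print(f"{gap:4d}s stall after {before} (next: {after})")
```

Run against a full log.wb-* file, the `before` location of each reported stall names the call that was blocking, which is the function to look up in the source.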


Re: [Samba] Samba 3.0.31 stills fails to read and write to socket.

2008-08-01 Thread Jose Santiago Oyervides
Hi Jeremy,

I think it could be DNS resolution like you say, since this problem only
happens with accounts from other domains. I have had troubles in the past in
order to get DNS resolution to work, because this server also has a public
postfix server, so if I configured the internal DNS the external resolution
didn't work and vice versa. In order to cope with this issue I configured an
internal DNS server with both internal and external resolution and that
seemed to work.

If I ping the domain controllers from any other domain it responds very
fast, since I have all DCs in /etc/hosts and /etc/samba/lmhosts, and in my
nsswitch.conf I have configured this:   hosts: files wins dns winbind and in
/etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Would it help if I configured the IP address in my krb5.conf for all domains
instead of their name? Why is only krb5.conf.MYDOMAIN created in
/var/lib/samba/smb_krb5 and not the file for the other domains? Maybe this has
something to do...
Regards,
Jose Santiago Oyervides.



Re: [Samba] Samba 3.0.31 stills fails to read and write to socket.

2008-08-01 Thread Jeremy Allison
On Fri, Aug 01, 2008 at 12:50:48PM -0500, Jose Santiago Oyervides wrote:
> Hi Jeremy,
>
> I think it could be DNS resolution like you say, since this problem only
> happens with accounts from other domains. I have had troubles in the past in
> order to get DNS resolution to work, because this server also has a public
> postfix server, so if I configured the internal DNS the external resolution
> didn't work and vice versa. In order to cope with this issue I configured an
> internal DNS server with both internal and external resolution and that
> seemed to work.
>
> If I ping the domain controllers from any other domain it responds very
> fast, since I have all DCs in /etc/hosts and /etc/samba/lmhosts, and in my
> nsswitch.conf I have configured this:   hosts: files wins dns winbind and in
> /etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Try taking wins out of the /etc/nsswitch.conf hosts line. It may be
recursing into winbindd. Alternatively ensure that dns is second after
files.

> Would it help if I configured the IP address in my krb5.conf for all domains
> instead of their name? Why is only krb5.conf.MYDOMAIN created in
> /var/lib/samba/smb_krb5 and not the file for the other domains? Maybe this has
> something to do...

Yes, an explicit IP address would help, but if DNS is working
correctly you shouldn't need that.

Jeremy.


Re: [Samba] Samba 3.0.31 stills fails to read and write to socket.

2008-08-01 Thread Jose Santiago Oyervides
Thanks Jeremy,

I will follow your recommendations and let you know what happens.

Regards
Jose Santiago Oyervides.
