[Samba] Samba 3.0.31 still fails to read and write to socket.
Hi,

I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve the winbind issue previously reported (Bug# 5551), but the issue is still happening on my servers. I have an FTP server (vsftpd) configured to use pam_winbind with krb5_auth, and I see some random disconnects and my users can't log in. My Samba servers are members of a Windows 2003 domain. The relevant lines in my log.wb-OTHERDOMAIN say that the write to the socket failed because the connection was reset by peer. This also happened on 3.0.28; I was hoping that 3.0.31 would fix this issue. I'm including my configuration and my log files.

This happens only when pam_winbind authenticates users of other domains. Sometimes it fixes itself, because in my krb5.conf I have configured several domain controllers for the other domains and it changes the connection to the next server, but sometimes it gets stuck with one failed server and all my users can't log in for a while.

Regards,
Jose Santiago Oyervides.

This is my setup:

    [global]
    workgroup = MYDOMAIN
    netbios name = MYSERVER
    security = ADS
    password server = 10.X.X.1 10.X.X.2 10.X.X.3
    encrypt passwords = Yes
    wins server = 10.X.Y.1 10.X.Y.2
    local master = no
    domain master = no
    preferred master = no
    log level =10 passdb:10 auth:10 winbind:10 idmap:10 smb:10 acls:10
    log file = /var/log/samba/%m.log
    max log size = 1000
    idmap uid = 1-6
    idmap gid = 1-6
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = true
    realm = MYDOMAIN.FORREST.COM
    winbind use default domain = Yes
    interfaces = 127.0.0.1/255.0.0.0 10.X.X.30/255.255.240.0
    template shell = /bin/bash
    username map = /etc/samba/smbusers
    template homedir = /home/users/%D/%U
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    name resolve order = lmhosts wins bcast
    bind interfaces only = yes
    load printers = No
    dns proxy = No
    hosts allow = 10. 127.
    hosts deny = 0.0.0.0/0
    smb ports = 139

My /etc/krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = SYSLOG:INFO:DAEMON
    default = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON

    [libdefaults]
    default_realm = MYDOMAIN.FORREST.COM
    dns_lookup_realm = none
    dns_lookup_kdc = none
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    FORREST.COM = {
      kdc=SERVER1.FORREST.COM
      kdc=SERVER2.FORREST.COM
    }
    MYDOMAIN.FORREST.COM= {
      kdc=SERVER1.MYDOMAIN.FORREST.COM
      kdc=SERVER2.MYDOMAIN.FORREST.COM
    )
    OTHERDOMAIN.FORREST.COM= = {
      kdc=SERVER1.OTHERDOMAIN.FORREST.COM
      kdc=SERVER1.OTHERDOMAIN.FORREST.COM
    }

    [domain_realm]
    .mydomain.forrest.com = MYDOMAIN.FORREST.COM
    .otherdomain.forrest.com = OTHERDOMAIN.FORREST.COM

/etc/nsswitch.conf

    passwd: files winbind
    shadow: files
    group: files winbind
    hosts: files wins dns winbind

These are the lines that I see in log.wb-ANOTERDOMAIN:

    [2008/07/31 10:03:35, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
      ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 31 Jul 2008 20:03:28 CDT
    [2008/07/31 10:03:35, 10] libsmb/clikrb5.c:ads_krb5_mk_req(624)
      ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache (MEMORY:winbind_ccache) is valid until: (Thu, 31 Jul 2008 20:03:28 CDT - 1217552608)
    [2008/07/31 10:03:35, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
      Got KRB5 session key of length 16
    [2008/07/31 10:03:35, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
      Search for (objectclass=*) in gave 1 replies
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(440)
      store_cache_seqnum: success [OTHERDOMAIN][646535412 @ 1217516615]
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(504)
      refresh_sequence_number: OTHERDOMAIN seq number is now 646535412
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:centry_expired(549)
      centry_expired: Key U/S-1-5-21-2031228914-1097686851-784825492-55515 for domain OTHERDOMAIN expired
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:wcache_fetch(621)
      wcache_fetch: entry U/S-1-5-21-2031228914-1097686851-784825492-55515 expired for domain OTHERDOMAIN
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_cache.c:query_user(1652)
      query_user: [Cached] - doing backend query for info for domain OTHERDOMAIN
    [2008/07/31 10:03:35, 3] nsswitch/winbindd_ads.c:query_user(453)
      ads: query_user
    [2008/07/31 10:03:35, 10] nsswitch/winbindd_ads.c:ads_cached_connection(46)
      ads_cached_connection
    [2008/07/31 10:03:35, 7] nsswitch/winbindd_ads.c:ads_cached_connection(59)
      Current tickets expire in 35993 seconds (at 1217552608, time is now 1217516615)
    [2008/07/31 10:03:35, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
      Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F2\17\12\79\43\5F\6D\41\94\7C\C7\2E\DB\D8\00\00) in
Re: [Samba] Samba 3.0.31 still fails to read and write to socket.
On Fri, Aug 01, 2008 at 10:46:54AM -0500, Jose Santiago Oyervides wrote:
> Hi, I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve
> the winbind issue previously reported (Bug# 5551), but the issue is still
> happening on my servers. I have an FTP server (vsftpd) configured to use
> pam_winbind with krb5_auth, and I see some random disconnects and my users
> can't log in. My Samba servers are members of a Windows 2003 domain. The
> relevant lines in my log.wb-OTHERDOMAIN say that the write to the socket
> failed because the connection was reset by peer. This also happened on
> 3.0.28; I was hoping that 3.0.31 would fix this issue. I'm including my
> configuration and my log files.
>
> This happens only when pam_winbind authenticates users of other domains.
> Sometimes it fixes itself, because in my krb5.conf I have configured
> several domain controllers for the other domains and it changes the
> connection to the next server, but sometimes it gets stuck with one failed
> server and all my users can't log in for a while.

This is your problem:

    config [/var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN]
    [2008/07/31 10:03:55, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
      got TGT for [EMAIL PROTECTED] in MEMORY:winbindd_pam_ccache (valid until: Thu, 31 Jul 2008 20:03:57 CDT (1217552637), renewable till: Thu, 31 Jul 2008 20:03:57 CDT (1217552617))
    [2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
      ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew

Note the 30 second gap in timestamps. Looks like the call:

    krb5_ret = cli_krb5_get_ticket(local_service, time_offset, tkt, session_key_krb5, 0, cc, NULL);

at line 604 in nsswitch/winbindd_pam.c is taking ages to contact a KDC.

Do you have DNS resolution issues?

Jeremy.
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
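The diagnosis in the reply above rests on the time that passes between two consecutive winbindd debug entries. The following Python script is an added example, not part of the original thread or of Samba: it scans a log for such gaps. The function names and the 5-second default threshold are assumptions; the sample is the two log entries quoted in the reply, run together on one line to show that the parser does not depend on line breaks.

```python
import re
from datetime import datetime

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)"
)

def parse_headers(text):
    """Return (timestamp, level, 'file:function(line)') for each debug header."""
    entries = []
    for m in HEADER.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        where = f"{m.group(3)}:{m.group(4)}({m.group(5)})"
        entries.append((ts, int(m.group(2)), where))
    return entries

def find_stalls(text, threshold=5):
    """List gaps of at least `threshold` seconds between consecutive entries.

    'after' is the last entry logged before the stall and 'before' is the
    first entry logged once the process moved on, so the slow call sits
    between those two source locations.
    """
    entries = parse_headers(text)
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = int((cur[0] - prev[0]).total_seconds())
        if gap >= threshold:
            stalls.append({"seconds": gap, "after": prev[2], "before": cur[2]})
    return stalls

# Sample: the two entries quoted in the reply above, flattened onto one line.
SAMPLE = (
    "[2008/07/31 10:03:55, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580) "
    "got TGT for [EMAIL PROTECTED] in MEMORY:winbindd_pam_ccache "
    "(valid until: Thu, 31 Jul 2008 20:03:57 CDT (1217552637)) "
    "[2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610) "
    "ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew"
)

if __name__ == "__main__":
    for stall in find_stalls(SAMPLE):
        print(f"{stall['seconds']}s between {stall['after']} and {stall['before']}")
```

Run against a full log.winbindd or log.wb-DOMAIN file, the same function points at the source locations that bracket each slow call, which is where to look for a blocking name lookup or KDC connection.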
Re: [Samba] Samba 3.0.31 still fails to read and write to socket.
Hi Jeremy,

I think it could be DNS resolution like you say, since this problem only happens with accounts from other domains. I have had trouble in the past getting DNS resolution to work, because this server also has a public postfix server, so if I configured the internal DNS the external resolution didn't work and vice versa. In order to cope with this issue I configured an internal DNS server with both internal and external resolution, and that seemed to work. If I ping the domain controllers from any other domain it responds very fast, since I have all DCs in /etc/hosts and /etc/samba/lmhosts, and in my nsswitch.conf I have configured this:

    hosts: files wins dns winbind

and in /etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Would it help if I configured the IP address in my krb5.conf for all domains instead of their name? Why is only krb5.conf.MYDOMAIN created in /var/lib/samba/smb_krb5, and not the file for the other domains? Maybe this has something to do...

Regards,
Jose Santiago Oyervides.

On Fri, Aug 1, 2008 at 12:19 PM, Jeremy Allison [EMAIL PROTECTED] wrote:
> On Fri, Aug 01, 2008 at 10:46:54AM -0500, Jose Santiago Oyervides wrote:
>> Hi, I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve
>> the winbind issue previously reported (Bug# 5551), but the issue is still
>> happening on my servers. I have an FTP server (vsftpd) configured to use
>> pam_winbind with krb5_auth, and I see some random disconnects and my
>> users can't log in. My Samba servers are members of a Windows 2003
>> domain. The relevant lines in my log.wb-OTHERDOMAIN say that the write to
>> the socket failed because the connection was reset by peer. This also
>> happened on 3.0.28; I was hoping that 3.0.31 would fix this issue. I'm
>> including my configuration and my log files.
>>
>> This happens only when pam_winbind authenticates users of other domains.
>> Sometimes it fixes itself, because in my krb5.conf I have configured
>> several domain controllers for the other domains and it changes the
>> connection to the next server, but sometimes it gets stuck with one
>> failed server and all my users can't log in for a while.
>
> This is your problem:
>
>     config [/var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN]
>     [2008/07/31 10:03:55, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
>       got TGT for [EMAIL PROTECTED] in MEMORY:winbindd_pam_ccache (valid until: Thu, 31 Jul 2008 20:03:57 CDT (1217552637), renewable till: Thu, 31 Jul 2008 20:03:57 CDT (1217552617))
>     [2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
>       ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
>
> Note the 30 second gap in timestamps. Looks like the call:
>
>     krb5_ret = cli_krb5_get_ticket(local_service, time_offset, tkt, session_key_krb5, 0, cc, NULL);
>
> at line 604 in nsswitch/winbindd_pam.c is taking ages to contact a KDC.
>
> Do you have DNS resolution issues?
>
> Jeremy.
Re: [Samba] Samba 3.0.31 still fails to read and write to socket.
On Fri, Aug 01, 2008 at 12:50:48PM -0500, Jose Santiago Oyervides wrote:
> Hi Jeremy, I think it could be DNS resolution like you say, since this
> problem only happens with accounts from other domains. I have had trouble
> in the past getting DNS resolution to work, because this server also has a
> public postfix server, so if I configured the internal DNS the external
> resolution didn't work and vice versa. In order to cope with this issue I
> configured an internal DNS server with both internal and external
> resolution, and that seemed to work. If I ping the domain controllers from
> any other domain it responds very fast, since I have all DCs in /etc/hosts
> and /etc/samba/lmhosts, and in my nsswitch.conf I have configured this:
>
>     hosts: files wins dns winbind
>
> and in /etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Try taking wins out of the /etc/nsswitch.conf hosts line. It may be recursing into winbindd. Alternatively ensure that dns is second after files.

> Would it help if I configured the IP address in my krb5.conf for all
> domains instead of their name? Why is only krb5.conf.MYDOMAIN created in
> /var/lib/samba/smb_krb5, and not the file for the other domains? Maybe
> this has something to do...

Yes, an explicit IP address would help, but if DNS is working correctly you shouldn't need that.

Jeremy.
Re: [Samba] Samba 3.0.31 still fails to read and write to socket.
Thanks Jeremy,

I will follow your recommendations and let you know what happens.

Regards,
Jose Santiago Oyervides.

On Fri, Aug 1, 2008 at 12:59 PM, Jeremy Allison [EMAIL PROTECTED] wrote:
> On Fri, Aug 01, 2008 at 12:50:48PM -0500, Jose Santiago Oyervides wrote:
>> Hi Jeremy, I think it could be DNS resolution like you say, since this
>> problem only happens with accounts from other domains. I have had trouble
>> in the past getting DNS resolution to work, because this server also has
>> a public postfix server, so if I configured the internal DNS the external
>> resolution didn't work and vice versa. In order to cope with this issue I
>> configured an internal DNS server with both internal and external
>> resolution, and that seemed to work. If I ping the domain controllers
>> from any other domain it responds very fast, since I have all DCs in
>> /etc/hosts and /etc/samba/lmhosts, and in my nsswitch.conf I have
>> configured this:
>>
>>     hosts: files wins dns winbind
>>
>> and in /etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.
>
> Try taking wins out of the /etc/nsswitch.conf hosts line. It may be
> recursing into winbindd. Alternatively ensure that dns is second after
> files.
>
>> Would it help if I configured the IP address in my krb5.conf for all
>> domains instead of their name? Why is only krb5.conf.MYDOMAIN created in
>> /var/lib/samba/smb_krb5, and not the file for the other domains? Maybe
>> this has something to do...
>
> Yes, an explicit IP address would help, but if DNS is working correctly
> you shouldn't need that.
>
> Jeremy.