Re: [Samba] Restart Winbind

2009-09-18 Thread Alex Crow

> 
> That looks like very useful information. I am using 3.2.8 as well.
> Will you please elaborate a bit on upgrading schema?
> 

First question: are your Domain Controllers using Samba? If not, the
rest of this probably won't work (never used an AD domain myself).

On gentoo emerging the latest samba provided me with the latest schema
too. Interestingly on Debian the one I got wasn't correct when I
upgraded, so I copied the one over from the gentoo boxes (although
someone at work said I should have looked
in /usr/share/doc/samba/something). The only file needed is
samba.schema. I guess to be sure you could just download the appropriate
samba release and pull it from there to put in the schema dir.

> Following is what my idmap config.
> 
> 
> idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
> idmap uid = 1000 - 29
> idmap gid = 1000 - 29
> idmap config DOMAIN1:range = 10 - 19
> idmap config DOMAIN1:backend = rid
> idmap config DOMAIN3:range = 1000 - 9
> idmap config DOMAIN3:backend = rid
> idmap config DOMAIN2:range = 20 - 29
> idmap config DOMAIN2:backend = rid
> idmap config default:default = Yes
> 
> 


I see you're doing it the "new way" (and using RID not LDAP for IDMAP
mappings). I'm still using the old syntax with LDAP thusly:

idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes

That's on the PDC, all other servers should be pointed to the PDC's (or
whatever master LDAP server you have) real ip address for IDMAP. Should
be no prob. to update this to the new syntax.

Did you also populate your LDAP directory with the bare IDMAP ou? You
can find the required LDIF in the "By Example" docs on samba.org.

I find that with this setting all of my trusted domains work fine. I
noticed if you do "winbind use default domain = yes" then you get all
the local domain stuff in the IDMAP ou, which seems as if it could cause
problems (although it never seems to when I've set that by accident). If
you use the new syntax then you will probably avoid this issue.

Cheers

Alex
-- 
This message is intended only for the addressee and may contain 
confidential information.  Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 

"Transact" is operated by Integrated Financial Arrangements plc 
Domain House, 5-7 Singer Street, London  EC2A 4BQ 
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under
number: 3727592) 
Authorised and regulated by the Financial Services Authority (entered on
the FSA Register; number: 190856)


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restart Winbind

2009-09-17 Thread Linux Addict
On Thu, Sep 17, 2009 at 7:09 AM, Alex Crow  wrote:

>
> > fi
> >
> > I am somewhat limited to use tdb backend as ldap back end doesn't seem to
> > be supporting trusted domains.
> >
>
> Your samba schema might be out of date - both sides of the trust are
> stored in LDAP now - I had the same problem until I upgraded my schema
> files after going from 3.0.x to 3.2.x.
>
> Cheers
>
> Alex
>
>
That looks like very useful information. I am using 3.2.8 as well. Will
you please elaborate a bit on upgrading schema?

Following is what my idmap config.

idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
idmap uid = 1000 - 29
idmap gid = 1000 - 29
idmap config DOMAIN1:range = 10 - 19
idmap config DOMAIN1:backend = rid
idmap config DOMAIN3:range = 1000 - 9
idmap config DOMAIN3:backend = rid
idmap config DOMAIN2:range = 20 - 29
idmap config DOMAIN2:backend = rid
idmap config default:default = Yes


Thanks
LA


Re: [Samba] Restart Winbind

2009-09-17 Thread Alex Crow

> fi
> 
> I am somewhat limited to use tdb backend as ldap back end doesn't seem to
> be supporting trusted domains.
> 

Your samba schema might be out of date - both sides of the trust are
stored in LDAP now - I had the same problem until I upgraded my schema
files after going from 3.0.x to 3.2.x.

Cheers

Alex


Re: [Samba] Restart Winbind

2009-09-11 Thread Linux Addict
On Thu, Sep 10, 2009 at 11:27 PM, Adam Nielsen wrote:

> > I wish I can put gdb, but when tdb files get corrupted, I can't login to
> > the host even as a local user on console. Winbind seems to be locking
> > the whole authentication stream.   I don't understand why even the local
> > user can't login.
>
> It's because normally (depending on /etc/nsswitch.conf) winbind will be
> queried first before local files like /etc/passwd.  If you swap the
> order you can make it check local auth files first.
>
> Alternatively you should be able to get around that by either leaving a
> console or SSH connection open to the server 24/7 until it breaks, or
> perhaps using SSH with public keys, which should bypass the normal
> authentication scheme.  Of course then even something like "ls" will
> probably lock up, since it will query winbind to map UIDs back to
> usernames...
>

Thank you for taking time to respond.

I do have nsswitch as file and then winbind and it is working as
expected when everything is fine. e.g. I stop winbind, use a local user and
I can login. The issue happens only when winbind takes all CPU.

I can have session open on console directly, but it's very random.


> > That's why I'm working on a script to run w/ cron, so that when winbind
> > consumes more than 40% cpu, I want to restart the cpu.
>
> Short of tracking down the bug with gdb and fixing it, this is probably
> the only alternative.
>
> > I wanted to ask another question on the same subject. When I start the
> > winbind using the init script, it forks 4 processes. The pid on
> > /var/run/winbindd.pid is the parent process. So is that the pid I need
> > to monitor to capture the true cpu utilization?
>
> I'm afraid I can't answer that, but it's possible that any of the
> instances might lock up, so you would probably need to monitor all of
> them.  Perhaps an easier option could be to time how long it takes to
> run a command, and when winbind locks up and that command doesn't
> complete, then you know winbind must be restarted.  (Even something like
> "rm /tmp/heartbeat; ls; touch /tmp/heartbeat" would mean that if
> /tmp/heartbeat disappeared for more than a few seconds you know
> something is wrong.)  "monit" probably has a test for this already and
> would save cronjob scripting.
>

I am doing something similar. I grep for no of winbind pids and avg it. If
the cpu avg crosses, say 10%, then clear the tdb and restart the winbind,

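#!/bin/bash
## This script will clean up winbind if it causes CPU issue.
# Alternative sampling with ps (pcpu is the first field):
#WBCPU=`/bin/ps -eo pcpu,pid,user,args,cputime | grep winbind|grep -v grep|awk '{print $1}' > /tmp/wbind.dont.del`
# Write one CPU figure per winbindd process to the file. Field 5 is kept as
# posted; in top's default layout %CPU is field 9.
top -b -n1 |grep winbindd|awk '{print $5}' > /tmp/wbind.dont.del
WBCOUNT=`wc -l /tmp/wbind.dont.del|awk '{print $1}'`
# No winbindd line found: stop here rather than divide by zero.
[ "$WBCOUNT" -gt 0 ] || exit 0
WBCPUTOT=`echo $(sed -e 's/$/+/' /tmp/wbind.dont.del) 0|bc`
# bc runs with scale=0 here, so the average is truncated to an integer.
WBCPUAVG=`echo $WBCPUTOT/$WBCOUNT |bc`
#echo Count is  $WBCOUNT and Tot is $WBCPUTOT and Avg is $WBCPUAVG
if [ "$WBCPUAVG" -gt 10 ]
then
    # Removes every file under /var/lib/samba, not only winbindd_cache.tdb.
    rm -rf /var/lib/samba/* > /dev/null
    /etc/init.d/winbind restart
fi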

I am somewhat limited to use tdb backend as ldap back end doesn't seem to
be supporting trusted domains.



>
> Cheers,
> Adam.
>
>


Re: [Samba] Restart Winbind

2009-09-10 Thread Adam Nielsen
> I wish I can put gdb, but when tdb files get corrupted, I can't login to
> the host even as a local user on console. Winbind seems to be locking
> the whole authentication stream.   I don't understand why even the local
> user can't login.

It's because normally (depending on /etc/nsswitch.conf) winbind will be
queried first before local files like /etc/passwd.  If you swap the
order you can make it check local auth files first.

Alternatively you should be able to get around that by either leaving a
console or SSH connection open to the server 24/7 until it breaks, or
perhaps using SSH with public keys, which should bypass the normal
authentication scheme.  Of course then even something like "ls" will
probably lock up, since it will query winbind to map UIDs back to
usernames...

> That's why I'm working on a script to run w/ cron, so that when winbind
> consumes more than 40% cpu, I want to restart the cpu.

Short of tracking down the bug with gdb and fixing it, this is probably
the only alternative.

> I wanted to ask another question on the same subject. When I start the
> winbind using the init script, it forks 4 processes. The pid on
> /var/run/winbindd.pid is the parent process. So is that the pid I need
> to monitor to capture the true cpu utilization? 

I'm afraid I can't answer that, but it's possible that any of the
instances might lock up, so you would probably need to monitor all of
them.  Perhaps an easier option could be to time how long it takes to
run a command, and when winbind locks up and that command doesn't
complete, then you know winbind must be restarted.  (Even something like
"rm /tmp/heartbeat; ls; touch /tmp/heartbeat" would mean that if
/tmp/heartbeat disappeared for more than a few seconds you know
something is wrong.)  "monit" probably has a test for this already and
would save cronjob scripting.

Cheers,
Adam.
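
The timing check described in the message above, as an added example that is not from the thread: a cron-driven sketch that probes winbindd under a deadline and restarts it only after several consecutive bad probes. It assumes GNU `timeout` and `wbinfo -p` are available; the variable names and the state-file path are placeholders, the counter is kept under /var/run rather than /tmp because the job runs as root, and only the cache file named in the log is removed.

```shell
#!/bin/sh
# Added example: restart winbindd when a lookup through it stops answering.
# PROBE_CMD, DEADLINE, LIMIT, STATE and CACHE are names made up for this sketch.
PROBE_CMD=${PROBE_CMD:-"wbinfo -p"}   # ping winbindd over its socket
DEADLINE=${DEADLINE:-10}              # seconds before a probe counts as hung
LIMIT=${LIMIT:-3}                     # consecutive bad probes before acting
STATE=${STATE:-/var/run/winbind-watchdog.count}
CACHE=${CACHE:-/var/lib/samba/winbindd_cache.tdb}   # file named in the log

# classify: run the probe under a deadline and print ok, failed or hung.
classify() {
    rc=0
    timeout "$DEADLINE" $PROBE_CMD >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo ok ;;
        124) echo hung ;;     # GNU timeout exits 124 when the deadline passes
        *)   echo failed ;;
    esac
}

# tick: one cron run. Counts consecutive bad probes in $STATE and prints
# "restart" once LIMIT is reached, otherwise the probe result.
tick() {
    result=$(classify)
    count=0
    [ -f "$STATE" ] && count=$(cat "$STATE")
    if [ "$result" = ok ]; then count=0; else count=$((count + 1)); fi
    if [ "$count" -ge "$LIMIT" ]; then
        echo 0 > "$STATE"
        echo restart
    else
        echo "$count" > "$STATE"
        echo "$result"
    fi
}

# Entry point for cron: "winbind-watchdog.sh run". Only the cache is removed.
if [ "${1:-}" = run ] && [ "$(tick)" = restart ]; then
    /etc/init.d/winbind stop
    rm -f "$CACHE"
    /etc/init.d/winbind start
fi
```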



Re: [Samba] Restart Winbind

2009-09-09 Thread Linux Addict
On Tue, Sep 8, 2009 at 6:32 PM, Adam Nielsen  wrote:

> > BTW, The corresponding log I see on winbind log is...
> >
> > tdb(/var/lib/samba/winbindd_cache.tdb): tdb_rec_read bad magic 0x42424242 at
> > offset=1151980
> > [2009/09/04 10:37:25,  1] lib/util_tdb.c:tdb_validate_and_backup(1437)
> >   tdb '/var/lib/samba/winbindd_cache.tdb' is invalid
> >
> >
> > Usually, removing the tdb files and restarting winbind fixes the issue.
>
> It'd probably be helpful if - assuming you're running a recent Samba
> version - you can attach to the winbind process with GDB when it gets
> stuck and post a backtrace, so that the devs can see exactly where the
> problem is.  No doubt the corrupted .tdb files are causing an infinite
> loop somewhere.
>
> What version of Samba are you running?
>
> Cheers,
> Adam.
>

Samba version is 3.2.4. I am in the process of upgrading to 3.2.8 that may
solve the issue.

I wish I can put gdb, but when tdb files get corrupted, I can't login to the
host even as a local user on console. Winbind seems to be locking the whole
authentication stream.   I don't understand why even the local user can't
login.

That's why I'm working on a script to run w/ cron, so that when winbind
consumes more than 40% cpu, I want to restart the cpu.

I wanted to ask another question on the same subject. When I start the
winbind using the init script, it forks 4 processes. The pid on
/var/run/winbindd.pid is the parent process. So is that the pid I need to
monitor to capture the true cpu utilization?


~LA


Re: [Samba] Restart Winbind

2009-09-08 Thread Adam Nielsen
> BTW, The corresponding log I see on winbind log is...
> 
> tdb(/var/lib/samba/winbindd_cache.tdb): tdb_rec_read bad magic 0x42424242 at
> offset=1151980
> [2009/09/04 10:37:25,  1] lib/util_tdb.c:tdb_validate_and_backup(1437)
>   tdb '/var/lib/samba/winbindd_cache.tdb' is invalid
> 
> 
> Usually, removing the tdb files and restarting winbind fixes the issue.

It'd probably be helpful if - assuming you're running a recent Samba
version - you can attach to the winbind process with GDB when it gets
stuck and post a backtrace, so that the devs can see exactly where the
problem is.  No doubt the corrupted .tdb files are causing an infinite
loop somewhere.

What version of Samba are you running?

Cheers,
Adam.


Re: [Samba] Restart Winbind

2009-09-08 Thread Linux Addict
On Tue, Sep 8, 2009 at 11:26 AM, Linux Addict wrote:

> Team, a few of my Red Hat hosts run CPU at 100% due to winbind. Does anyone
> have a script or any idea how to restart the winbind daemon if it consumes
> 100% CPU automatically?
> ~LA
>

BTW, The corresponding log I see on winbind log is...

tdb(/var/lib/samba/winbindd_cache.tdb): tdb_rec_read bad magic 0x42424242 at
offset=1151980
[2009/09/04 10:37:25,  1] lib/util_tdb.c:tdb_validate_and_backup(1437)
  tdb '/var/lib/samba/winbindd_cache.tdb' is invalid


Usually, removing the tdb files and restarting winbind fixes the issue.


[Samba] Restart Winbind

2009-09-08 Thread Linux Addict
Team, a few of my Red Hat hosts run CPU at 100% due to winbind. Does anyone
have a script or any idea how to restart the winbind daemon if it consumes
100% CPU automatically?
~LA