[Samba] Winbindd IDMAP SID-to-UNIX-IDs problem

2013-09-05 Thread Burgess, Adam
IDMAP cache somehow ends up with an unmapped SID2UID entry (i.e. value = -1) and 
the SID2GID entry expires.  At this stage winbindd returns unmapped for a 
SID-to-UNIX-IDs request.  This results in smbd giving incorrect group 
memberships and incorrect resource access, until the SID2UID entry expires. 
This is surely a bug?

Samba version is 3.6.6 as bundled with our current Solaris 10 patch revision 
(the platform).  Using only Kerberos PAC SIDs for membership and basic LDAP 
based IDMAP backend.

Reproduction steps:

1. Pick a valid UNIX GID that should be mapped to a SID

2. Get SID for this GID (e.g. wbinfo -G )

3. Delete or set low expiry value for SID2GID entry for this SID (e.g. net cache del IDMAP/SID2GID/)

4. Now request SID2UID lookup for this SID, which should be unmapped (e.g. wbinfo -S )

5. Now do SID-to-UNIX-IDs lookup to mimic smbd IDMAP lookup of Kerberos PAC SIDs (e.g. wbinfo --sids-to-unix-ids=)

The result is that the SID is unmapped.



Winbindd IDMAP will not consider the state of having an unmapped SID2UID and an 
expired or non-existent SID2GID as reason to query IDMAP backend for a SID2GID.



In our environment this is causing considerable problems as we have a maximum 
setting for IDMAP negative entries in order to prevent them expiring at all 
(this is required because we have users in a large number of AD groups i.e. 
>400) and only a few required for UNIX (<= Solaris limit of 16).  When negative 
entries expire connections take a very long time as a result of the numerous 
negative IDMAP queries.  This means that we are more likely to hit the problem 
than with the default cache time values.



idmap cache time = 36000

idmap negative cache time = 2147483647



It is not clear which smbd function might be causing the SID2UID lookup (for 
group SID value) in the first place but then that seems to me not to be the 
crucial issue as it may just happen via a wbinfo invocation as above directly 
anyway.



Does anyone know if this is a bug and if so if it has been addressed in 
versions beyond 3.6.6 (I have tested very quickly with 3.6.12 too but it seems 
to me no different)?



Thanks,



Adam






Adam Burgess
Infrastructure Architect, Enterprise Services UK
Hewlett-Packard Company

+44 207 020 6302 / Office
+44 208 288 9728 /Home Office
+44 7789924321 / Mobile
adam.burg...@hp.com / Email

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
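
The cache state reported in the message above, as an added model (not part of the original post and not Samba source code). The key names `IDMAP/SID2UID/<sid>` and `IDMAP/SID2GID/<sid>`, the `-1` unmapped value and the two cache times come from the post; the SID, the GID 10001 and every class and function name are constructed for illustration, and the "reported" lookup encodes only the behaviour the poster describes.

```python
from dataclasses import dataclass

UNMAPPED = -1
IDMAP_CACHE_TIME = 36000                # "idmap cache time" from the post
IDMAP_NEGATIVE_CACHE_TIME = 2147483647  # "idmap negative cache time" from the post


@dataclass
class Entry:
    value: int     # UNIX id, or UNMAPPED for a negative entry
    expires: int   # absolute time in seconds


class IdmapModel:
    """Hypothetical model of a SID-to-UNIX-id cache in front of a backend."""

    def __init__(self, backend):
        self.backend = backend      # {(sid, "UID" or "GID"): unix id}
        self.cache = {}             # cache key -> Entry
        self.backend_queries = 0

    @staticmethod
    def key(kind, sid):
        return f"IDMAP/SID2{kind}/{sid}"

    def live(self, kind, sid, now):
        """Return the cache entry if present and not expired, else None."""
        entry = self.cache.get(self.key(kind, sid))
        return entry if entry is not None and entry.expires > now else None

    def ask_backend(self, kind, sid, now):
        self.backend_queries += 1
        value = self.backend.get((sid, kind), UNMAPPED)
        ttl = IDMAP_NEGATIVE_CACHE_TIME if value == UNMAPPED else IDMAP_CACHE_TIME
        self.cache[self.key(kind, sid)] = Entry(value, now + ttl)
        return value

    def lookup(self, kind, sid, now):
        """Single-type lookup: cached answer if live, otherwise the backend."""
        entry = self.live(kind, sid, now)
        return entry.value if entry is not None else self.ask_backend(kind, sid, now)

    def delete(self, kind, sid):
        self.cache.pop(self.key(kind, sid), None)

    def sids_to_unix_ids_reported(self, sid, now):
        """Behaviour as reported: any live entry counts as a complete answer,
        so a live negative SID2UID entry hides a missing SID2GID entry."""
        uid, gid = self.live("UID", sid, now), self.live("GID", sid, now)
        for kind, entry in (("UID", uid), ("GID", gid)):
            if entry is not None and entry.value != UNMAPPED:
                return kind, entry.value
        if uid is not None or gid is not None:
            return "UNMAPPED", UNMAPPED      # backend is never consulted
        return self.sids_to_unix_ids_expected(sid, now)

    def sids_to_unix_ids_expected(self, sid, now):
        """Behaviour the poster expects: a negative answer is final only when
        both types have been resolved; a missing type goes to the backend."""
        for kind in ("UID", "GID"):
            value = self.lookup(kind, sid, now)
            if value != UNMAPPED:
                return kind, value
        return "UNMAPPED", UNMAPPED


def reproduce():
    """Walk the five reproduction steps against the model."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed SID
    model = IdmapModel({(sid, "GID"): 10001})                 # constructed mapping
    model.lookup("GID", sid, now=0)            # steps 1-2: group mapping is cached
    model.delete("GID", sid)                   # step 3: SID2GID entry removed
    step4 = model.lookup("UID", sid, now=10)   # step 4: negative SID2UID cached
    reported = model.sids_to_unix_ids_reported(sid, now=20)   # step 5
    # How long the wrong answer persists: until the negative entry expires.
    stuck_seconds = model.cache[model.key("UID", sid)].expires - 20
    expected = model.sids_to_unix_ids_expected(sid, now=20)
    return step4, reported, expected, stuck_seconds


if __name__ == "__main__":
    step4, reported, expected, stuck = reproduce()
    print("step 4 (SID2UID):", step4)
    print("step 5 as reported:", reported)
    print("step 5 as expected:", expected)
    print("wrong answer persists for %d s (about %.0f years)" % (stuck, stuck / 31557600))
```

With the negative cache time from the post, the model shows the group SID staying unmapped for the lifetime of the negative SID2UID entry, which is why the poster's settings make the condition far more visible than short negative cache times would.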


Re: [Samba] winbindd performance tunning?

2013-03-14 Thread Volker Lendecke
On Thu, Mar 14, 2013 at 01:25:06AM +0800, xx77009833 wrote:
> Winbindd version is 3.5.8, it runs on an 8-core CPU
> machine, and my DC (win2k8) runs on a 4-core CPU machine.
> "performance is slow" means, the transaction per second is
> around 200. I think it is slow and should be better.

200 ntlm auth requests per second is not too bad in 3.5.8 I
guess. 3.6.12 has a "winbind max domain connections" which
allows you to open more than one connection to the DC. You
should try that.

> The CPU usage of winbindd is not high. I suspect that
> winbindd isn't processing the request in parallel or it
> is blocked by some internal synchronous operation. But I
> am not sure.
> Till now, I have not profiled winbindd to find where the time is spent..

My guess would be that it's the DC. Can you wireshark the
network to the DC and analyze the response time there?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] winbindd performance tunning?

2013-03-13 Thread xx77009833
Thank you for your reply:)


Winbindd version is 3.5.8, it runs on an 8-core CPU machine, and my DC (win2k8) 
runs on a 4-core CPU machine.
"performance is slow" means, the transaction per second is around 200. I think 
it is slow and should be better.
The CPU usage of winbindd is not high. I suspect that winbindd isn't 
processing the request in parallel or it is blocked by some internal 
synchronous operation. But I am not sure.
Till now, I have not profiled winbindd to find where the time is spent.

They all run over my local-area network. So I think network is fast enough
and I suppose DC is not the bottleneck under such pressure:)
BTW.
I found there is a macro WINBINDD_MAX_CLIENTS, and I modified it to 2. All 
tests have been done under this condition.


So, the question,
Any suggestions for winbindd performance tuning?
Will it be helpful by using samba4? Is it fully asynchronous internally?




appreciate your help very much!


Xin.


At 2013-03-13 17:50:06,"Volker Lendecke"  wrote:
>On Wed, Mar 13, 2013 at 11:51:25AM +0800, xx77009833 wrote:
>> Hi,
>> 
>> 
>> Thanks in advance.
>> 
>> 
>> I have written a winbindd client which communicates with winbindd to do NTLM 
>> authentication.
>> However, it seems that the performance of winbindd is low.
>> I have two questions.
>> 1. seems winbindd is asynchronous? If yes, I think its
>> performance should be higher.
>> 2. do you have any suggestions for winbindd performance tuning?
>> Is there any configuration item or anything useful?
>
>What version are you using? What exactly is slow? Is winbind
>chewing CPU? Have you measured where the time is spent? It
>might well be the DC or the network is slow. We need more
>information here.
>
>With best regards,
>
>Volker Lendecke
>
>-- 
>SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>phone: +49-551-37-0, fax: +49-551-37-9
>AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>http://www.sernet.de, mailto:kont...@sernet.de

Re: [Samba] winbindd performance tunning?

2013-03-13 Thread Volker Lendecke
On Wed, Mar 13, 2013 at 11:51:25AM +0800, xx77009833 wrote:
> Hi,
> 
> 
> Thanks in advance.
> 
> 
> I have written a winbindd client which communicates with winbindd to do NTLM 
> authentication.
> However, it seems that the performance of winbindd is low.
> I have two questions.
> 1. seems winbindd is asynchronous? If yes, I think its
> performance should be higher.
> 2. do you have any suggestions for winbindd performance tuning?
> Is there any configuration item or anything useful?

What version are you using? What exactly is slow? Is winbind
chewing CPU? Have you measured where the time is spent? It
might well be the DC or the network is slow. We need more
information here.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


[Samba] winbindd performance tunning?

2013-03-12 Thread xx77009833
Hi,


Thanks in advance.


I have written a winbindd client which communicates with winbindd to do NTLM 
authentication.
However, it seems that the performance of winbindd is low.
I have two questions.
1. seems winbindd is asynchronous? If yes, I think its performance should be 
higher.
2. do you have any suggestions for winbindd performance tuning? Is there any 
configuration item or anything useful?


Thanks and I will appreciate any of your help.


Xin.




[Samba] winbindd: socket dir

2012-08-18 Thread Michael Hendrie
Hi List,

Hunting around Google I've found a couple of references to using "winbindd: 
socket dir" in smb.conf to allow multiple winbindd instances to run but can't 
seem to find any doco on this feature.

I have tried adding this to my smb.conf file but when I try to use ntlm_auth 
with this configuration any authentication fails and it returns:

ntlm_auth --username=testusr
[2012/08/18 23:37:24.230344,  0] utils/ntlm_auth.c:184(get_winbind_domain)
  could not obtain winbind domain name!

I know the rest of my config is correct as without winbindd: socket dir 
specified, authentication is successful.   

I can see that the pipe has been created in the directory specified in the 
smb.conf but can't get authentication to succeed.

Can anyone shed some light on why this might be failing, or point me in the 
direction of some documentation.

Running distro supplied samba versions:

samba3x.x86_64:  3.5.10-0.110.el5_8
samba3x-common.x86_64:  3.5.10-0.110.el5_8
samba3x-winbind.x86_64:  3.5.10-0.110.el5_8

My smb.conf

[global]
workgroup = ADLOSA
realm = ADLOSA.LOCAL
server string = testprox
security = ADS
password server = dc01.adlosa.local
smb passwd file = /etc/samba/smbpasswd
log level = 0 winbind:9
log file = /var/log/samba/%m.log
max log size = 5
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = Yes
winbindd: socket dir = /tmp/wb_socket
hosts allow = 192.168.100., 127.
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No 





[Samba] winbindd not providing supplementary groups with server 2003 AD

2012-03-24 Thread Ivo Karabojkov
I have Windows server 2003 AD controller and Samba 3 (3.5.11 or 3.6.3) 
member server running on FreeBSD 8.2/9.0. I don't use MS Services for 
Unix and my setup relies on Winbindd for idmapping. I can see all users 
/ groups with wbinfo -g, wbinfo -u, getent group, getent passwd. I can 
see all user's group with id .
I had to solve more complicated tasks including ACLs and granting rights 
to AD groups. I was surprised that only primary groups for users were 
honored but supplementary not. I tested with share on filesystem without 
ACL to exclude error in ACLs - same problem. Using debuglevel 10 I saw 
that somehow appears incorrect list of supplementary groups. wbinfo -r 
username returns ONLY primary group of the user.


smbserver:/var/log/samba# id AD-DOMAIN_user13
uid=10014(AD-DOMAIN_user13) gid=10013(AD-DOMAIN_domain users) 
groups=10013(AD-DOMAIN_domain users),10022(AD-DOMAIN_accounting)

(this is correct, the user is member of these two groups only)

getent groups shows (all IDMapped groups from AD):
AD-DOMAIN_helpservicesgroup:x:10002:AD-DOMAIN_support_388
AD-DOMAIN_telnetclients:x:10003
AD-DOMAIN_wins users:x:10004
AD-DOMAIN_dhcp users:x:10005
AD-DOMAIN_dhcp administrators:x:10006
AD-DOMAIN_domain computers:x:10007
AD-DOMAIN_domain controllers:x:10008
AD-DOMAIN_schema admins:x:10009:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_enterprise admins:x:10010:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_cert publishers:x:10011
AD-DOMAIN_domain admins:x:10012:AD-DOMAIN_atan,AD-DOMAIN_job_acc,AD-DOMAIN_administrator
AD-DOMAIN_domain users:x:10013:AD-DOMAIN_marti,AD-DOMAIN_interbase,AD-DOMAIN_iii,AD-DOMAIN_plll,AD-DOMAIN_lid,AD-DOMAIN_ita
AD-DOMAIN_domain guests:x:10014
AD-DOMAIN_group policy creator owners:x:10015:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_ras and ias servers:x:10016
AD-DOMAIN_dnsadmins:x:10017
AD-DOMAIN_dnsupdateproxy:x:10018
AD-DOMAIN_management:x:10019:AD-DOMAIN_iva,AD-DOMAIN_marti
AD-DOMAIN_manufacture:x:10020:AD-DOMAIN_poli,AD-DOMAIN_kanc,AD-DOMAIN_delc,AD-DOMAIN_kol,AD-DOMAIN_pash,AD-DOMAIN_nik
AD-DOMAIN_offices:x:10021:AD-DOMAIN_nesh,AD-DOMAIN_stef,AD-DOMAIN_jon,AD-DOMAIN_dimi
AD-DOMAIN_accounting:x:10022:AD-DOMAIN_user01,AD-DOMAIN_pet,AD-DOMAIN_user13,AD-DOMAIN_georg,AD-DOMAIN_acct1
AD-DOMAIN_stock_management:x:10023:AD-DOMAIN_stef,AD-DOMAIN_pash,AD-DOMAIN_nik
AD-DOMAIN_trz:x:10024:AD-DOMAIN_ivan,AD-DOMAIN_georg
AD-DOMAIN_backup:x:10025
AD-DOMAIN_test2:x:10026

As I try to access shared folder with the following permissions:
(UIDs/GIDs)
drwxrwx---   2 10012  10022   512 Mar 23 18:14 accshart
(user and group names)
drwxrwx---   2 AD-DOMAIN_user01  AD-DOMAIN_accounting  512 Mar 23 18:14 accshart


with debuglevel 10 I see the following strange messages:

[2012/03/23 18:58:16.606992,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
SID[  0]: S-1-5-21-1579055750-3724707312-788426950-1136
SID[  1]: S-1-5-21-1579055750-3724707312-788426950-513
SID[  2]: S-1-1-0
SID[  3]: S-1-5-2
SID[  4]: S-1-5-11
SID[  5]: S-1-22-1-10014
SID[  6]: S-1-22-2-10013
SID[  7]: S-1-22-2-1
SID[  8]: S-1-22-2-10001
SID[  9]: S-1-22-2-10027
   Privileges (0x   0):
   Rights (0x   0):
[2012/03/23 18:58:16.607095,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10014
  Primary group is 10013 and contains 4 supplementary groups
  Group[  0]: 10013
  Group[  1]: 1
  Group[  2]: 10001
  Group[  3]: 10027
[2012/03/23 18:58:16.607157,  5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,10014), gid=(0,10013)
[2012/03/23 18:58:16.607176,  4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /usr/accshart
[2012/03/23 18:58:16.607202,  4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /usr/accshart
[2012/03/23 18:58:16.607223,  3] smbd/service.c:190(set_current_service)
  chdir (/usr/accshart) failed, reason: Permission denied
[2012/03/23 18:58:16.607270,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED


As you can see only the primary group [0] is correct, supplementary 
groups [1],[2],[3] do not exist.

wbinfo -r AD-DOMAIN_user13 returns only primary GID:
10013

This is the same with both available versions of Samba via FreeBSD ports: 
3.5.11 and 3.6.3.


Here is my Samba config:

[global]
workgroup = AD-DOMAIN
realm = AD-DOMAIN.LOCAL
server string = Samba Server
interfaces = localhost, nfe0
bind interfaces only = Yes
security = ADS
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 500
template homedir = /var/spool/vacation/AD-DOMAIN
template shell = /sbin/nologin
winbind separator = _
winbind enum users = Yes
winbind enum groups = Yes
winbind nested group
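
The comparison made by eye in the message above, as an added example (not part of the original post and not Samba code). It parses the level-5 token dump and the `id` output quoted in the post, checks that the `S-1-22-2-<gid>` SIDs (Samba's SID form for UNIX groups) agree with the UNIX token, lists the GIDs that differ, and applies the directory's owner, group and mode to both group sets. All function names are hypothetical.

```python
import re

# Values copied from the post above (mail-wrapped lines rejoined).
ID_OUTPUT = (
    "uid=10014(AD-DOMAIN_user13) gid=10013(AD-DOMAIN_domain users) "
    "groups=10013(AD-DOMAIN_domain users),10022(AD-DOMAIN_accounting)"
)
SMBD_LOG = """\
  Security token SIDs (10):
SID[  0]: S-1-5-21-1579055750-3724707312-788426950-1136
SID[  1]: S-1-5-21-1579055750-3724707312-788426950-513
SID[  2]: S-1-1-0
SID[  3]: S-1-5-2
SID[  4]: S-1-5-11
SID[  5]: S-1-22-1-10014
SID[  6]: S-1-22-2-10013
SID[  7]: S-1-22-2-1
SID[  8]: S-1-22-2-10001
SID[  9]: S-1-22-2-10027
  UNIX token of user 10014
  Primary group is 10013 and contains 4 supplementary groups
  Group[  0]: 10013
  Group[  1]: 1
  Group[  2]: 10001
  Group[  3]: 10027
"""

UNIX_GROUP_SID_PREFIX = "S-1-22-2-"   # S-1-22-2-<gid> denotes a UNIX group


def parse_id_output(text):
    """Return (uid, primary gid, set of all gids) from `id` output."""
    uid = int(re.search(r"\buid=(\d+)", text).group(1))
    gid = int(re.search(r"\bgid=(\d+)", text).group(1))
    groups_part = text.split("groups=", 1)[1] if "groups=" in text else ""
    gids = {int(g) for g in re.findall(r"(?:^|,)(\d+)\(", groups_part)}
    return uid, gid, gids | {gid}


def parse_smbd_token(log):
    """Extract the NT token SIDs and the UNIX token from an smbd debug dump."""
    sids = re.findall(r"SID\[\s*\d+\]:\s*(S-[0-9-]+)", log)
    uid = int(re.search(r"UNIX token of user (\d+)", log).group(1))
    head = re.search(r"Primary group is (\d+) and contains (\d+) supplementary", log)
    groups = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)]
    return {"sids": sids, "uid": uid, "primary_gid": int(head.group(1)),
            "declared_count": int(head.group(2)), "groups": groups}


def can_traverse(uid, gids, owner, group, mode):
    """POSIX class check for the search (execute) bit on a directory."""
    if uid == owner:
        return bool(mode & 0o100)
    if group in gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)


def analyse(id_output, log, dir_owner, dir_group, dir_mode):
    nss_uid, _, nss_gids = parse_id_output(id_output)
    tok = parse_smbd_token(log)
    sid_gids = {int(s[len(UNIX_GROUP_SID_PREFIX):])
                for s in tok["sids"] if s.startswith(UNIX_GROUP_SID_PREFIX)}
    token_gids = set(tok["groups"]) | {tok["primary_gid"]}
    return {
        "same_user": nss_uid == tok["uid"],
        "sids_match_unix_token": sid_gids == token_gids,
        "count_matches": tok["declared_count"] == len(tok["groups"]),
        "missing_from_token": sorted(nss_gids - token_gids),
        "unexpected_in_token": sorted(token_gids - nss_gids),
        "access_with_token": can_traverse(tok["uid"], token_gids,
                                          dir_owner, dir_group, dir_mode),
        "access_with_nss_groups": can_traverse(nss_uid, nss_gids,
                                               dir_owner, dir_group, dir_mode),
    }


# Directory from the post: drwxrwx--- owner 10012, group 10022.
RESULT = analyse(ID_OUTPUT, SMBD_LOG, dir_owner=10012, dir_group=10022, dir_mode=0o770)

if __name__ == "__main__":
    for name, value in RESULT.items():
        print(f"{name}: {value}")
```

The token is internally consistent (the SIDs and the UNIX group list agree), so the divergence sits between what NSS reports for the user and what smbd built into the token; GID 10022, the one that grants access to the directory, is the one absent.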

[Samba] winbindd requests failing with NT_STATUS_PIPE_BROKEN

2012-03-15 Thread Micha Lenk
Hi Samba experts,

I am currently investigating an issue with a bigger winbindd
installation which causes all following winbindd requests to fail until
winbindd is restarted. We use a slightly patched version of winbindd
based on Samba 3.5.8. In the used setup the winbindd is joined to an AD
domain and is quite busy with answering winbindd requests of type
PAM_AUTH_CRAP, LOOKUPNAME, GETUSERSIDS, and LOOKUPSID. Several AD users
are member of more than 128 groups. In this production environment the
issue happens a few times a day, however in our development environment
the issue is unreproducible.

All observed occurrences have in common that we see following messages
in debug output:

winbindd: Exceeding 200 client connections, removing idle connection.
Found 200 idle client connections, shutting down sock 122, pid 28456
accepted socket 122

Once the issue occurred, all further requests fail with the following
lines in debug output (loglevel 10):

Could not lookup sid S-1-5-21-1710691794-657421245-3729435916-358021:
NT_STATUS_PIPE_BROKEN
wb_request_done[28456:LOOKUPSID]: NT_STATUS_PIPE_BROKEN
winbind_client_response_written[28456:LOOKUPSID]: deliverd response to
client

Right now we don't understand really what is going on. So, the big
question is: What could cause the broken pipe message? And what
expression should I search the logfile for to get more information about
the possible reasons?

I would appreciate any assumptions about the reason that might trigger
the issue or suggestions on how to debug that issue further.

Regards,
Micha


Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-12-23 Thread Charles Weber
I feel your pain. we are up to  1275000, but have been running idmap/ldap for 
many years.
I have considered going to RID or full AD integration, but have organizational 
issues either way.

On Dec 22, 2011, at 3:50 AM, Jelle de Jong wrote:

> On 19/12/11 19:10, Jelle de Jong wrote:
>> On 19/12/11 11:22, Jelle de Jong wrote:
>>> On 23/05/11 13:37, Jelle de Jong wrote:
>>>> I got a few servers that where running stable and somehow winbindd
>>>> started complaining. There were no users added or any samba related
>>>> updates. Also the problems did not started on the same day one of the
>>>> servers started today and on other one months ago...
>>>> 
>>>> winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
>>>> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
>>>> winbindd[14450]:   Cannot allocate gid above 2!
>>>> 
>>>> # winbindd --version
>>>> Version 3.5.6
>>> 
>>> I am still having these errors and I keep increasing the values:
>>> 
>>>   idmap uid = 1-60500
>>>   idmap gid = 1-60500
>>> 
>>> I started with 2 and I am now on 60500...
>>> 
>>> Dec 19 11:01:15 stayce winbindd[23861]: [2011/12/19 11:01:15.569602,  0]
>>> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
>>> Dec 19 11:01:15 stayce winbindd[23861]:   Cannot allocate gid above 60500!
>>> 
>>> # winbindd --version
>>> Version 3.5.6
>> 
>> I found the following:
>> 
>> samba (2:3.5.8~dfsg-1) unstable; urgency=low
>>  * New upstream release. This fixes the following bugs:
>>- Winbind leaks gids with idmap ldap backend (upstrem #)
>>  Closes: #613624
>> 
>> Upgraded to:
>> 
>> # winbindd --version
>> Version 3.5.11
>> 
>> Hopefully this will fix my issues.
> 
> Sadly this didn't work!! A few days later the problem started again...
> 
> stayce:~# grep "Cannot allocate gid above" /var/log/syslog
> Dec 22 07:28:15 stayce winbindd[26373]:   Cannot allocate gid above 61000!
> Dec 22 07:28:15 stayce winbindd[26373]:   Cannot allocate gid above 61000!
> Dec 22 07:29:53 stayce winbindd[26373]:   Cannot allocate gid above 61000!
> 
> Dec 22 09:31:40 stayce winbindd[26373]:   Cannot allocate gid above 61000!
> 
> stayce:~# winbindd -V
> Version 3.5.11
> stayce:~# smbd -V
> Version 3.5.11
> stayce:~# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[documenten]"
> Processing section "[homes]"
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
> 
> [global]
>   workgroup = company
>   netbios name = SERVER
>   passdb backend = ldapsam
>   log file = /var/log/samba/log.%m
>   smb ports = 445
>   time server = Yes
>   load printers = No
>   printcap name = /dev/null
>   disable spoolss = Yes
>   logon script = netlogon.bat
>   logon path = \\%N\profiles\%U
>   domain logons = Yes
>   preferred master = Yes
>   domain master = Yes
>   dns proxy = No
>   ldap admin dn = cn=admin,dc=company,dc=nl
>   ldap delete dn = Yes
>   ldap group suffix = ou=groups
>   ldap idmap suffix = ou=idmap
>   ldap machine suffix = ou=computers
>   ldap passwd sync = yes
>   ldap suffix = dc=company,dc=nl
>   ldap ssl = no
>   ldap user suffix = ou=users
>   usershare max shares = 0
>   usershare path = /srv/storage/shares
>   panic action = /usr/share/samba/panic-action %d
>   idmap backend = ldap:ldap://localhost/
>   idmap alloc backend = ldap
>   idmap uid = 1-61000
>   idmap gid = 1-61000
>   template homedir = /srv/storage/shares/
>   template shell = /bin/bash
>   ldapsam:trusted = yes
>   ldapsam:editposix = yes
>   idmap alloc config : ldap_url = ldap://localhost/
>   idmap alloc config : ldap_base_dn = ou=idmap,dc=company,dc=nl
>   idmap alloc config : ldap_user_dn = cn=admin,dc=company,dc=nl
>   printing = bsd
>   print command = lpr -r -P'%p' %s
>   lpq command = lpq -P'%p'
>   lprm command = lprm -P'%p' %j
> 
> [documenten]
>   path = /srv/storage/shares
>   read only = No
>   inherit acls = Yes
>   map acl inherit = Yes
>   hide unreadable = Yes
>   store dos attributes = Yes
>   vfs objects = recycle
>   recycle:keeptree = Yes
>   recycle:versions = Yes
>   recycle:touch_mtime = Yes
> 
> [homes]
>   comment = Home Directories
>   path = /srv/storage/samba/homes/%U
>   read only = No
>   inherit acls = Yes
>   map acl inherit = Yes
>   store dos attributes = Yes
>   browseable = No
>   root preexec = /usr/local/bin/samba-mkdir-home %U
> 
> [netlogon]
>   comment = Network Logon Service
>   path = /srv/storage/samba/netlogon
>   read only = No
>   inherit acls = Yes
>   map acl inherit = Yes
>   store dos attributes = Yes
>   browseable = N

Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-12-22 Thread Jelle de Jong
On 19/12/11 19:10, Jelle de Jong wrote:
> On 19/12/11 11:22, Jelle de Jong wrote:
>> On 23/05/11 13:37, Jelle de Jong wrote:
>>> I got a few servers that where running stable and somehow winbindd
>>> started complaining. There were no users added or any samba related
>>> updates. Also the problems did not started on the same day one of the
>>> servers started today and on other one months ago...
>>>
>>> winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
>>> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
>>> winbindd[14450]:   Cannot allocate gid above 2!
>>>
>>> # winbindd --version
>>> Version 3.5.6
>>
>> I am still having these errors and I keep increasing the values:
>>
>>idmap uid = 1-60500
>>idmap gid = 1-60500
>>
>> I started with 2 and I am now on 60500...
>>
>> Dec 19 11:01:15 stayce winbindd[23861]: [2011/12/19 11:01:15.569602,  0]
>> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
>> Dec 19 11:01:15 stayce winbindd[23861]:   Cannot allocate gid above 60500!
>>
>> # winbindd --version
>> Version 3.5.6
> 
> I found the following:
> 
> samba (2:3.5.8~dfsg-1) unstable; urgency=low
>   * New upstream release. This fixes the following bugs:
> - Winbind leaks gids with idmap ldap backend (upstrem #)
>   Closes: #613624
> 
> Upgraded to:
> 
> # winbindd --version
> Version 3.5.11
> 
> Hopefully this will fix my issues.

Sadly this didn't work!! A few days later the problem started again...

stayce:~# grep "Cannot allocate gid above" /var/log/syslog
Dec 22 07:28:15 stayce winbindd[26373]:   Cannot allocate gid above 61000!
Dec 22 07:28:15 stayce winbindd[26373]:   Cannot allocate gid above 61000!
Dec 22 07:29:53 stayce winbindd[26373]:   Cannot allocate gid above 61000!

Dec 22 09:31:40 stayce winbindd[26373]:   Cannot allocate gid above 61000!

stayce:~# winbindd -V
Version 3.5.11
stayce:~# smbd -V
Version 3.5.11
stayce:~# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[documenten]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = company
netbios name = SERVER
passdb backend = ldapsam
log file = /var/log/samba/log.%m
smb ports = 445
time server = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
logon script = netlogon.bat
logon path = \\%N\profiles\%U
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=company,dc=nl
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = yes
ldap suffix = dc=company,dc=nl
ldap ssl = no
ldap user suffix = ou=users
usershare max shares = 0
usershare path = /srv/storage/shares
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:ldap://localhost/
idmap alloc backend = ldap
idmap uid = 1-61000
idmap gid = 1-61000
template homedir = /srv/storage/shares/
template shell = /bin/bash
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap alloc config : ldap_url = ldap://localhost/
idmap alloc config : ldap_base_dn = ou=idmap,dc=company,dc=nl
idmap alloc config : ldap_user_dn = cn=admin,dc=company,dc=nl
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j

[documenten]
path = /srv/storage/shares
read only = No
inherit acls = Yes
map acl inherit = Yes
hide unreadable = Yes
store dos attributes = Yes
vfs objects = recycle
recycle:keeptree = Yes
recycle:versions = Yes
recycle:touch_mtime = Yes

[homes]
comment = Home Directories
path = /srv/storage/samba/homes/%U
read only = No
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
browseable = No
root preexec = /usr/local/bin/samba-mkdir-home %U

[netlogon]
comment = Network Logon Service
path = /srv/storage/samba/netlogon
read only = No
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
browseable = No

[profiles]
comment = Users profiles
path = /srv/storage/samba/profiles
read only = No
inherit acls = Yes
profile acls = Yes
map acl inherit = Yes
store dos attributes = Yes
browseable = No

Can somebody help me?

Kind regards,

Jelle de Jong




Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-12-19 Thread Jelle de Jong
On 19/12/11 11:22, Jelle de Jong wrote:
> On 23/05/11 13:37, Jelle de Jong wrote:
>> I got a few servers that where running stable and somehow winbindd
>> started complaining. There were no users added or any samba related
>> updates. Also the problems did not started on the same day one of the
>> servers started today and on other one months ago...
>>
>> winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
>> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
>> winbindd[14450]:   Cannot allocate gid above 2!
>>
>> # winbindd --version
>> Version 3.5.6
> 
> I am still having these errors and I keep increasing the values:
> 
>idmap uid = 1-60500
>idmap gid = 1-60500
> 
> I started with 2 and I am now on 60500...
> 
> Dec 19 11:01:15 stayce winbindd[23861]: [2011/12/19 11:01:15.569602,  0]
> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
> Dec 19 11:01:15 stayce winbindd[23861]:   Cannot allocate gid above 60500!
> 
> # winbindd --version
> Version 3.5.6

I found the following:

samba (2:3.5.8~dfsg-1) unstable; urgency=low
  * New upstream release. This fixes the following bugs:
- Winbind leaks gids with idmap ldap backend (upstrem #)
  Closes: #613624

Upgraded to:

# winbindd --version
Version 3.5.11

Hopefully this will fix my issues.

Kind regards,

Jelle de Jong




Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-12-19 Thread Jelle de Jong
On 23/05/11 13:37, Jelle de Jong wrote:
> I got a few servers that where running stable and somehow winbindd
> started complaining. There were no users added or any samba related
> updates. Also the problems did not started on the same day one of the
> servers started today and on other one months ago...
> 
> winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
> winbindd[14450]:   Cannot allocate gid above 2!
> 
> # winbindd --version
> Version 3.5.6

I am still having these errors and I keep increasing the values:

   idmap uid = 1-60500
   idmap gid = 1-60500

I started with 2 and I am now on 60500...

Dec 19 11:01:15 stayce winbindd[23861]: [2011/12/19 11:01:15.569602,  0]
winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
Dec 19 11:01:15 stayce winbindd[23861]:   Cannot allocate gid above 60500!

# winbindd --version
Version 3.5.6

How can I fix this in a more permanent way?

Kind regards,

Jelle de Jong




Re: [Samba] Samba winbindd: "Invalid request size received" problem

2011-08-11 Thread Christian M Ambach
Moshe wrote on 08/06/2011 05:07:00 AM:

> I am trying to resolve Windows host names (aka Netbios names, aka
> "UNC names) from a Linux box.
> I have added "dns wins" to the "hosts" line at the nsswitch
> configuration file: /etc/nsswitch.conf, and installed samba 3.2.2
> and ran winbindd -D".
[...]
> More info: I am running a Linux system whose kernel version is: "2.
> 6.12.6-arm1". It's a D-Link DNS-323 NAS box with an ARM processor.
> I have stopped and restarted winbindd.

I gave it a quick test and such a setup works with Samba 3.6.
You should try to upgrade to a newer Samba version anyway as 3.2 is quite
old.
Maybe you can find binary packages that you can install on the box instead
of having to compile your own ones.

Regards,
Christian



[Samba] Samba winbindd: "Invalid request size received" problem

2011-08-09 Thread Moshe Aelion
Hi experts - I hope you can help me.

I am trying to resolve Windows host names (aka Netbios names, aka "UNC names) 
from a Linux box. 
I have added "dns wins" to the "hosts" line at the nsswitch configuration file: 
/etc/nsswitch.conf, and installed samba 3.2.2 and ran winbindd -D". 

Now, when I go: "wbinfo -N venus" (where venus is a Windows UNC pc host name on 
the LAN), it responds: "192.168.0.12" (which is venus' IP address). But, when I 
go: "ping venus", it says: "ping: bad address: venus", and in the log file: 
ffp/var/log/samba/log.winbindd
it says: "winbindd/winbindd.c:request_len_recv(616)
request_len_recv: Invalid request size received: 1844 (expected 2096)"

When I try to copy a file from the Windows PC to the Linux box, going:
rsync -v "venus:e/my Documents/Temp/a.txt" . 
(where a.txt is the file I'd like to copy), it says: "ssh: Could not resolve 
hostname venus: Name or service not known", and in: 
ffp/var/log/samba/log.winbindd it says again:
"winbindd/winbindd.c:request_len_recv(616)
request_len_recv: Invalid request size received: 1844 (expected 2096)".

More info: I am running a Linux system whose kernel version is: 
"2.6.12.6-arm1". It's a D-Link DNS-323 NAS box with an ARM processor.
I have stopped and restarted winbindd.

Your help will be appreciated. Thanks in advance - Gail


[Samba] winbindd problems

2011-06-15 Thread Dermot
Hi,

I am having problems with winbindd on a BDC but I am not sure where
the problem lies.

If I run `winbindd -n -i` on the BDC and watch the output from pdbedit
-Lv I see:

winbindd version 3.5.4-0.70.el5_6.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Could not init passdb idmap domain
ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 1 try!
...
ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 15 try!
ldap_initialize: Bad parameter to an ldap routine



I get a similar error if I restart the smb service:

ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 1 try!
ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 2 try!
...
...
Connection to LDAP server failed for the 15 try!
ldap_initialize: Bad parameter to an ldap routine
idmap_alloc module ldap already registered!
idmap_alloc module tdb already registered!
Idmap module passdb already registered!
Idmap module nss already registered!
ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 1 try!

Can anyone offer any pointers as to what the problem might be or
a means that might help me track it down?
Thanks,
Dermot.


Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-05-23 Thread John H Terpstra

On 05/23/2011 06:37 AM, Jelle de Jong wrote:
> Hello everybody,
>
> I got a few servers that were running stable and somehow winbindd
> started complaining. There were no users added or any samba related
> updates. Also the problems did not start on the same day: one of the
> servers started today and the other one months ago...
>
> winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
> winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
> winbindd[14450]:   Cannot allocate gid above 2!

Jelle,

In the [global] stanza do you perhaps have:

idmap gid = 0-2

If yes, you need to increase that upper limit.

If not, please share with us the output of:

testparm -s

Cheers,
John T.

> # winbindd --version
> Version 3.5.6
>
> How can I fix this?
>
> Kind regards,
>
> Jelle de Jong




[Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!

2011-05-23 Thread Jelle de Jong
Hello everybody,

I got a few servers that were running stable and somehow winbindd
started complaining. There were no users added or any samba related
updates. Also the problems did not start on the same day: one of the
servers started today and the other one months ago...

winbindd[14450]: [2011/05/23 13:33:13.442070,  0]
winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
winbindd[14450]:   Cannot allocate gid above 2!

# winbindd --version
Version 3.5.6

How can I fix this?

Kind regards,

Jelle de Jong


[Samba] Winbindd can't convert between SIDs and uid/gid

2011-05-13 Thread Kai Lanz


Samba 3.5.8 on OpenSolaris (SunOS 5.11) Intel platform; gcc 4.2.3;
built with "configure --with-winbind --with-krb5 --with-ldap --with-ads"

Samba is joined to our Windows-2008 AD domain. Pretty much everything works,
except that winbindd can't convert between SIDs and uid/gid:

1. wbinfo -r WIN\\lanz
(Returns nothing -- no output)

First I obtain my SID from "wbinfo -n WIN\\lanz", then:

2. wbinfo -S 
Could not convert  to uid

3. wbinfo -U 2104 <-- That's my correct Unix numerical uid
Could not convert uid 2104 to sid

4. wbinfo -G 37   <-- That's my correct Unix numerical gid
Could not convert gid 37 to sid

First I obtain my group SID on another machine, then:

5. wbinfo -Y 
Could not convert sid  to gid

These tests were all done with caching disabled on winbindd (-n option).
Note that nscd is NOT running (no daemon, service is disabled).

Here's the stuff I've tried that works:

Forward/reverse DNS
kinit/klist
getent
nslookup -query=SRV _ldap._tcp.dc._msdcs.su.win.stanford.edu
nmblookup
smbclient -L sestestns1 (from another machine, with anonymous login)
net ads testjoin
wbinfo -t
wbinfo -g
wbinfo -u
wbinfo --all-domains
wbinfo --user-sids
wbinfo -n WIN\\lanz
wbinfo -s 
wbinfo --name-to-sid 
wbinfo -D SU
Mounting a directory shared by Samba using Kerberos authentication (had to
   increase NGROUPS_MAX before this would work)

I'm hoping someone can suggest where the problem is likely to be, given these
examples of what works and what doesn't.

I ran "wbinfo -G 37" with winbindd debug level set to 10; here's the end of
the log entries I got:

[2011/05/12 11:11:49.492068, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 22838:GID_TO_SID
[2011/05/12 11:11:49.492094,  3] winbindd/winbindd_gid_to_sid.c:46(winbindd_gid_to_sid_send)
  gid_to_sid 37
[2011/05/12 11:11:49.492136, 10] winbindd/winbindd_dual.c:1309(fork_domain_child)
  fork_domain_child called without domain.
[2011/05/12 11:11:49.493161, 10] winbindd/winbindd_dual.c:1342(fork_domain_child)
  Child process 22839
[2011/05/12 11:11:49.495592,  5] winbindd/winbindd_gid_to_sid.c:82(winbindd_gid_to_sid_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2011/05/12 11:11:49.495627, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[22838:GID_TO_SID]: NT_STATUS_NONE_MAPPED

I'm suspicious of the "fork_domain_child called without domain." Also, where
did it get the idea to convert S-0-0?

Excerpt from our smb.conf [global] section:

   workgroup = SU
   realm = SU.WIN.STANFORD.EDU
   client ntlmv2 auth = yes
   allow trusted domains = yes
   lanman auth = Yes
   client lanman auth = Yes
   client plaintext auth = Yes
   preferred master = Auto
   password server = sudc0.su.win.stanford.edu
   netbios name = sestestns1
   wins server = 171.64.7.155 171.64.7.177
   winbind enum groups = yes
   winbind enum users = yes
   winbind nested groups = no
   local master = no
   dns proxy = Yes
   name resolve order = lmhosts wins bcast host
   interfaces = e1000g0
   client schannel = No
   security = ads
   passdb backend = smbpasswd
   domain master = auto
   idmap backend =
   idmap uid = 65001-65500
   idmap gid = 21-31

--
Kai Lanz    Stanford University    School of Earth Sciences



[Samba] winbindd : Error message when login into the samba share ( nsswitch/winbindd_passdb.c:sid_to_name(126) )

2011-05-05 Thread Benjamin Pavie
Hi Everybody,

I have some error messages each time someone connects to my samba share:
May  5 11:03:52 vishnu winbindd[10901]: [2011/05/05 11:03:52, 0]
nsswitch/winbindd_passdb.c:sid_to_name(126)
May  5 11:03:52 vishnu winbindd[10901]:   Possible deadlock: Trying to
lookup SID S-1-22-1-99 with passdb backend
May  5 11:03:52 vishnu winbindd[10901]: [2011/05/05 11:03:52, 0]
nsswitch/winbindd_passdb.c:sid_to_name(126)
May  5 11:03:52 vishnu winbindd[10901]:   Possible deadlock: Trying to
lookup SID S-1-1-0 with passdb backend
May  5 11:03:52 vishnu winbindd[10901]: [2011/05/05 11:03:52, 0]
nsswitch/winbindd_passdb.c:sid_to_name(126)
May  5 11:03:52 vishnu winbindd[10901]:   Possible deadlock: Trying to
lookup SID S-1-5-2 with passdb backend


Here is the command to access to the samba share:
smb://vishnu.dhcp.swmed.org/share/

Here is my smb.conf file:
grep -Ev "#|^;" /etc/samba/smb.conf | uniq

[global]

   workgroup = STANILAB
   password server = vishnu.dhcp.swmed.org
   security = share
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = true
   winbind offline logon = true



disable spoolss = yes
server string = Samba Server Version %v

netbios name = VISHNU

passdb backend = tdbsam

domain master = yes
preferred master = yes
os level = 35

load printers = no
cups options = raw
printcap name = /dev/null
disable spoolss = yes

username map = /etc/samba/smbusers
guest account = nobody

[homes]
comment = Home Directories
browseable = no
read only = yes

[share]
comment = Guest share
path = /home/share
browseable = yes
read only = yes
guest ok = yes


And the domainsid:

net getdomainsid
SID for domain VISHNU is: S-1-5-21-801058460-1949192029-466506960
Could not fetch domain SID

I probably misconfigured something but I don't see what...

Benjamin


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2011-04-11 Thread miguel_gustavo
Dear Jeremy,

I have the same issue at my customer. The samba version is 3.0.36 and we
have issues with the winbindd limit of max 200 connections.

In the pcap, we have the result:

GET_DFS_REFERRALS and user anonymous is shown in the results.

In the beginning, we thought the problem was related to viruses.

Pcap: 

166390  3127.645327  192.168.24.247  192.168.24.13   SMB  Session Setup AndX Response
166392  3127.646862  192.168.24.2    192.168.24.247  SMB  Tree Connect AndX Request, Path: \\DSFW\\IPC$
166393  3127.646884  192.168.24.247  192.168.24.2    TCP  microsoft-ds > miva-mqs [ACK] Seq=520 Ack=2952 Win=16380 Len=0
166394  3127.647414  192.168.24.247  192.168.24.2    SMB  Tree Connect AndX Response
166395  3127.648124  192.168.24.2    192.168.24.247  SMB  Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
166396  3127.648201  192.168.24.247  192.168.24.2    SMB  Trans2 Response, QUERY_PATH_INFO, Error: STATUS_NETWORK_ACCESS_DENIED

I also discovered that the problem is occurring on connections that are in
CLOSE_WAIT state, so it is affecting the number of 200 connections.

Can you help me?



Re: [Samba] Winbindd filling log file with ' final write to client failed: Broken pipe'

2011-04-01 Thread Volker Lendecke
On Fri, Apr 01, 2011 at 09:25:30AM +0200, Gabriele Paggi wrote:
> Hello Volker,
> 
> thanks for your reply!
> 
> > Where is the real error here? This seems completely normal
> > to me with such a high debug level.
> 
> The error I'm referring to is:
> 
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>   final write to client failed: Broken pipe
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>   final write to client failed: Broken pipe
> 
> I can of course disregard it but I would still be wondering why it fails
> writing to the client :)

Oh, that's in response to a Solaris bug. Instead of just
closing the socket we write one byte before closing it. The
bug was that the winbind client did not get a 0 read size
when we just close the server end of a unix domain socket
and thus went into a timeout. Without this bug it can happen
that we can't write to that socket anymore, but it's very
hard to detect at runtime whether we have this bug. So we
live with this error message.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
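
The behaviour described in the reply above, as an added Python illustration (not Samba's code, which is C): the server end of a unix domain socket writes one byte before closing, and that write fails with EPIPE ("Broken pipe") when the client end is already closed. The function names are hypothetical, and a client that has already closed is an assumed cause of "we can't write to that socket anymore".

```python
import errno
import socket


def close_with_final_write(server_side):
    """Write one byte, then close (the workaround described in the reply).

    Returns None if the byte was written, otherwise the errno name.
    """
    try:
        server_side.send(b"\0")
        return None
    except OSError as exc:
        # EPIPE is what a log line would render as "Broken pipe".
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        server_side.close()


def demo(client_closes_first):
    """Run one server/client exchange over a connected AF_UNIX stream pair.

    Returns (server_error, client_view); client_view is None when the client
    left before the server's final write, else (byte_read, read_after_close).
    """
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    if client_closes_first:
        # Client already gone: the final write has nowhere to go.
        client_side.close()
        return close_with_final_write(server_side), None

    # Client still waiting: it sees the extra byte, then a zero-length read.
    server_error = close_with_final_write(server_side)
    byte_read = client_side.recv(16)
    read_after_close = client_side.recv(16)
    client_side.close()
    return server_error, (byte_read, read_after_close)


if __name__ == "__main__":
    print("client waiting :", demo(client_closes_first=False))
    print("client gone    :", demo(client_closes_first=True))
```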


Re: [Samba] Winbindd filling log file with ' final write to client failed: Broken pipe'

2011-04-01 Thread Gabriele Paggi
Hello Volker,

thanks for your reply!

> Where is the real error here? This seems completely normal
> to me with such a high debug level.

The error I'm referring to is:

[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe
[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe

I can of course disregard it but I would still be wondering why it fails
writing to the client :)

Have a nice day,
Gabriele




Re: [Samba] Winbindd filling log file with " final write to client failed: Broken pipe"

2011-03-31 Thread Matthieu Patou

On 31/03/2011 23:08, Gabriele Paggi wrote:
> Hello,
>
> I've set up winbindd to authenticate local users against our active
> directory servers and everything works fine.
> I see plenty of the following lines in my logs and I'm wondering if
> someone can help me troubleshooting this:
>
> [2011/03/31 15:15:02, 10]
> winbindd/winbindd_cache.c:cache_retrieve_response(2666)
>    Retrieving response for pid 8749
> [2011/03/31 15:15:02,  7]
> winbindd/winbindd_idmap.c:winbindd_sid2gid_async(351)
>    winbindd_sid2gid_async: Resolving
> S-1-5-21-2615388863-3808077908-615857747-2195 to a gid
> [2011/03/31 15:15:02, 10] winbindd/winbindd_dual.c:async_request(125)
>    Sending request to child pid 8749 (domain='')
> [2011/03/31 15:15:02, 10]
> winbindd/winbindd_cache.c:cache_retrieve_response(2666)
>    Retrieving response for pid 8749
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>    final write to client failed: Broken pipe
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>    final write to client failed: Broken pipe
>
> Research on the internet didn't help as this kind of error is
> always associated with some functionality not working at all, but
> that's not my case (apparently).

This looks familiar to me, like a bug that I reported to Gunther and that
crashed my server this summer; as far as I remember it's fixed in 3.5.x.

Gunther, can you confirm?

--

Matthieu Patou
Samba Team    http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary




Re: [Samba] Winbindd filling log file with " final write to client failed: Broken pipe"

2011-03-31 Thread Volker Lendecke
On Thu, Mar 31, 2011 at 09:08:12PM +0200, Gabriele Paggi wrote:
> I've set up winbindd to authenticate local users against our active
> directory servers and everything works fine.
> I see plenty of the following lines in my logs and I'm wondering if
> someone can help me troubleshooting this:
> 
> [2011/03/31 15:15:02, 10]
> winbindd/winbindd_cache.c:cache_retrieve_response(2666)
>   Retrieving response for pid 8749
> [2011/03/31 15:15:02,  7]
> winbindd/winbindd_idmap.c:winbindd_sid2gid_async(351)
>   winbindd_sid2gid_async: Resolving
> S-1-5-21-2615388863-3808077908-615857747-2195 to a gid
> [2011/03/31 15:15:02, 10] winbindd/winbindd_dual.c:async_request(125)
>   Sending request to child pid 8749 (domain='')
> [2011/03/31 15:15:02, 10]
> winbindd/winbindd_cache.c:cache_retrieve_response(2666)
>   Retrieving response for pid 8749
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>   final write to client failed: Broken pipe
> [2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
>   final write to client failed: Broken pipe

Where is the real error here? This seems completely normal
to me with such a high debug level.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


[Samba] Winbindd filling log file with " final write to client failed: Broken pipe"

2011-03-31 Thread Gabriele Paggi
Hello,

I've set up winbindd to authenticate local users against our active
directory servers and everything works fine.
I see plenty of the following lines in my logs and I'm wondering if
someone can help me troubleshooting this:

[2011/03/31 15:15:02, 10]
winbindd/winbindd_cache.c:cache_retrieve_response(2666)
  Retrieving response for pid 8749
[2011/03/31 15:15:02,  7]
winbindd/winbindd_idmap.c:winbindd_sid2gid_async(351)
  winbindd_sid2gid_async: Resolving
S-1-5-21-2615388863-3808077908-615857747-2195 to a gid
[2011/03/31 15:15:02, 10] winbindd/winbindd_dual.c:async_request(125)
  Sending request to child pid 8749 (domain='')
[2011/03/31 15:15:02, 10]
winbindd/winbindd_cache.c:cache_retrieve_response(2666)
  Retrieving response for pid 8749
[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe
[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe

Research on the internet didn't help as this kind of error is
always associated with some functionality not working at all, but
that's not my case (apparently).

Versions:
OS: RHEL 5.5
smbd: Version 3.3.8-0.52.el5_5
winbind: Version 3.3.8-0.52.el5_5

This is my smb.conf:

[global]
   workgroup = XXX
   password server = YYY, ZZZ
   realm = XXX.KKK.NET
   security = ads
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   winbind cache time = 120

#log level = 0 winbind:10

   ldap connection timeout = 2
   ldap timeout = 2
   keepalive = 300

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   client schannel = auto
   allow trusted domains = no
   idmap uid = 33554432 - 4294967295
   idmap gid = 33554432 - 4294967295
   idmap config XXX : default = yes
   idmap config XXX : backend = rid
   idmap config XXX : range = 1000 - 33554431
   idmap cache time = 604800

Any help is, of course, highly appreciated :)

Cheers,
Gabriele




Re: [Samba] Winbindd where to use it ? in which environment ?

2011-03-25 Thread David Touzeau
Many thanks gaiseric

This helps me.



On Friday, 25 March 2011 at 16:34 -0400, Gaiseric Vandal wrote:
> gaiseric.vandal


Re: [Samba] Winbindd where to use it ? in which environment ?

2011-03-25 Thread Gaiseric Vandal

If you have a domain with the following specs, you do not need winbind:
- samba PDC
- no samba member servers
- samba BDC's optional
- no trusted domains


You would need winbind in any of the following cases:
- you have a Samba PDC but you need to trust Windows domains
- you have a Samba server that is a member of a domain.

In the two cases above, winbind allocates and manages unix uid's and
gid's for the accounts from windows domains.


You may also need winbind if you have a samba PDC but also samba member
server(s), again to allocate unix uid's and gid's for users from the
domain (this depends on if you have a common LDAP/NIS backend for unix
accounts.)




On 03/25/2011 04:21 PM, David Touzeau wrote:
> Dear
>
> I need help understanding when it is really necessary to use the Winbindd
> daemon.
>
> After reading many wikis it seems that you need to use Winbindd only
> when you need to connect samba to any "Microsoft Windows NT domains"
> such as NT4 PDC or Active Directory.
>
> Is it true that you "did not need" winbindd when you want Samba to act as
> a Primary Domain Controller ?
>
> Best regards and thanks for your help.




   




[Samba] Winbindd where to use it ? in which environment ?

2011-03-25 Thread David Touzeau
Dear

I need help understanding when it is really necessary to use the Winbindd
daemon.

After reading many wikis it seems that you need to use Winbindd only
when you need to connect samba to any "Microsoft Windows NT domains"
such as NT4 PDC or Active Directory.

Is it true that you "did not need" winbindd when you want Samba to act as
a Primary Domain Controller ?

Best regards and thanks for your help.






Re: [Samba] Winbindd log error

2010-12-13 Thread TAKAHASHI Motonobu
2010/12/14 Leonardo Carneiro :
> Hello everyone
>
> I have a Debian Lenny running Samba 3.4.7 + OpenLDAP as PDC. I'm
> having trouble with Winbind. It logs so many messages that my disk is
> almost full!
>
> here is the log:
>
(snip)
> Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
> winbindd/idmap_ldap.c:123(get_credentials)
> Dec 13 16:18:41 fileserver winbindd[10085]:   get_credentials: Unable
> to fetch auth credentials for cn=root,dc=dominio,dc=com,dc=br in ALLOC
> Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
> winbindd/idmap.c:589(idmap_alloc_init)
> Dec 13 16:18:41 fileserver winbindd[10085]:   ERROR: Initialization
> failed for alloc backend, deferred!

(snip)

> idmap alloc backend = ldap
> idmap alloc config : ldap_user_dn = cn=root,dc=dominio,dc=com,dc=br
> idmap alloc config : ldap_base_dn = ou=Usuarios,dc=dominio,dc=com,dc=br
> idmap alloc config : ldap_url = ldap://127.0.0.1


Have you registered the password for cn=root,dc=dominio,dc=com,dc=br with
"net idmap secret alloc "?

---
TAKAHASHI Motonobu 


[Samba] Winbindd log error

2010-12-13 Thread Leonardo Carneiro
Hello everyone

I have a Debian Lenny running Samba 3.4.7 + OpenLDAP as PDC. I'm
having trouble with Winbind. It logs so many messages that my disk is
almost full!

here is the log:

Dec 13 16:18:14 fileserver smbd[10017]: [2010/12/13 16:18:14,  0]
lib/util_sock.c:539(read_fd_with_timeout)
Dec 13 16:18:14 fileserver smbd[10017]: [2010/12/13 16:18:14,  0]
lib/util_sock.c:1491(get_peer_addr_internal)
Dec 13 16:18:14 fileserver smbd[10017]:   getpeername failed. Error
was Transport endpoint is not connected
Dec 13 16:18:14 fileserver smbd[10017]:   read_fd_with_timeout: client
0.0.0.0 read error = Connection timed out.
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
Dec 13 16:18:39 fileserver winbindd[10085]:   idmap_alloc module tdb
already registered!
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap.c:149(smb_register_idmap)
Dec 13 16:18:39 fileserver winbindd[10085]:   Idmap module passdb
already registered!
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap.c:149(smb_register_idmap)
Dec 13 16:18:39 fileserver winbindd[10085]:   Idmap module nss already
registered!
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap_ldap.c:123(get_credentials)
Dec 13 16:18:39 fileserver winbindd[10085]:   get_credentials: Unable
to fetch auth credentials for cn=root,dc=dominio,dc=com,dc=br in ALLOC
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap.c:589(idmap_alloc_init)
Dec 13 16:18:39 fileserver winbindd[10085]:   ERROR: Initialization
failed for alloc backend, deferred!
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
Dec 13 16:18:41 fileserver winbindd[10085]:   idmap_alloc module tdb
already registered!
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap.c:149(smb_register_idmap)
Dec 13 16:18:41 fileserver winbindd[10085]:   Idmap module passdb
already registered!
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap.c:149(smb_register_idmap)
Dec 13 16:18:41 fileserver winbindd[10085]:   Idmap module nss already
registered!
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap_ldap.c:123(get_credentials)
Dec 13 16:18:41 fileserver winbindd[10085]:   get_credentials: Unable
to fetch auth credentials for cn=root,dc=dominio,dc=com,dc=br in ALLOC
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap.c:589(idmap_alloc_init)
Dec 13 16:18:41 fileserver winbindd[10085]:   ERROR: Initialization
failed for alloc backend, deferred!


These errors are filling the daemon.log

Here is the idmap part of the smb.conf:

ldap passwd sync = yes
ldap ssl = off
ldap delete dn = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=root,dc=dominio,dc=com,dc=br
ldap suffix = dc=dominio,dc=com,dc=br
ldap group suffix = ou=Grupos
ldap user suffix = ou=Usuarios
ldap machine suffix = ou=Computadores
ldap idmap suffix = ou=ldapidmapsuffix
idmap backend = ldap://127.0.0.1
idmap alloc backend = ldap
idmap alloc config : ldap_user_dn = cn=root,dc=dominio,dc=com,dc=br
idmap alloc config : ldap_base_dn = ou=Usuarios,dc=dominio,dc=com,dc=br
idmap alloc config : ldap_url = ldap://127.0.0.1
   idmap uid = 1-2
   idmap gid = 1-2

Can someone shed some light on this?

Tks in advance.
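
A way to see which message is flooding a Samba log like the one in this thread, as an added Python example (not part of the original post and not a Samba tool). It parses the debug entry layout quoted throughout these threads, with or without a syslog prefix and in both "function(line)" and "line(function)" location styles, and counts repeated messages; the function names are hypothetical and the sample lines are constructed from the formats shown on this page.

```python
import re
from collections import Counter

# Optional syslog prefix, e.g. "Dec 13 16:18:39 fileserver winbindd[10085]: "
SYSLOG_PREFIX = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+)?[\w.-]+\[\d+\]:\s?")
# Debug header: "[2011/03/31 15:15:02,  2] <location>" (microseconds optional)
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(\d+)\]\s*(.*)$")
# Location: "file.c:function(line)" or "file.c:line(function)"
LOCATION = re.compile(r"^(\S+\.c):(?:(\w+)\((\d+)\)|(\d+)\((\w+)\))$")
SID = re.compile(r"S-\d+(?:-\d+)+")
NUMBER = re.compile(r"\b\d+\b")


def _apply_location(entry, text):
    """Fill file/function/line from a location string; False if it is not one."""
    match = LOCATION.match(text)
    if not match:
        return False
    entry["file"] = match.group(1)
    entry["function"] = match.group(2) or match.group(5)
    entry["line"] = int(match.group(3) or match.group(4))
    return True


def parse_entries(lines):
    """Group raw log lines into entries: header, location, joined message."""
    entries, current = [], None
    for raw in lines:
        line = SYSLOG_PREFIX.sub("", raw.rstrip("\n"))
        header = HEADER.match(line)
        if header:
            current = {"timestamp": header.group(1), "level": int(header.group(2)),
                       "file": None, "function": None, "line": None, "parts": []}
            entries.append(current)
            _apply_location(current, header.group(3).strip())
            continue
        text = line.strip()
        if current is None or not text:
            continue
        # syslog or a mail client may have wrapped the location onto its own line
        if current["file"] is None and not current["parts"] \
                and _apply_location(current, text):
            continue
        current["parts"].append(text)
    for entry in entries:
        entry["message"] = " ".join(entry.pop("parts"))
    return entries


def signature(entry):
    """Key for counting: SIDs and bare numbers are masked so variants group."""
    message = NUMBER.sub("<N>", SID.sub("<SID>", entry["message"]))
    return (entry["level"], entry["function"], message)


def top_talkers(entries, max_level=2, limit=5):
    """Most frequent messages at debug level <= max_level (0 is most severe)."""
    counts = Counter(signature(e) for e in entries if e["level"] <= max_level)
    return counts.most_common(limit)


# Constructed sample: the SID is made up, the layouts mirror the quoted logs.
SAMPLE_LOG = """\
[2011/03/31 15:15:02,  7] winbindd/winbindd_idmap.c:winbindd_sid2gid_async(351)
  winbindd_sid2gid_async: Resolving S-1-5-21-1111111111-2222222222-3333333333-2195 to a gid
[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe
[2011/03/31 15:15:02,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe
Dec 13 16:18:39 fileserver winbindd[10085]: [2010/12/13 16:18:39,  0]
winbindd/idmap.c:589(idmap_alloc_init)
Dec 13 16:18:39 fileserver winbindd[10085]:   ERROR: Initialization
failed for alloc backend, deferred!
Dec 13 16:18:41 fileserver winbindd[10085]: [2010/12/13 16:18:41,  0]
winbindd/idmap.c:589(idmap_alloc_init)
Dec 13 16:18:41 fileserver winbindd[10085]:   ERROR: Initialization
failed for alloc backend, deferred!
Dec 13 16:18:43 fileserver winbindd[10085]: [2010/12/13 16:18:43,  0]
winbindd/idmap.c:589(idmap_alloc_init)
Dec 13 16:18:43 fileserver winbindd[10085]:   ERROR: Initialization
failed for alloc backend, deferred!
"""

if __name__ == "__main__":
    for (level, function, message), count in top_talkers(
            parse_entries(SAMPLE_LOG.splitlines())):
        print(f"{count:4d}  level={level}  {function}: {message}")
```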


[Samba] winbindd(8)-> groups: cannot find name for group ID ... [SEC=UNCLASSIFIED]

2010-12-08 Thread Wilkinson, Alex
Hi all,

On one of my Linux AD clients (Ubuntu 10.04.1 LTS - 2.6.32-24-generic) when I
log in via ssh I get the following errors:

   groups: cannot find name for group ID 1
   groups: cannot find name for group ID 10001
   groups: cannot find name for group ID 10002
   groups: cannot find name for group ID 10003
   groups: cannot find name for group ID 10004

The login still succeeds perfectly fine i.e via winbindd(8) + Samba 3.4.7.

Looking at the debug output for an interactive winbindd(8) session I see:

   [ 2797]: gid 1 to sid
   Could not find domain for sid S-1-5-21-xx-xx-xx-x
   [ 2877]: getgrgid 10001
   child daemon request 55
   [ 2797]: gid 10001 to sid
   Could not find domain for sid S-1-5-21-xx-xx-xx-
   [ 2877]: getgrgid 10002
   child daemon request 55
   [ 2797]: gid 10002 to sid
   Could not find domain for sid S-1-5-21-xx-xx-xx-x
   [ 2877]: getgrgid 10003
   child daemon request 55
   [ 2797]: gid 10003 to sid
   Could not find domain for sid S-1-5-21-xx-xx-xx-
   [ 2877]: getgrgid 10004
   child daemon request 55
   [ 2797]: gid 10004 to sid
   Could not find domain for sid S-1-5-21-x-x-xx-

relevant smb.conf entry looks like:

   idmap backend   = tdb
   idmap uid   = 1-50
   idmap gid   = 1-50
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range   = 1-50

Can anyone suggest what is wrong here or how to debug further ?

Thanks

  -Alex



[Samba] winbindd dead but subsys locked

2010-11-19 Thread Jeremy Farrar
winbind failed on one of the servers in my cluster yesterday. I have been
unable to get winbind to start ever since. The init.d script seems to start
winbind and a pid is created. When I run service winbind status I receive
winbindd dead but subsys locked.

So far I have manually deleted the pid. I have rebooted the machine. I have
reinstalled Samba. Any assistance would be greatly appreciated.

Here is a copy of smb.conf:

[global]
   server string = %h
   workgroup = DOMAIN
   netbios name = stlnas
   password server = stlDOMAINdc1.DOMAIN.local
   realm = DOMAIN.LOCAL
   security = ads
   idmap backend = tdb2
   idmap uid = 1-2
   idmap gid = 1-2
   template shell = /bin/bash
#   template homedir = /DOMAIN/home/%U
template homedir = /home/DOMAIN/%U
   winbind uid = 20001-20
   winbind gid = 20001-20
   winbind trusted domains only = no
   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   obey pam restrictions = yes
   printcap name = /etc/printcap
   socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY SO_BROADCAST
   clustering = yes
   # logs split per machine
   log file = %S.log
   log level = 2
   # max 50KB per log file, then rotate
   max log size = 50

#passdb backend = tdbsam

# Share Definitions
==

[DOMAIN]
comment = Home Directories
path = /DOMAIN
browseable = no
writable = yes
acl compatibility = auto
acl check permissions = True
nt acl support = yes
ea support = yes
acl map full control = True
map acl inherit = yes
inherit acls = yes


[logonscripts]
comment = File Sharing
path = /DOMAIN/shares/logonscripts
copy = DOMAIN


Re: [Samba] winbindd completely stopped responding

2010-10-18 Thread Gaiseric Vandal
idmap and winbind may be caching the entries (use "testparm -v" to look
for cache or timeout values.)   winbind or idmap processes may load
data when they start, cache it, but when the cache expires  they DON'T
reload the data.


Just a guess.  I had this problem with samba 3.0.x but not 3.4.x.

On 10/18/2010 12:31 AM, Christian Huldt wrote:
> I have a samba3 server (ubuntu, 3.4.7) joined to a samba4 that has been working
> very nicely but today I got errors:
>
> net ads testjoin
> says the join is OK, but
> wbinfo -t
>
> says
> checking the trust secret via RPC calls failed
> Could not check secret
>
>
> and winbind logs on that machine (samba3) says:
> lsa_lookupsids call failed with NT_STATUS_NO_MEMORY - retrying...
>
> However, another samba3 machine that is not really used works just fine...
>
> I finally found two stuck winbind processes on the failing samba3 machine,
> after killing them and restarting winbind
> everything was working perfectly again, but I would like to understand the
> problem better.
>
> What would cause winbindd to completely stop responding after running just fine
> for days?
>
> Christian Huldt

   




[Samba] winbindd completely stopped responding

2010-10-17 Thread Christian Huldt
I have a samba3 server (ubuntu, 3.4.7) joined to a samba4 that has been working 
very nicely but today I got errors:

net ads testjoin 
says the join is OK, but 
wbinfo -t

says
checking the trust secret via RPC calls failed
Could not check secret


and winbind logs on that machine (samba3) says:
lsa_lookupsids call failed with NT_STATUS_NO_MEMORY - retrying...

However, another samba3 machine that is not really used works just fine...

I finally found two stuck winbind processes on the failing samba3 machine,
after killing them and restarting winbind
everything was working perfectly again, but I would like to understand the
problem better.

What would cause winbindd to completely stop responding after running just fine 
for days?

Christian Huldt



Re: [Samba] Winbindd foreign language issue

2010-09-23 Thread Jeremy Allison
On Thu, Sep 23, 2010 at 12:33:14PM -0400, Soohoon Lee wrote:
> Hi,
> Could somebody look at this problem?
> 
> In 3.5.5
> If I set "unix charset" to something other than UTF-8 like Chinese then
> 'getent passwd or groups ' doesn't list ADS users/groups in foreign
> languages.
> 'wbinfo -ug' works fine but I guess they are not transferred to nsswitch
> layer.
> 
> In 3.5.4
> even 'wbinfo -g' doesn't list ADS groups in foreign language. 'wbinfo -u' is
> OK.
> 
> In 3.4.9
> everything works fine.

Can you log a bug at bugzilla.samba.org with some *explicit*
instructions on how to reproduce your problem please ?

Jeremy.


[Samba] Winbindd foreign language issue

2010-09-23 Thread Soohoon Lee
Hi,
Could somebody look at this problem?

In 3.5.5
If I set "unix charset" to something other than UTF-8 like Chinese then
'getent passwd or groups ' doesn't list ADS users/groups in foreign
languages.
'wbinfo -ug' works fine but I guess they are not transferred to nsswitch
layer.

In 3.5.4
even 'wbinfo -g' doesn't list ADS groups in foreign language. 'wbinfo -u' is
OK.

In 3.4.9
everything works fine.

Thanks,


[Samba] winbindd GETGRENT results in trusted domains environment

2010-06-29 Thread Sergey Tashkinov
 Good day.

   1. We have configured two domain controllers on Windows 2003 R2. We
      named them TEST.LOCAL and CHILD.TEST.LOCAL respectively and made a
      trust relationship between them.
   2. We have installed Samba 3.5.3 on Ubuntu 9.10, kernel 2.6.31-14 and
      configured it for using winbindd.

 We have encountered a problem with the results that winbind returns
 for the GETGRENT command. We have obtained those results with the
 command "getent group".
   In a case if both domain controllers are turned on everything works
   well and we can get groups of users from both domains, for example:

   r...@ubuntu:/home/user# getent group
   root:x:0:
   daemon:x:1:
   bin:x:2:
   sys:x:3:
   adm:x:4:user
   tty:x:5:
   disk:x:6:
   lp:x:7:
   mail:x:8:
   news:x:9:
   uucp:x:10:
   man:x:12:
   proxy:x:13:
   kmem:x:15:
   dialout:x:20:user
   fax:x:21:
   voice:x:22:
   cdrom:x:24:user
   floppy:x:25:
   tape:x:26:
   sudo:x:27:
   audio:x:29:pulse
   dip:x:30:
   www-data:x:33:
   backup:x:34:
   operator:x:37:
   list:x:38:
   irc:x:39:
   src:x:40:
   gnats:x:41:
   shadow:x:42:
   utmp:x:43:
   video:x:44:
   sasl:x:45:
   plugdev:x:46:user
   staff:x:50:
   games:x:60:
   users:x:100:
   nogroup:x:65534:
   libuuid:x:101:
   syslog:x:102:
   fuse:x:103:
   lpadmin:x:104:user
   ssl-cert:x:105:
   messagebus:x:106:
   crontab:x:107:
   mlocate:x:108:
   ssh:x:109:
   avahi-autoipd:x:110:
   avahi:x:111:
   netdev:x:112:
   couchdb:x:113:
   haldaemon:x:114:
   admin:x:115:user
   saned:x:116:
   pulse:x:117:
   pulse-access:x:118:
   gdm:x:119:
   user:x:1000:
   sambashare:x:120:user
   winbindd_priv:x:121:
   TEST\helpservicesgroup:x:13:TEST\support_388945a0
   TEST\telnetclients:x:14:
   TEST\domain computers:x:15:
   TEST\domain controllers:x:16:
   TEST\schema admins:x:17:TEST\administrator
   TEST\enterprise admins:x:18:TEST\administrator
   TEST\cert publishers:x:19:
   TEST\domain admins:x:100010:TEST\administrator
   TEST\domain users:x:100011:
   TEST\domain guests:x:100012:
   TEST\group policy creator owners:x:100013:TEST\administrator
   TEST\ras and ias servers:x:100014:
   TEST\dnsadmins:x:100015:
   TEST\dnsupdateproxy:x:100016:
   TEST\group1:x:100017:
   TEST\group2:x:100018:
   TEST\group3:x:100019:
   TEST\group4:x:100020:
   TEST\group5:x:100021:
   TEST\group6:x:100022:
   TEST\group7:x:100023:
   TEST\group8:x:100024:
   TEST\group9:x:100025:
   TEST\group10:x:100026:
   TEST\group11:x:100027:
   CHILD\domain computers:x:100030:
   CHILD\domain controllers:x:100031:
   CHILD\domain admins:x:100032:CHILD\administrator
   CHILD\domain users:x:100033:
   CHILD\domain guests:x:100034:
   CHILD\group policy creator owners:x:100035:CHILD\administrator

   If we turn off the domain CHILD.TEST.LOCAL then "getent group" doesn't
   return any groups from either domain, even from TEST.LOCAL.

   r...@ubuntu:/home/user# getent group
   root:x:0:
   daemon:x:1:
   bin:x:2:
   sys:x:3:
   adm:x:4:user
   tty:x:5:
   disk:x:6:
   lp:x:7:
   mail:x:8:
   news:x:9:
   uucp:x:10:
   man:x:12:
   proxy:x:13:
   kmem:x:15:
   dialout:x:20:user
   fax:x:21:
   voice:x:22:
   cdrom:x:24:user
   floppy:x:25:
   tape:x:26:
   sudo:x:27:
   audio:x:29:pulse
   dip:x:30:
   www-data:x:33:
   backup:x:34:
   operator:x:37:
   list:x:38:
   irc:x:39:
   src:x:40:
   gnats:x:41:
   shadow:x:42:
   utmp:x:43:
   video:x:44:
   sasl:x:45:
   plugdev:x:46:user
   staff:x:50:
   games:x:60:
   users:x:100:
   nogroup:x:65534:
   libuuid:x:101:
   syslog:x:102:
   fuse:x:103:
   lpadmin:x:104:user
   ssl-cert:x:105:
   messagebus:x:106:
   crontab:x:107:
   mlocate:x:108:
   ssh:x:109:
   avahi-autoipd:x:110:
   avahi:x:111:
   netdev:x:112:
   couchdb:x:113:
   haldaemon:x:114:
   admin:x:115:user
   saned:x:116:
   pulse:x:117:
   pulse-access:x:118:
   gdm:x:119:
   user:x:1000:
   sambashare:x:120:user
   winbindd_priv:x:121:

   But Samba 3.2.15 returned groups from TEST domain in both cases.
   The configuration files we used in a test environment for Samba,
   Nsswitch and PAM are listed below.

   #/etc/smb.conf
   [global]
   security = ads
   encrypt passwords = yes
   password server = ws2003.test.local
   workgroup = test
   realm = CHILD.LOCAL
   netbios name = ubuntu
   allow trusted domains = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   winbind separator = +
   winbind uid = 10-200
   winbind gid = 10-200
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
   server string = %h server
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   debug level = 11
   [public]
   comment = Public
   path=/home/public
   browsable=yes
   writable=yes
   admin users=user

   # /etc/nsswitch.conf
   passwd: files winbind
   group:  files winbind
   shadow: compat
   hosts:  files mdns4_minimal [NOTFOUND=return] dns mdns4
   networks: files
   protocols:  db files
   services: db files
   ethers: db files
   rpc:  db files
   netgroup: nis

   # /etc/pam.d/samba
   auth sufficient pam_winbind.so
   account sufficient pam_winbind.so
   session sufficient pam_winbind.so
   @include common-auth
   @include common-account
   @include common-session

   It is important for us to get group 

[Samba] winbindd Idmap and smbd errors failures and warnings in logs

2010-06-22 Thread Jelle de Jong
Hello everybody,

I configured a running samba server that seems to work, except that
the logs are full with failures, errors and warnings. They seem to be
related to winbindd idmap and smbd endpoints.

I attached some of my debug information, can somebody help explaining
these errors so I can try solving them and so they won't happen any more.

Thanks in advance.

With kind regards,

Jelle de Jong
#---

# tail -n 400 -f /var/log/syslog
Jun 22 12:29:41 cassidy smbd[18872]: [2010/06/22 12:29:41,  0] 
lib/util_sock.c:1491(get_peer_addr_internal)
Jun 22 12:29:41 cassidy smbd[18872]:   getpeername failed. Error was Transport 
endpoint is not connected
Jun 22 12:29:41 cassidy smbd[18872]:   read_fd_with_timeout: client 0.0.0.0 
read error = Connection reset by peer.
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:201(smb_register_idmap_alloc)
Jun 22 12:29:41 cassidy winbindd[16249]:   idmap_alloc module tdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module passdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module nss already registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1470(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Failed 
to add S-1-5-32-544 to 8573 mapping [gidNumber]
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1472(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Error 
was: (NULL) (Already exists)
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:201(smb_register_idmap_alloc)
Jun 22 12:29:41 cassidy winbindd[16249]:   idmap_alloc module tdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module passdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module nss already registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1470(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Failed 
to add S-1-5-32-545 to 8574 mapping [gidNumber]
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1472(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Error 
was: (NULL) (Already exists)
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:201(smb_register_idmap_alloc)
Jun 22 12:29:41 cassidy winbindd[16249]:   idmap_alloc module tdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module passdb already 
registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap.c:149(smb_register_idmap)
Jun 22 12:29:41 cassidy winbindd[16249]:   Idmap module nss already registered!
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1470(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Failed 
to add S-1-5-32-546 to 8575 mapping [gidNumber]
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] 
winbindd/idmap_ldap.c:1472(idmap_ldap_set_mapping)
Jun 22 12:29:41 cassidy winbindd[16249]:   ldap_set_mapping_internals: Error 
was: (NULL) (Already exists)
Jun 22 12:29:42 cassidy smbd[18876]: [2010/06/22 12:29:42,  0] 
lib/util_sock.c:1491(get_peer_addr_internal)
Jun 22 12:29:42 cassidy smbd[18876]:   getpeername failed. Error was Transport 
endpoint is not connected
Jun 22 12:29:42 cassidy smbd[18876]: [2010/06/22 12:29:42,  0] 
lib/util_sock.c:539(read_fd_with_timeout)
Jun 22 12:29:42 cassidy smbd[18876]: [2010/06/22 12:29:42,  0] 
lib/util_sock.c:1491(get_peer_addr_internal)
Jun 22 12:29:42 cassidy smbd[18876]:   getpeername failed. Error was Transport 
endpoint is not connected
Jun 22 12:29:42 cassidy smbd[18876]:   read_fd_with_timeout: client 0.0.0.0 
read error = Connection reset by peer.
Jun 22 12:29:42 cassidy smbd[18878]: [2010/06/22 12:29:42,  0] 
lib/util_sock.c:1491(get_peer_addr_internal)
Jun 22 12:29:42 cassidy smbd[18878]:   getpeername failed. Error was Transport 
endpoint is not connected
Jun 22 12:29:42 cassidy smbd[18878]: [2010/06/22 12:29:42,  0] 
lib/util_sock.c:539(read_fd_with_timeout)
Jun 22 12:29:42 cassidy 

[Samba] Winbindd & Domain Controllers

2010-03-01 Thread David Norman
How intensely does Samba (winbindd) interact with a DC after the initial 
login ?
I'm looking at a situation where the DC is in a different area to the 
samba system, and is liable to lose power during maintenance. No other 
DCs will be available. The Windows apps that use samba need to keep on 
running. Is an unavailable DC an issue ? Can I use the winbindd caching 
options to help ?


Thanks,


Re: [Samba] winbindd error:

2010-01-10 Thread David Southwell
> On Sat, 9 Jan 2010, David Southwell wrote:
> > Date: Sat, 9 Jan 2010 22:23:53 +
> > From: David Southwell 
> > To: samba@lists.samba.org
> > Subject: [Samba] winbindd error:
> >
> >
> > Can anyone tell me what might be going on here?
> >
> > Thanks in advance
> > David
> >
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap_alloc(201)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already
> > registered!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap(149)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already
> > registered!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap(149)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already
> > registered! Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15, 
> > 0]
> > winbindd/idmap.c:idmap_alloc_init(589)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for
> > alloc backend, deferred!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap_alloc(201)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module ldap already
> > registered!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap_alloc(201)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already
> > registered!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap(149)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already
> > registered!
> > Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
> > winbindd/idmap.c:smb_register_idmap(149)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already
> > registered! Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15, 
> > 0]
> > winbindd/idmap.c:idmap_alloc_init(589)
> > Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for
> > alloc backend, deferred!
> 
> David,
> 
> Can you give us your smb.conf file to browse?
> 
> Additionally, give us some more info on your system.  RHEL, Debian?  Is
> your samba installed from source or package (can both be on your
> system??) and what version?
> 
> Did you make any changes recently?
> 
> ---Robert Freeman-Day

I found the cause it was a duplicated entry of a share in smb.conf. I do not 
know how this happened. I had made some manual alterations to smb.conf and 
subsequently made some further changes using SWAT. During this process I must 
have duplicated an entry but have no record as to how it occurred.

Thanks for trying to help
David


Re: [Samba] winbindd error:

2010-01-09 Thread Robert Freeman-Day

On Sat, 9 Jan 2010, David Southwell wrote:


Date: Sat, 9 Jan 2010 22:23:53 +
From: David Southwell 
To: samba@lists.samba.org
Subject: [Samba] winbindd error:


Can anyone tell me what might be going on here?

Thanks in advance
David
:
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:idmap_alloc_init(589)
Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for alloc
backend, deferred!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module ldap already
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0]
winbindd/idmap.c:idmap_alloc_init(589)
Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for alloc
backend, deferred!



David,

Can you give us your smb.conf file to browse?

Additionally, give us some more info on your system.  RHEL, Debian?  Is 
your samba installed from source or package (can both be on your 
system??) and what version?


Did you make any changes recently?

---Robert Freeman-Day
---
I would really like you to be on my side,
but the side you show me isn't what I had in mind.

-Judybats
GPG Public Key:
http:keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36



[Samba] winbindd error:

2010-01-09 Thread David Southwell

Can anyone tell me what might be going on here?

Thanks in advance
David
:
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already 
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already 
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:idmap_alloc_init(589)
Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for alloc 
backend, deferred!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module ldap already 
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap_alloc(201)
Jan  9 22:02:15 dns1 winbindd[19219]:   idmap_alloc module tdb already 
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module passdb already 
registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:smb_register_idmap(149)
Jan  9 22:02:15 dns1 winbindd[19219]:   Idmap module nss already registered!
Jan  9 22:02:15 dns1 winbindd[19219]: [2010/01/09 22:02:15,  0] 
winbindd/idmap.c:idmap_alloc_init(589)
Jan  9 22:02:15 dns1 winbindd[19219]:   ERROR: Initialization failed for alloc 
backend, deferred!


Re: [Samba] winbindd & Domain group

2009-08-14 Thread Dale Schroeder

Edgardo,

Which group is associated with gid 1?
   getent group|grep 1

What gid has winbind assigned to "domain users"?
   getent group|grep "domain users"

Dale


Edgardo Ghibaudo wrote:

Domain Type: Active Directory Windows 2000 Server
smb.conf
[global]
workgroup = TEST
realm = TEST
server string = SRVBIND TEST-SITE (samba 3.3.4)
security = ADS
passdb backend = tdbsam
load printers = No
show add printer wizard = No
idmap uid = 1-20
idmap gid = 1-20
winbind enum users = Yes
winbind enum groups = Yes
acl group control = Yes
map acl inherit = Yes
[comune]
comment = DISCO COMUNE
path = /home/comune
valid users = @TEST\Everyone
write list = @TEST\Everyone
read only = No
create mask = 0774
directory mask = 0774
follow symlinks = No

nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts:  files dns wins
networks:   files dns
protocols:  db files
services:   db files
ethers: db files
rpc:db files
netgroup:   nis

Thanks, Edgardo
-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Thursday, 13 August 2009 21.29

To: Edgardo Ghibaudo
Subject: Re: [Samba] winbindd & Domain group

Winbind should get primary group information from the domain controller.
Please provide domain type (AD, NT, Samba) and relevant parts of 
smb.conf and nsswitch.conf.


Dale

Edgardo Ghibaudo wrote:
  

Hi,
I'm using samba rel.3.3.4.
The domain group associated to the domain user is always 1 that means "Domain 
Users" for all the domain users
$> getent passwd | grep pippo
DOMAIN\pippo:*:10015:1:PIPPO:/home/DOMAIN/pippo:/bin/false
 
Do you know how is it possible to assign a different domain group ?

How is it possible that winbindd intercepts another domain group instead of  the default 
"Domain Users" ?
 
Thanks in advance,

Edgardo Ghibaudo




[Samba] winbindd & Domain group

2009-08-13 Thread Edgardo Ghibaudo
Hi,
I’m using samba rel.3.3.4.
The domain group associated to the domain user is always 1 that means 
“Domain Users” for all the domain users
$> getent passwd | grep pippo
DOMAIN\pippo:*:10015:1:PIPPO:/home/DOMAIN/pippo:/bin/false
 
Do you know how is it possible to assign a different domain group ?
How is it possible that winbindd intercepts another domain group instead of  
the default “Domain Users” ?
 
Thanks in advance,
Edgardo Ghibaudo



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-15 Thread Jeremy Allison
On Tue, Jul 14, 2009 at 04:09:18PM +0200, Rene wrote:
>
> Hi there,
>
> got the same problem on a Samba 3.3.1 installation.
>
> winbindd log is filling up faster than logrotate is able to clean it,  
> and my machine finally ends up with a full partition.
>
> Searched the Web now half the day and found that it should be solved in  
> 3.2.8. Is there any other known Issue how this behavior can occur?

No, this should be fixed in the latest 3.3.x (and 3.2.8 and above).

Can you try upgrading to 3.3.6 (latest 3.3.x release) or 3.4.0
and let us know if the problem happens again please ?

Jeremy.


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-14 Thread John H Terpstra - Samba Team
Rene wrote:
> Jeremy Allison schrieb:
>> On Mon, Jul 13, 2009 at 11:53:15AM -0400, Linux Addict wrote:
>>> On Sun, Mar 22, 2009 at 3:37 PM, Elvar  wrote:
>>>

 Elder Souza wrote:

> No prob Jeremy, thanx for your help!
>
> Elder Souza
> (71) 9972-7573 / (71) 8801-5734
>
>
> On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:
>
>
>
>> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
>>
>>
>>> It has been fixed after what version? Do you know?
>>>
>>>
>> Don't have the time to check the release
>> notes right now, but it's definitely fixed
>> in 3.0.32 and 3.2.4.
>>
>> Jeremy.
>>
>>
>>
 I just downloaded version 3.0.33 and when I view the local.h file I
 still
 see 200 defined as the max simultaneous connections. Is it really
 fixed?
 Some of my installations require more than 200 simultaneous
 connections. I'm
 still using an older version but until I modified this to 400+ I had
 problems.

 /* Max number of simultaneous winbindd socket connections. */
 #define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200





>>>
>>>
>>>
>>> I am using  3.2.4 but I still get this messages. I had many production
>>> servers hit 100% CPU due to winbind. I had to stop winbind 3 times
>>> through
>>> rc script to stop winbind.
>>>
>>> I didn't have verbose log enabled, but I would go straight and
>>> upgrade if
>>> you guys think this is resolved in latest versions.
>>
>> Ah. My statement that this was fixed in 3.2.4 was wrong, sorry
>> about that.
>>
>> I've checked back in the release notes and the fix for this
>> bug (3204) was discovered by Richard Sharpe in Jan 2009,
>> and 3.2.4 dates from 18 September 2008.
>>
>> The fix went into the 3.2 tree on 2009-01-08, and so
>> it will have been fixed on the 03 February 2009 release
>> Samba 3.2.8 and above. Sorry for the mistake in claiming
>> it was fixed in 3.2.4.
>>
>> Jeremy.
> 
> 
> Hi there,
> 
> got the same problem on a Samba 3.3.1 installation.
> 
> winbindd log is filling up faster than logrotate is able to clean it,
> and my machine finally ends up with a full partition.
> 
> Searched the Web now half the day and found that it should be solved in
> 3.2.8. Is there any other known Issue how this behavior can occur?
> 
> 
> René

The same problem was experienced in a 4200 user site with 3.3.2 but has
not happened since 3.3.4 went in.

The problem first occurred with 3.0.30, also with 3.2.3, then moved to
3.3.2, and in each case was highly intermittent and we could not get a
lock on what was causing it because it was always a sudden-death problem
that blew up the /var/log/samba file system.  At its worst the problem
ate up 72GB of storage in a matter of minutes.  Also, only one server
out of a dozen was ever affected.  This makes the matter highly
suspicious.

I would suggest moving to 3.3.4 or later, but do not rule out that you
may have a platform integrity problem. Perhaps one of the library files
is damaged.

cheers,
John T.
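
Added example, not part of the thread: a Python triage script for the log flood described above. It parses both Samba debug-header layouts quoted in these posts (file:func(line) and file:line(func)), with or without a syslog prefix, and reports messages repeated within one second. The sample lines are constructed from the formats shown in the thread; the function names and the threshold are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Optional syslog prefix, e.g. "Jun 22 12:29:41 cassidy winbindd[16249]: "
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]: ?"
)

# Samba debug record header. Two layouts appear in the quoted logs:
#   [2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
#   [2010/06/22 12:29:41,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):"
    r"(?:(?P<func_a>[A-Za-z_]\w*)\((?P<line_a>\d+)\)"
    r"|(?P<line_b>\d+)\((?P<func_b>[A-Za-z_]\w*)\))"
)


def parse_records(lines):
    """Group header + indented message lines into records.

    Message lines seen before the first header (an excerpt that starts
    mid-record) are ignored rather than attached to the wrong record.
    """
    records, current = [], None
    for raw in lines:
        line = SYSLOG_PREFIX.sub("", raw.rstrip("\n"))
        m = HEADER.match(line)
        if m:
            current = {
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "level": int(m["level"]),
                # Source location without the line number, so that the same
                # message logged from two call sites in one function groups.
                "where": "%s:%s" % (m["file"], m["func_a"] or m["func_b"]),
                "line": int(m["line_a"] or m["line_b"]),
                "message": "",
            }
            records.append(current)
        elif current is not None and line.strip():
            current["message"] = (current["message"] + " " + line.strip()).strip()
    return records


def find_bursts(records, threshold=3, max_level=0):
    """Return (timestamp, where, message, count) for messages at or below
    max_level that repeat at least `threshold` times within one second."""
    counts = Counter(
        (r["ts"], r["where"], r["message"])
        for r in records
        if r["level"] <= max_level
    )
    return sorted(
        (ts, where, msg, n)
        for (ts, where, msg), n in counts.items()
        if n >= threshold
    )


# Constructed sample input in the two formats quoted in the thread.
SAMPLE = """\
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
  winbindd: Exceeding 200 client connections, no idle connection found
Jun 22 12:29:41 cassidy winbindd[16249]: [2010/06/22 12:29:41,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
Jun 22 12:29:41 cassidy winbindd[16249]:   idmap_alloc module tdb already registered!
""".splitlines()


if __name__ == "__main__":
    for ts, where, msg, n in find_bursts(parse_records(SAMPLE)):
        print("%s  %dx  %s  %s" % (ts, n, where, msg))
```

Run against a live log on a schedule, a non-empty result is an early signal to act before the log partition fills.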


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-14 Thread Rene

Jeremy Allison schrieb:

On Mon, Jul 13, 2009 at 11:53:15AM -0400, Linux Addict wrote:

On Sun, Mar 22, 2009 at 3:37 PM, Elvar  wrote:



Elder Souza wrote:


No prob Jeremy, thanx for your help!

Elder Souza
(71) 9972-7573 / (71) 8801-5734


On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:




On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:



It has been fixed after what version? Do you know?



Don't have the time to check the release
notes right now, but it's definitely fixed
in 3.0.32 and 3.2.4.

Jeremy.




I just downloaded version 3.0.33 and when I view the local.h file I still
see 200 defined as the max simultaneous connections. Is it really fixed?
Some of my installations require more than 200 simultaneous connections. I'm
still using an older version but until I modified this to 400+ I had
problems.

/* Max number of simultaneous winbindd socket connections. */
#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200









I am using  3.2.4 but I still get this messages. I had many production
servers hit 100% CPU due to winbind. I had to stop winbind 3 times through
rc script to stop winbind.

I didn't have verbose log enabled, but I would go straight and upgrade if
you guys think this is resolved in latest versions.


Ah. My statement that this was fixed in 3.2.4 was wrong, sorry
about that.

I've checked back in the release notes and the fix for this
bug (3204) was discovered by Richard Sharpe in Jan 2009,
and 3.2.4 dates from 18 September 2008.

The fix went into the 3.2 tree on 2009-01-08, and so
it will have been fixed on the 03 February 2009 release
Samba 3.2.8 and above. Sorry for the mistake in claiming
it was fixed in 3.2.4.

Jeremy.



Hi there,

got the same problem on a Samba 3.3.1 installation.

winbindd log is filling up faster than logrotate is able to clean it, 
and my machine finally ends up with a full partition.


Searched the Web now half the day and found that it should be solved in 
3.2.8. Is there any other known Issue how this behavior can occur?



René






Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-13 Thread Jeremy Allison
On Mon, Jul 13, 2009 at 11:53:15AM -0400, Linux Addict wrote:
> On Sun, Mar 22, 2009 at 3:37 PM, Elvar  wrote:
> 
> >
> >
> > Elder Souza wrote:
> >
> >> No prob Jeremy, thanx for your help!
> >>
> >> Elder Souza
> >> (71) 9972-7573 / (71) 8801-5734
> >>
> >>
> >> On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:
> >>
> >>
> >>
> >>> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
> >>>
> >>>
>  It has been fixed after what version? Do you know?
> 
> 
> >>> Don't have the time to check the release
> >>> notes right now, but it's definitely fixed
> >>> in 3.0.32 and 3.2.4.
> >>>
> >>> Jeremy.
> >>>
> >>>
> >>>
> >>
> > I just downloaded version 3.0.33 and when I view the local.h file I still
> > see 200 defined as the max simultaneous connections. Is it really fixed?
> > Some of my installations require more than 200 simultaneous connections. I'm
> > still using an older version but until I modified this to 400+ I had
> > problems.
> >
> > /* Max number of simultaneous winbindd socket connections. */
> > #define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
> >
> >
> >
> >
> >
> 
> 
> 
> 
> I am using  3.2.4 but I still get this messages. I had many production
> servers hit 100% CPU due to winbind. I had to stop winbind 3 times through
> rc script to stop winbind.
> 
> I didn't have verbose log enabled, but I would go straight and upgrade if
> you guys think this is resolved in latest versions.

Ah. My statement that this was fixed in 3.2.4 was wrong, sorry
about that.

I've checked back in the release notes and the fix for this
bug (3204) was discovered by Richard Sharpe in Jan 2009,
and 3.2.4 dates from 18 September 2008.

The fix went into the 3.2 tree on 2009-01-08, and so
it will have been fixed on the 03 February 2009 release
Samba 3.2.8 and above. Sorry for the mistake in claiming
it was fixed in 3.2.4.

Jeremy.


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-13 Thread Linux Addict
On Mon, Jul 13, 2009 at 11:53 AM, Linux Addict wrote:

>
>
> On Sun, Mar 22, 2009 at 3:37 PM, Elvar  wrote:
>
>>
>>
>> Elder Souza wrote:
>>
>>> No prob Jeremy, thanx for your help!
>>>
>>> Elder Souza
>>> (71) 9972-7573 / (71) 8801-5734
>>>
>>>
>>> On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:
>>>
>>>
>>>
>>>> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
>>>>
>>>>
>>>>> It has been fixed after what version? Do you know?
>>>>>
>>>>>
>>>> Don't have the time to check the release
>>>> notes right now, but it's definitely fixed
>>>> in 3.0.32 and 3.2.4.
>>>>
>>>> Jeremy.
>>>>
>>>>
>>>>
>>>
>> I just downloaded version 3.0.33 and when I view the local.h file I still
>> see 200 defined as the max simultaneous connections. Is it really fixed?
>> Some of my installations require more than 200 simultaneous connections. I'm
>> still using an older version but until I modified this to 400+ I had
>> problems.
>>
>> /* Max number of simultaneous winbindd socket connections. */
>> #define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
>>
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
>
> I am using 3.2.4 but I still get these messages. I had many production
> servers hit 100% CPU due to winbind. I had to stop winbind 3 times through
> rc script to stop winbind.
>
> I didn't have verbose log enabled, but I would go straight and upgrade if
> you guys think this is resolved in latest versions.
>
>
>
>   winbindd: Exceeding 200 client connections, no idle connection found
> [2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
>   winbindd: Exceeding 200 client connections, no idle connection found
> [2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
>   winbindd: Exceeding 200 client connections, no idle connection found
> [2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
>   winbindd: Exceeding 200 client connections, no idle connection found
> [2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
>   winbindd: Exceeding 200 client connections, no idle connection found
> [2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1424)
>   tdb '/var/lib/samba/winbindd_cache.tdb' is valid
> [2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1434)
>   Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb
> '/var/lib/samba/winbindd_cache.tdb'
> [2009/07/09 16:51:41,  0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
>   initialize_winbindd_cache: clearing cache and re-creating with version
> number 1
> [2009/07/09 16:51:42,  1] lib/util_tdb.c:tdb_validate_and_backup(1424)
>   tdb '/var/lib/samba/winbindd_cache.tdb' is valid
> [2009/07/09 16:51:42,  1] lib/util_tdb.c:tdb_validate_and_backup(1434)
>   Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb
> '/var/lib/samba/winbindd_cache.tdb'
> u...@hostname$ rpm -qa |grep sam
> samba-client-3.2.4-1
> samba-3.2.4-1
> samba-debuginfo-3.2.4-1
> samba-swat-3.2.4-1
> samba-common-3.2.4-1
> samba-doc-3.2.4-1
>
>
>
>
>
>
Looks like this is where the bug was tracked.

https://bugzilla.samba.org/show_bug.cgi?id=3204


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-07-13 Thread Linux Addict
On Sun, Mar 22, 2009 at 3:37 PM, Elvar  wrote:

>
>
> Elder Souza wrote:
>
>> No prob Jeremy, thanx for your help!
>>
>> Elder Souza
>> (71) 9972-7573 / (71) 8801-5734
>>
>>
>> On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:
>>
>>
>>
>>> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
>>>
>>>
>>>> It has been fixed after what version? Do you know?
>>>>
>>>>
>>> Don't have the time to check the release
>>> notes right now, but it's definitely fixed
>>> in 3.0.32 and 3.2.4.
>>>
>>> Jeremy.
>>>
>>>
>>>
>>
> I just downloaded version 3.0.33 and when I view the local.h file I still
> see 200 defined as the max simultaneous connections. Is it really fixed?
> Some of my installations require more than 200 simultaneous connections. I'm
> still using an older version but until I modified this to 400+ I had
> problems.
>
> /* Max number of simultaneous winbindd socket connections. */
> #define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba




I am using 3.2.4 but I still get these messages. I had many production
servers hit 100% CPU due to winbind. I had to stop winbind 3 times through
rc script to stop winbind.

I didn't have verbose log enabled, but I would go straight and upgrade if
you guys think this is resolved in latest versions.



  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1424)
  tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1434)
  Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb
'/var/lib/samba/winbindd_cache.tdb'
[2009/07/09 16:51:41,  0]
winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[2009/07/09 16:51:42,  1] lib/util_tdb.c:tdb_validate_and_backup(1424)
  tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2009/07/09 16:51:42,  1] lib/util_tdb.c:tdb_validate_and_backup(1434)
  Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb
'/var/lib/samba/winbindd_cache.tdb'
u...@hostname$ rpm -qa |grep sam
samba-client-3.2.4-1
samba-3.2.4-1
samba-debuginfo-3.2.4-1
samba-swat-3.2.4-1
samba-common-3.2.4-1
samba-doc-3.2.4-1
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
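The log excerpt above uses Samba's two-line record format (a bracketed timestamp and debug level, then indented message text), and mail wrapping has split some records further. The following Python sketch is an added example, not part of the original post or of Samba: it parses that format and flags minutes in which winbindd repeatedly logged the client-limit message. The function names and the threshold of 3 are assumptions, and the sample lines are abridged from the excerpt.

```python
import re
from collections import Counter
from datetime import datetime

# "[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*(.*)$")
# Source location that mail wrapping pushed onto its own line.
LOCATION = re.compile(r"^\S+\.c:\w+\(\d+\)$")
EXHAUSTED = re.compile(r"Exceeding (\d+) client connections, no idle connection found")

# Sample input abridged from the log quoted in the post (wrapping kept as posted).
SAMPLE_LOG = """\
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(974)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:50:36,  0] winbindd/winbindd.c:process_loop(955)
  winbindd: Exceeding 200 client connections, no idle connection found
[2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1424)
  tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2009/07/09 16:51:41,  1] lib/util_tdb.c:tdb_validate_and_backup(1434)
  Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb
'/var/lib/samba/winbindd_cache.tdb'
[2009/07/09 16:51:41,  0]
winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 1
"""


def parse_records(text):
    """Group header and continuation lines into one dict per log record."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {
                "time": datetime.strptime(match.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(match.group(2)),
                "location": match.group(3),
                "message": "",
            }
            records.append(current)
        elif current is None or not line:
            # Text before the first header belongs to a record whose header
            # was cut off; it has no timestamp, so it is skipped.
            continue
        elif not current["location"] and LOCATION.match(line):
            current["location"] = line
        else:
            current["message"] = (current["message"] + " " + line).strip()
    return records


def find_exhaustion(records, threshold=3):
    """Return the minutes with at least `threshold` client-limit messages."""
    per_minute = Counter()
    limits = {}
    for rec in records:
        match = EXHAUSTED.search(rec["message"])
        if match:
            minute = rec["time"].strftime("%Y/%m/%d %H:%M")
            per_minute[minute] += 1
            limits[minute] = int(match.group(1))
    return [
        {"minute": minute, "count": count, "limit": limits[minute]}
        for minute, count in sorted(per_minute.items())
        if count >= threshold
    ]


def cache_resets(records):
    """Timestamps at which winbindd logged that it re-created its cache."""
    return [
        rec["time"].strftime("%Y/%m/%d %H:%M:%S")
        for rec in records
        if "initialize_winbindd_cache: clearing cache" in rec["message"]
    ]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for alert in find_exhaustion(recs):
        print("client limit %(limit)d hit %(count)d times in %(minute)s" % alert)
    for stamp in cache_resets(recs):
        print("winbindd cache re-created at", stamp)
```
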


[Samba] winbindd and group cache

2009-07-09 Thread Alexander Födisch

Hi,

Sometimes I do not see the changes of domain group memberships with "getent 
group" until I restart winbindd.
Is there a possibility to flush the cache? In smb.conf we set up "winbind cache time 
= 60".

Winbindd-Version:
Version 3.0.28-0.5-1657-SUSE-CODE10


Thanks



[Samba] winbindd stays at 100% CPU having joined a domain

2009-05-12 Thread Thomas Adam
[ Please would anyone replying to this maintain the Cc list here as
neither myself or my dear colleague are subscribed to this mailing list. ]

Hello all,

I am trying to track down an oddity with winbindd.  We're using samba only
to join a given domain -- so the config file is very minimal, as per:

 [global]
 workgroup = TEDDYBEARS
 netbios name = SMOOTHWALL
 realm = TEDDYBEARS.LOCAL
 security = ads
 password server = ad.teddybears.local
 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes

Shortly after joining a domain though, winbindd will suddenly start using
100% CPU and sit there.

Attaching strace to this process shows nothing -- literally, it's making
no system calls whatsoever.  Attaching gdb to this running process and
using "next" reveals that it's doing the following:

memcpy() -> tdb_read() -> tdb_find()

... and then stops in tdb_find() claiming there's no more line numbers to
look at.  So on the tentative premise the problem lies in tdb_find(), I
didn't find anything obvious, but noticed the following call-chain is
happening:

tdb_find()
  |---> tdb_key_compare()
  +---> tdb_parse_data()

Not knowing *anything* about samba internals, can someone suggest whether
this is even a relevant starting point?

We're currently using samba 3.2.8 -- and in trying to diagnose this, have
gone through some releases, trying samba 3.2.10 and then samba 3.3.3 --
alas, this problem still remains in both those versions.  Our use of Samba
is deployed as part of a commercial product.  The kernel we're running is 
2.6.16.60-3-smp.

Is there something that we're not adding to our configuration file (as in
the above) which might aid in solving this?  It's certainly a difficult
problem to replicate -- and perhaps the only likely aspect worth
mentioning is that samba is being asked to join a domain against Windows
Server 2008 -- should that be relevant.

Having done a lot of background work trying to track this down, there's
almost no information about this in the mailing list archives which
suggests to me some very odd corner-case bug, a problem with Samba and
Windows Server 2008, or a configuration problem.  Given that the
configuration referenced above is the same for all customers (barring the
obvious changes for values on netbios, workgroup, realm, etc.) it's likely
to be something else, but I am open to suggestions.

I'm attaching a version of a backtrace from GDB of a running version of
winbindd exhibiting this problem.  The version of winbind is from version 
3.2.4.  There's two backtraces of the same process for comparison.

If there's any further information, don't hesitate to let me know.

Kindly,

-- 
Thomas Adam
Senior Developer
Smoothwall Ltd.

Email:  thomas.a...@smoothwall.net

SmoothWall Limited
1 John Charles Way
Leeds LS12 6QA
United Kingdom

Phone: 1 800 959 3760 (USA, Canada and North America)
   0870 1 999 500 (United Kingdom)
   +44 870 1 999 500  (all other countries)
Fax:   +44 870 1 991 399

Web: http://www.smoothwall.net/

SmoothWall Limited is registered in England, Company Number: 429824i7

This email and any attachments transmitted with it are confidential to
the intended recipient(s) and may not be communicated to any other
person or published by any means without the express permission of
SmoothWall Limited.  Any views expressed in this message are solely
those of the author.  See:  http://smoothwall.net/company/email.php 
for the full text of this notice.
#0  0x402aa970 in tdb_find () from /modules/guardian/usr/lib/libtdb.so.1
#1  0x402aaa8d in tdb_update_hash () from /modules/guardian/usr/lib/libtdb.so.1
#2  0x402ab3c4 in tdb_store () from /modules/guardian/usr/lib/libtdb.so.1
#3  0x0812a48e in tdb_store_bystring ()
#4  0x0837f493 in netsamlogon_cache_store ()
#5  0x080aea38 in winbindd_dual_pam_auth_crap ()
#6  0x080c45d4 in child_process_request ()
#7  0x080c6a58 in fork_domain_child ()
#8  0x080c4191 in schedule_async_request ()
#9  0x080c3afe in async_request ()
#10 0x0809d467 in init_child_connection ()
#11 0x080c430e in async_domain_request ()
#12 0x0809cab8 in add_trusted_domains ()
#13 0x0809d1b8 in rescan_trusted_domains ()
#14 0x080946eb in process_loop ()
#15 0x0809571e in main ()


#0  0x4038979c in memcpy () from /lib/libc.so.6
#1  0x402af1a2 in tdb_read () from /modules/guardian/usr/lib/libtdb.so.1
#2  0x402afb6a in tdb_rec_read () from /modules/guardian/usr/lib/libtdb.so.1
#3  0x402aa90c in tdb_find () from /modules/guardian/usr/lib/libtdb.so.1
#4  0x402aaa8d in tdb_update_hash () from /modules/guardian/usr/lib/libtdb.so.1
#5  0x402ab3c4 in tdb_store () from /modules/guardian/usr/lib/libtdb.so.1
#6  0x0812a48e in tdb_store_bystring ()
#7  0x0837f493 in netsamlogon_cache_store ()
#8  0x080aea38 in winbindd_dual_pam_auth_crap ()
#9  0x080c45d4 in child_process_request ()
#10 0x080c6a58 in fork_domain_child ()
#11 0x080c4191 in schedule_async_request ()
#12 0x080c3afe in async_request ()
#13 0x0809d467 in init_child_connection ()
#

Re: [Samba] winbindd stays at 100% CPU having joined a domain

2009-05-05 Thread Volker Lendecke
On Tue, May 05, 2009 at 02:47:13PM +0100, Thomas Adam wrote:
> On Tue, May 05, 2009 at 03:40:15PM +0200, Volker Lendecke wrote:
> > On Tue, May 05, 2009 at 09:43:36AM +0100, Thomas Adam wrote:
> > > Attaching strace to this process shows nothing -- literally, it's making
> > > no system calls whatsoever.  Attaching gdb to this running process and
> > > using "next" reveals that it's doing the following:
> > > 
> > > memcpy() -> tdb_read() -> tdb_find()
> > 
> > Very likely that is a corrupted tdb file, probably the
> > netsamlogon_cache.tdb. What kind of file system do you run
> > this on?
> 
> This is in ext3.

Ok, this indicates that you're running on Linux.

> The particular file in question has an access time of Jan 23rd 2009.  Are
> these files periodically removed by samba such as when it restarts, or are
> they somehow persistent?  Certainly the timestamp on the
> netsamlogon_cache.tdb file suggests it's persistent.  Are they meant to be
> cleared, even?

Linux has the problem that when writing to a file using
mmap, the mtime is not updated. netsamlogon_cache is a
persistent database that is not cleared, it's only
overwritten by new entries. But you can safely delete it
while Samba/winbind are shut down. If this happens
frequently, you might want to look at smbd or winbind
processes crashing hard and try to find more info on those,
or you might want to look at possibly flaky hardware.

Volker


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
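Volker's advice above is that netsamlogon_cache.tdb may only be removed while Samba and winbind are shut down. The following Python sketch is an added example, not code from the thread or from Samba: it refuses to touch the file while an smbd or winbindd process exists and renames the file aside instead of deleting it, so the suspect copy is kept for later inspection. It assumes a Linux /proc that exposes /proc/<pid>/comm; the function names and the ".corrupt-<timestamp>" suffix are hypothetical.

```python
import os
import sys
import time

# Daemons named in the thread as users of the tdb files.
SAMBA_DAEMONS = {"smbd", "winbindd"}


def running_samba_daemons(proc_root="/proc"):
    """Return sorted (pid, name) pairs for Samba daemons found under proc_root."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as handle:
                name = handle.read().strip()
        except OSError:
            continue  # the process exited while we were scanning
        if name in SAMBA_DAEMONS:
            found.append((int(entry), name))
    return sorted(found)


def quarantine_tdb(path, proc_root="/proc", now=None):
    """Rename a suspect tdb aside, but only while no Samba daemon is running.

    Returns the new path. Raises RuntimeError if smbd or winbindd is still
    running, because the file may be mapped and written by that process.
    """
    daemons = running_samba_daemons(proc_root)
    if daemons:
        listing = ", ".join("%s (pid %d)" % (name, pid) for pid, name in daemons)
        raise RuntimeError("refusing to move %s: still running: %s" % (path, listing))
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(now))
    target = "%s.corrupt-%s" % (path, stamp)
    # rename() stays on the same filesystem and keeps the original bytes intact.
    os.rename(path, target)
    return target


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: quarantine_tdb.py /path/to/netsamlogon_cache.tdb")
    try:
        print("moved to", quarantine_tdb(sys.argv[1]))
    except (RuntimeError, FileNotFoundError) as exc:
        sys.exit(str(exc))
```
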

Re: [Samba] winbindd stays at 100% CPU having joined a domain

2009-05-05 Thread Thomas Adam
On Tue, May 05, 2009 at 03:40:15PM +0200, Volker Lendecke wrote:
> On Tue, May 05, 2009 at 09:43:36AM +0100, Thomas Adam wrote:
> > Attaching strace to this process shows nothing -- literally, it's making
> > no system calls whatsoever.  Attaching gdb to this running process and
> > using "next" reveals that it's doing the following:
> > 
> > memcpy() -> tdb_read() -> tdb_find()
> 
> Very likely that is a corrupted tdb file, probably the
> netsamlogon_cache.tdb. What kind of file system do you run
> this on?

This is in ext3.

I've just looked at the machine in question and there's the following
files:

./var/locks/gencache.tdb
./var/locks/idmap_cache.tdb
./var/locks/messages.tdb
./var/locks/winbindd_cache.tdb
./var/locks/netsamlogon_cache.tdb
./var/locks/connections.tdb
./var/locks/mutex.tdb

The particular file in question has an access time of Jan 23rd 2009.  Are
these files periodically removed by samba such as when it restarts, or are
they somehow persistent?  Certainly the timestamp on the
netsamlogon_cache.tdb file suggests it's persistent.  Are they meant to be
cleared, even?

Kindly,

-- 
Thomas Adam
Senior Developer
Smoothwall Ltd.

Email:  thomas.a...@smoothwall.net



Re: [Samba] winbindd stays at 100% CPU having joined a domain

2009-05-05 Thread Volker Lendecke
On Tue, May 05, 2009 at 09:43:36AM +0100, Thomas Adam wrote:
> [ Please would anyone replying to this maintain the Cc list here as my
> dear colleague is not subscribed to this mailing list. ]
> 
> Hello all,
> 
> I am trying to track down an oddity with winbindd.  We're using samba only
> to join a given domain -- so the config file is very minimal, as per:
> 
>  [global]
>  workgroup = TEDDYBEARS
>  netbios name = SMOOTHWALL
>  realm = TEDDYBEARS.LOCAL
>  security = ads
>  password server = ad.teddybears.local
>  winbind separator = /
>  winbind enum users = yes
>  winbind enum groups = yes
> 
> Shortly after joining a domain though, winbindd will suddenly start using
> 100% CPU and sit there.
> 
> Attaching strace to this process shows nothing -- literally, it's making
> no system calls whatsoever.  Attaching gdb to this running process and
> using "next" reveals that it's doing the following:
> 
> memcpy() -> tdb_read() -> tdb_find()

Very likely that is a corrupted tdb file, probably the
netsamlogon_cache.tdb. What kind of file system do you run
this on?

Volker



[Samba] winbindd stays at 100% CPU having joined a domain

2009-05-05 Thread Thomas Adam
[ Please would anyone replying to this maintain the Cc list here as my
dear colleague is not subscribed to this mailing list. ]

Hello all,

I am trying to track down an oddity with winbindd.  We're using samba only
to join a given domain -- so the config file is very minimal, as per:

 [global]
 workgroup = TEDDYBEARS
 netbios name = SMOOTHWALL
 realm = TEDDYBEARS.LOCAL
 security = ads
 password server = ad.teddybears.local
 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes

Shortly after joining a domain though, winbindd will suddenly start using
100% CPU and sit there.

Attaching strace to this process shows nothing -- literally, it's making
no system calls whatsoever.  Attaching gdb to this running process and
using "next" reveals that it's doing the following:

memcpy() -> tdb_read() -> tdb_find()

... and then stops in tdb_find() claiming there's no more line numbers to
look at.  So on the tentative premise the problem lies in tdb_find(), I
didn't find anything obvious, but noticed the following call-chain is
happening:

tdb_find()
  |---> tdb_key_compare()
  +---> tdb_parse_data()

Not knowing *anything* about samba internals, can someone suggest whether
this is even a relevant starting point?

We're currently using samba 3.2.8 -- and in trying to diagnose this, have
gone through some releases, trying samba 3.2.10 and then samba 3.3.3 --
alas, this problem still remains in both those versions.  Our use of Samba
is deployed as part of a commercial product.  The kernel we're running is 
2.6.16.60-3-smp.

Is there something that we're not adding to our configuration file (as in
the above) which might aid in solving this?  It's certainly a difficult
problem to replicate -- and perhaps the only likely aspect worth
mentioning is that samba is being asked to join a domain against Windows
Server 2008 -- should that be relevant.

Having done a lot of background work trying to track this down, there's
almost no information about this in the mailing list archives which
suggests to me some very odd corner-case bug, a problem with Samba and
Windows Server 2008, or a configuration problem.  Given that the
configuration referenced above is the same for all customers (barring the
obvious changes for values on netbios, workgroup, realm, etc.) it's likely
to be something else, but I am open to suggestions.

I'm attaching a version of a backtrace from GDB of a running version of
winbindd exhibiting this problem.  The version of winbind is from version 
3.2.4.  There's two backtraces of the same process for comparison.

If there's any further information, don't hesitate to let me know.

Kindly,

-- 
Thomas Adam
Senior Developer
Smoothwall Ltd.

Email:  thomas.a...@smoothwall.net

#0  0x402aa970 in tdb_find () from /modules/guardian/usr/lib/libtdb.so.1
#1  0x402aaa8d in tdb_update_hash () from /modules/guardian/usr/lib/libtdb.so.1
#2  0x402ab3c4 in tdb_store () from /modules/guardian/usr/lib/libtdb.so.1
#3  0x0812a48e in tdb_store_bystring ()
#4  0x0837f493 in netsamlogon_cache_store ()
#5  0x080aea38 in winbindd_dual_pam_auth_crap ()
#6  0x080c45d4 in child_process_request ()
#7  0x080c6a58 in fork_domain_child ()
#8  0x080c4191 in schedule_async_request ()
#9  0x080c3afe in async_request ()
#10 0x0809d467 in init_child_connection ()
#11 0x080c430e in async_domain_request ()
#12 0x0809cab8 in add_trusted_domains ()
#13 0x0809d1b8 in rescan_trusted_domains ()
#14 0x080946eb in process_loop ()
#15 0x0809571e in main ()


#0  0x4038979c in memcpy () from /lib/libc.so.6
#1  0x402af1a2 in tdb_read () from /modules/guardian/usr/lib/libtdb.so.1
#2  0x402afb6a in tdb_rec_read () from /modules/guardian/usr/lib/libtdb.so.1
#3  0x402aa90c in tdb_find () from /modules/guardian/usr/lib/libtdb.so.1
#4  0x402aaa8d in tdb_update_hash () from /modules/guardian/usr/lib/libtdb.so.1
#5  0x402ab3c4 in tdb_store () from /modules/guardian/usr/lib/libtdb.so.1
#6  0x0812a48e in tdb_store_bystring ()
#7  0x0837f493 in netsamlogon_cache_store ()
#8  0x080aea38 in winbindd_dual_pam_auth_crap ()
#9  0x080c45d4 in child_process_request ()
#10 0x080c6a58 in fork_domain_child ()
#11 0x080c4191 in schedule_async_request ()
#12 0x080c3afe in async_request ()
#13 0x0809d467 in init_child_connection ()
#14 0x080c430e i

[Samba] winbindd: idmap_init: Ignoring domain

2009-04-06 Thread MargoAndTodd

Hi All,

When I restart smbd and winbindd, I see the
following error message:

rn1 winbindd[8289]:   Initializing idmap domains
Apr  6 15:15:13 rn1 winbindd[8289]:
   [2009/04/06 15:15:13, 0] nsswitch/idmap.c:idmap_init(388)
rn1 winbindd[8289]: idmap_init: Ignoring domain FOO

How do I stop/correct this error message?

Many thanks,
-T


Two files (smb.conf, nsswitch.conf):

 testparm -s | more 
[global]
workgroup = FOO
netbios name = SERVER
server string = Samba Server
interfaces = eth0, 127.0.0.1
null passwords = Yes
passdb backend = tdbsam
guest account = pcguest
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 2
log file = /var/log/samba/samba-log.%m
max log size = 50
name resolve order = host wins
deadtime = 20160
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
add user script = /usr/sbin/useradd -m -G users '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -A '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts\logon.bat
logon path =
logon drive = X:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
lock directory = /var/lock/samba
idmap uid = 500-700
idmap gid = 100-300
comment = Samba (NetBIOS) Server on rn1.FOO.local
hosts allow = 192.168.255., 127.0.0.
hosts deny = ALL
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
strict locking = No
volume = CentOS, %v
wide links = No


~~/etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files wins dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus




Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2009-03-22 Thread Elvar



Elder Souza wrote:

> No prob Jeremy, thanx for your help!
>
> Elder Souza
> (71) 9972-7573 / (71) 8801-5734
>
>
> On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison  wrote:
>
>> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
>>
>>> It has been fixed after what version? Do you know?
>>
>> Don't have the time to check the release
>> notes right now, but it's definitely fixed
>> in 3.0.32 and 3.2.4.
>>
>> Jeremy.

I just downloaded version 3.0.33 and when I view the local.h file I 
still see 200 defined as the max simultaneous connections. Is it really 
fixed? Some of my installations require more than 200 simultaneous 
connections. I'm still using an older version but until I modified this 
to 400+ I had problems.


/* Max number of simultaneous winbindd socket connections. */
#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200







[Samba] Winbindd Takes 100% CPU.

2009-03-20 Thread Linux Addict
Environment:
RHEL4 U6
Samba 3.2.8

After the installation, Winbind is taking 100% CPU. A restart seems to fix
most of the times, but can't figure out the reason winbind takes all CPU. Are
there any bugs worked on already? If not, please someone help me resolve this.

Let me know what kind of logs you may need.


~LA


[Samba] winbindd did not start

2009-01-19 Thread Michael Schmitz
Hello all,
 
I have a problem with starting the winbind daemon. I want to connect to a 
win2003 server domain.
 
I get the following error message when i start winbindd with:
 
winbind -d10 -i
 
winbindd version 3.2.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Could not fetch our SID - did we join?
unable to initialize domain list

in log.winbind i can read 
 
[2009/01/19 10:18:51,  0] winbindd/winbindd.c:main(1132)
  winbindd version 3.2.7 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/01/19 10:18:51,  0] 
winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
  initialize_winbindd_cache: clearing cache and re-creating with version number 
1
[2009/01/19 10:18:51,  0] winbindd/winbindd_util.c:init_domain_list(736)
  Could not fetch our SID - did we join?
[2009/01/19 10:18:51,  0] winbindd/winbindd.c:main(1274)
  unable to initialize domain list

net rpc join 
Joined domain HUDE.
 
is successful
 
net ads join -U Administrator
Joined 'SERVER02' to realm 'HUDE.LOCAL'

is also successful
 
I don't know where the problem is.
 
Best regards
M.Schmitz
 
 



Re: [Samba] winbindd consuming 99% CPU

2008-11-09 Thread Sagar Borikar
ance
Sagar


--- On Wed, 11/5/08, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:

> From: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
> Subject: Re: [Samba] winbindd consuming 99% CPU
> To: [EMAIL PROTECTED]
> Cc: samba@lists.samba.org, [EMAIL PROTECTED]
> Date: Wednesday, November 5, 2008, 7:48 PM
> 
> Sagar Borikar wrote:
> > Hi All,
> > 
> > We are currently caught up in a weird situation while using samba
> > 3.0.28. There is a requirement from the customer that we should support
> > ADS with 64000 objects. When we implemented the feature, we found
> > couple of things mentioned below:
> > 
> > 1. After joining ADS with 64k users, samba takes around 20 - 25 min
> > to populate idmap_cache.tdb and winbindd_cache.tdb. This is because
> > we haven't turned off enumeration and we would be fixing it for
> > next maintenance release of the NAS product.
> > 
> > 2.  We periodically check the quota state of all the users
> > using repquota command. It refers to /etc/nsswitch.conf for mapping
> > user ids to names. And winbindd inherently should look for its
> > cache as it is populated completely to do the conversion.
> > 
> > But we observed that every time the repquota command is invoked,
> > winbindd starts consuming 98% of CPU. It fetches the info from
> > ADS and not from local cache. So we are wondering why it doesn't
> > make use of local cache for mapping the ids to names?
> 
> Sagar,
> 
> The enumeration is killing you performance wise.  As a workaround
> you could try increasing the "winbind cache time" to something like
> 1 or 2 hours.  But there is a constant struggle between cache times
> and accuracy.
> 
> cheers, jerry
> - --
> =
> Samba--- http://www.samba.org
> Likewise Software  -  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"  --Balian


  


Re: [Samba] winbindd consuming 99% CPU

2008-11-05 Thread Gerald (Jerry) Carter
Sagar Borikar wrote:
> Hi All,
> 
> We are currently caught up in a weird situation while using samba 
> 3.0.28. There is a requirement from the customer that we should support
> ADS with 64000 objects. When we implemented the feature, we found
> couple of things mentioned below:
> 
> 1. After joining ADS with 64k users, samba takes around 20 - 25 min 
> to populate idmap_cache.tdb and winbindd_cache.tdb. This is because
> we haven't turned off enumeration and we would be fixing it for
> next maintenance release of the NAS product.
> 
> 2.  We periodically check the quota state of all the users 
> using repquota command. It refers to /etc/nsswitch.conf for mapping
> user ids to names. And winbindd inherently should look for its
> cache as it is populated completely to do the conversion.
> 
> But we observed that every time the repquota command is invoked, 
> winbindd starts consuming 98% of CPU. It fetches the info from
> ADS and not from local cache. So we are wondering why it doesn't
> make use of local cache for mapping the ids to names?

Sagar,

The enumeration is killing you performance wise.  As a workaround
you could try increasing the "winbind cache time" to something like
1 or 2 hours.  But there is a constant struggle between cache times
and accuracy.




cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] winbindd consuming 99% CPU

2008-11-05 Thread Sagar Borikar
Hi All,

We are currently caught up in a weird situation while using samba 3.0.28. There 
is a requirement from the customer that we should support ADS with 64000 
objects. When we implemented the feature, we found couple of things mentioned 
below:

1. After joining ADS with 64k users, samba takes around 20 - 25 min to populate
idmap_cache.tdb and winbindd_cache.tdb. This is because we haven't turned off
enumeration and we would be fixing it for next maintenance release of the NAS
product.

2.  We periodically check the quota state of all the users using repquota 
command. It refers to /etc/nsswitch.conf for mapping user ids to names. And 
winbindd inherently should look for its cache as it is populated completely to 
do the conversion.  

But we observed that every time the repquota command is invoked, winbindd 
starts consuming 98% of CPU. It fetches the info from ADS and not from local 
cache. So we are wondering why it doesn't make use of local cache for mapping 
the ids to names?

Here is the system info:

Kernel : 2.6.18
Samba - 3.0.28a
arch - mips 1GHz

All your help is really appreciated. 

Thanks 

Sagar


  


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Elder Souza
No prob Jeremy, thanx for your help!

Elder Souza
(71) 9972-7573 / (71) 8801-5734


On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
> > It has been fixed after what version? Do you know?
>
> Don't have the time to check the release
> notes right now, but it's definitely fixed
> in 3.0.32 and 3.2.4.
>
> Jeremy.
>


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Jeremy Allison
On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:
> It has been fixed after what version? Do you know?

Don't have the time to check the release
notes right now, but it's definitely fixed
in 3.0.32 and 3.2.4.

Jeremy.


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Elder Souza
It has been fixed after what version? Do you know?


Elder Souza
(71) 9972-7573 / (71) 8801-5734


On Tue, Oct 21, 2008 at 5:41 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 21, 2008 at 05:33:09PM -0300, Elder Souza wrote:
> > Ok, but it's a production server and I will create another and test 3.2.4
> > version.
>
> If you want to stay on 3.0.x 3.0.32 is the latest version.
>
> > Another question: Why winbind can't free connections and how can I
> > set/change a timeout value for these connections?
>
> It's a bug that has been fixed.
>
> Jeremy.
>


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Jeremy Allison
On Tue, Oct 21, 2008 at 05:33:09PM -0300, Elder Souza wrote:
> Ok, but it's a production server and I will create another and test 3.2.4
> version.

If you want to stay on 3.0.x 3.0.32 is the latest version.

> Another question: Why winbind can't free connections and how can I set/change
> a timeout value for these connections?

It's a bug that has been fixed.

Jeremy.


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Elder Souza
Ok, but it's a production server and I will create another and test 3.2.4
version.

Another question: Why winbind can't free connections and how can I
set/change a timeout value for these connections?

Elder Souza
(71) 9972-7573 / (71) 8801-5734


On Tue, Oct 21, 2008 at 5:19 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 21, 2008 at 05:17:19PM -0300, Elder Souza wrote:
> > Linux CentOS 5 Final with:
> >
> >- samba-common-3.0.25b-1.el5_1.4
> >- samba-client-3.0.25b-1.el5_1.4
> >- samba-3.0.25b-1.el5_1.4
> >
> >
> > Elder Souza
> > (71) 9972-7573 / (71) 8801-5734
>
> Ancient. Please upgrade to at least 3.0.32.
>
> Jeremy.
>


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Jeremy Allison
On Tue, Oct 21, 2008 at 05:17:19PM -0300, Elder Souza wrote:
> Linux CentOS 5 Final with:
> 
>- samba-common-3.0.25b-1.el5_1.4
>- samba-client-3.0.25b-1.el5_1.4
>- samba-3.0.25b-1.el5_1.4
> 
> 
> Elder Souza
> (71) 9972-7573 / (71) 8801-5734

Ancient. Please upgrade to at least 3.0.32.

Jeremy.


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Elder Souza
Linux CentOS 5 Final with:

   - samba-common-3.0.25b-1.el5_1.4
   - samba-client-3.0.25b-1.el5_1.4
   - samba-3.0.25b-1.el5_1.4


Elder Souza
(71) 9972-7573 / (71) 8801-5734


On Tue, Oct 21, 2008 at 4:11 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 21, 2008 at 02:40:55PM -0300, Elder Souza wrote:
> > Hi!
> >
> > Somebody knows how can I fix this error? My squid always shows user/pass
> > popup in ADS+Squid authentication scheme (auth_proxy).
> >
> > I got a lot of "winbindd: Exceeding 200 client connections, no idle
> > connection found" message in winbind.log
>
> What Samba version are you using ? This is something that
> has been fixed in the 3.2.4 release.
>
> Jeremy.
>


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Jeremy Allison
On Tue, Oct 21, 2008 at 02:40:55PM -0300, Elder Souza wrote:
> Hi!
> 
> Somebody knows how can I fix this error? My squid always shows user/pass
> popup in ADS+Squid authentication scheme (auth_proxy).
> 
> I got a lot of "winbindd: Exceeding 200 client connections, no idle
> connection found" message in winbind.log

What Samba version are you using ? This is something that
has been fixed in the 3.2.4 release.

Jeremy.


[Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-10-21 Thread Elder Souza
Hi!

Somebody knows how can I fix this error? My squid always shows user/pass
popup in ADS+Squid authentication scheme (auth_proxy).

I got a lot of "winbindd: Exceeding 200 client connections, no idle
connection found" message in winbind.log


RE: [Samba] winbindd freezes on name requests

2008-09-01 Thread Sledz, Steffen
> We're running samba-winbind-3.2.0-22.1 on an openSUSE 11.0 
> system. But we have the problem that winbindd freezes when 
> commands request (many) names to UID/GIDs mapped from SIDs 
> (e.g. id or mc).

Sometimes problems just disappear. :)

Yesterday openSUSE published a patch which updates Samba to 3.2.3. Now 
everything works fine.

[Samba] winbindd freezes on name requests

2008-09-01 Thread Sledz, Steffen
We're running samba-winbind-3.2.0-22.1 on an openSUSE 11.0 system. But we have 
the problem that winbindd freezes when commands request (many) names to 
UID/GIDs mapped from SIDs (e.g. id or mc).

id -g username
  --> OK (reports gid of primary group)

id -n -g username
  --> OK (reports name of primary group)

id -G username
  --> OK (reports gids of 267 groups)

id -n -G username
  --> freeze  :(

Is this a (known) bug? Is there a fix available? Or is this just a 
misconfiguration?

Steffen

Re: [Samba] winbindd behaving oddly

2008-08-11 Thread Gerald (Jerry) Carter
Glenn Bailey wrote:
> Ok wow,
> 
> Looks like the likewise solution is exactly what I've been looking
> for, as I've been developing an internal solution that was basically
> a stripped down samba that wouldn't conflict with any other existing
> samba installs.

Cool.  Glad it helped.





jerry


RE: [Samba] winbindd behaving oddly

2008-08-11 Thread Glenn Bailey
Ok wow,

Looks like the likewise solution is exactly what I've been looking
for, as I've been developing an internal solution that was basically
a stripped down samba that wouldn't conflict with any other existing
samba installs.

FYI,

I threw my group membership settings in /etc/security/pam_winbind.conf
with the following format:

[global]
require_membership_of=GROUP1
require_membership_of=GROUP2

and this worked just fine ..

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbindd behaving oddly

Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I
> have followed various HOW-TO's, wiki's, and docs, and just can't seem
> to get past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to 
try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
>
> Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request
> failed: Wrong Password, PAM error was Authentication failure (7), NT
> error was NT_STATUS_WRONG_PASSWORD
>
> I get this w/o even entering a password. If I break out and just hit
> it 2 more times it will lock the account out as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me.  but I define it in /etc/security/pam_winbind.conf


> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

need use_authtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require- option is enforced in auth and not session.






cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbindd behaving oddly

2008-08-09 Thread Gerald (Jerry) Carter
Glenn Bailey wrote:
> Hello folks,
> 
> Been beating my head with winbind and pam just behaving oddly. I have
> followed various HOW-TO's, wiki's, and docs, and just can't seem to get
> past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might
want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' 
> in the logs. Here's an exact snippet:
> 
> Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: 
> Wrong Password, PAM error was Authentication failure (7), NT error was 
> NT_STATUS_WRONG_PASSWORD
> 
> I get this w/o even entering a password. If I break out and just hit it 2 
> more times it will lock the account out
> as expected.
> 
> - require_membership_of seems to be flat out ignored. 

Works for me.  but I define it in /etc/security/pam_winbind.conf


> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

need use_authtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require- option is enforced in auth and not session.






cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] winbindd behaving oddly

2008-08-06 Thread Glenn Bailey
Hello folks,

Been beating my head with winbind and pam just behaving oddly. I have followed
various HOW-TO's, wiki's, and docs, and just can't seem to get past a wall.
Here are some of the issues:

- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in the
logs. Here's an exact snippet:

Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD

I get this w/o even entering a password. If I break out and just hit it 2 more
times it will lock the account out as expected.

- require_membership_of seems to be flat out ignored. It will work if I have
one group, and put it in the 'auth' section of the system-auth file but I have
multiple groups. If I put multiple groups under the 'auth' section it will try
to authenticate for each group and lock the account out if the password is
typed a single time. Putting this in the 'session' section it is flat out
ignored. Here's my system-auth:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

glenn @ terremark worldwide
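
The points raised in the reply to this stack, plus the per-group lockout described in the post, turned into a small linter so that a group restriction that is never enforced shows up before it reaches production. This is an added example, not code from the thread or from Samba; the `parse_stack` and `lint` names and the check codes are hypothetical, the duplicate-option check is an addition beyond the reply, and the sample is the poster's system-auth with its column spacing restored.

```python
import re

# The poster's system-auth, reconstructed with column spacing restored.
SYSTEM_AUTH = """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

# type, control (plain word or bracketed [value=action ...]), module, arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse PAM service-file lines into dicts, skipping comments and blanks."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        match = LINE.match(line)
        if not match:
            continue
        kind, control, module, args = match.groups()
        entries.append({
            "type": kind.lstrip("-"),
            "control": control,
            "module": module.rsplit("/", 1)[-1],
            "args": args.split(),
        })
    return entries


def lint(entries):
    """Return (type, module, code, text) tuples for each problem found."""
    findings = []

    def add(entry, code, text):
        findings.append((entry["type"], entry["module"], code, text))

    for entry in entries:
        repeated = sorted({a for a in entry["args"] if entry["args"].count(a) > 1})
        if repeated:
            add(entry, "duplicate-option", "repeated: " + ", ".join(repeated))
        if entry["module"] != "pam_winbind.so":
            continue
        options = {a.split("=", 1)[0] for a in entry["args"]}
        if "require_membership_of" in options and entry["type"] != "auth":
            add(entry, "membership-not-enforced",
                "group restriction is enforced in auth, not " + entry["type"])
        if "use_first_pass" in options and entry["type"] == "account":
            add(entry, "unneeded-use_first_pass", "not needed on account lines")
        if "use_first_pass" in options and entry["type"] == "password":
            add(entry, "wants-use_authtok", "use use_authtok on password lines")

    auth = [e for e in entries if e["type"] == "auth"]
    modules = [e["module"] for e in auth]
    if ("pam_unix.so" in modules and "pam_winbind.so" in modules
            and modules.index("pam_unix.so") < modules.index("pam_winbind.so")):
        add(auth[modules.index("pam_winbind.so")], "winbind-after-unix",
            "the reply stacks pam_winbind before pam_unix")
    winbind_auth = [e for e in auth if e["module"] == "pam_winbind.so"]
    if len(winbind_auth) > 1:
        add(winbind_auth[1], "repeated-winbind-auth",
            "each line authenticates again; list groups in pam_winbind.conf")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_stack(SYSTEM_AUTH)):
        print("%-8s %-16s %-26s %s" % finding)
```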


Re: [Samba] winbindd high CPU usage

2008-07-09 Thread Jeremy Allison
On Wed, Jul 09, 2008 at 10:31:41AM +0200, Franky Van Liedekerke wrote:
> Hi,
> 
> I'm using squid+samba/winbindd to do proxy authentication for a AD domain.
> Using samba 3.0.29 this was working fine.
> This week I saw 3.2 was released stable, so I decided to upgrade. The
> compile (using solaris 8, 64bit, gcc 3.4.6) went well and I copied the
> secrets.tdb to the new version, so I wouldn't need to rejoin the domain.
> After this starting samba also succeeded, "wbinfo -t" and all worked just
> fine. Even using the ntlm_auth binary worked ok to authenticate a user. So I
> thought it to be safe to switch squid to the new version.
> But about 2 minutes after squid is started to use the ntlm_auth binary from
> the new samba, winbindd is starting to use 99% of the cpu (and this was not
> the case in 3.0.29).

Can you attach to the winbindd process eating the CPU with
strace (truss on Solaris I think) and let us know what it is doing ?

Thanks,

Jeremy.


[Samba] winbindd high CPU usage

2008-07-09 Thread Franky Van Liedekerke
Hi,

I'm using squid+samba/winbindd to do proxy authentication for a AD domain.
Using samba 3.0.29 this was working fine.
This week I saw 3.2 was released stable, so I decided to upgrade. The
compile (using solaris 8, 64bit, gcc 3.4.6) went well and I copied the
secrets.tdb to the new version, so I wouldn't need to rejoin the domain.
After this starting samba also succeeded, "wbinfo -t" and all worked just
fine. Even using the ntlm_auth binary worked ok to authenticate a user. So I
thought it to be safe to switch squid to the new version.
But about 2 minutes after squid is started to use the ntlm_auth binary from
the new samba, winbindd is starting to use 99% of the cpu (and this was not
the case in 3.0.29).
Here is my samba config:

[global]
security = ADS
workgroup = 
realm = .BE
winbind separator = +
encrypt passwords = true
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no

Has anybody else seen behaviour like this? Or any clue on how to resolve
this (maybe some new winbindd settings)?

Franky


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-06-02 Thread Elvar



Jason Haar wrote:
> Elvar wrote:
> > I meant to respond to this a long time ago and I'm sorry for the
> > delay. Yes, I'm using NTLM to authenticate the users to Active
> > Directory requiring specific group membership. If the users don't
> > belong to group "Internet Access" they are denied out. I can stomach
> > the lack of encryption, but with basic proxy auth can they still
> > authenticate to AD?
>
> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate. ie you can still do
> group-based access controls using Basic.

Ok, I set this up using only basic and not NTLM and the problem I'm 
seeing is that it prompts the users for their credentials instead of 
passing automatically in the background. With NTLM they don't have to 
type in their username and password which is what I need. They will 
never be ok with having to type in their creds all the time. I'm 
guessing I'm stuck with NTLM then?



Regards,
Elvar



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-06-01 Thread Elvar



Jason Haar wrote:
> Elvar wrote:
> > I meant to respond to this a long time ago and I'm sorry for the
> > delay. Yes, I'm using NTLM to authenticate the users to Active
> > Directory requiring specific group membership. If the users don't
> > belong to group "Internet Access" they are denied out. I can stomach
> > the lack of encryption, but with basic proxy auth can they still
> > authenticate to AD?
>
> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate. ie you can still do
> group-based access controls using Basic.

Excellent, I'll try this out asap. Thanks!


Regards,
Elvar



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-05-30 Thread Jason Haar

Elvar wrote:
> I meant to respond to this a long time ago and I'm sorry for the
> delay. Yes, I'm using NTLM to authenticate the users to Active
> Directory requiring specific group membership. If the users don't
> belong to group "Internet Access" they are denied out. I can stomach
> the lack of encryption, but with basic proxy auth can they still
> authenticate to AD?

Absolutely. There is no difference in Squid's ntlm_auth functionality 
between choosing Basic or NTLM/Negotiate. ie you can still do 
group-based access controls using Basic.


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-05-30 Thread Elvar



Jason Haar wrote:
> Elvar wrote:
> > Yes, Squid comes with its own NTLM AUTH mechanism but it does not
> > support the --require-membership option which allows me to force
> > users to be a part of a specific "internet access" group. That's why
> > I'm using winbindd.
>
> This isn't the trusted domain issue that showed up about a month ago
> is it? i.e do you have trusted domains where their domain controllers
> are some distance away over a WAN link?
>
> You don't mention it explicitly, but I'm guessing you're using NTLM
> proxy authentication? As such it means Squid (and winbind for that
> matter) cannot cache any of the authentication requests - they all
> must go through to the backend domain controllers. And if they are
> remote (ie high latency compared with LAN-connected DCs), Squid and
> winbind will spend more and more resources tracking outstanding
> authentication requests. e.g. a single Web page may contain 10+ images
> - that's 11 auth attempts - and with NTLM that means 33 HTTP
> transactions - for one Web page! If you have just a handful of users
> from remote domains, they will swallow a disproportionate amount of
> your authentication resources. There's a bit of HTTP/1.1  Keepalive
> reuse that speeds things up - but effectively it's a cow.
>
> If you can stomach the lack of encryption, go back to Basic proxy
> authentication - squid can cache the hell out of that! I bet you'll
> find all your problems disappear.

I meant to respond to this a long time ago and I'm sorry for the delay. 
Yes, I'm using NTLM to authenticate the users to Active Directory 
requiring specific group membership. If the users don't belong to group 
"Internet Access" they are denied out. I can stomach the lack of 
encryption, but with basic proxy auth can they still authenticate to AD?



Kind regards,
Elvar





RE: [Samba] winbindd hangs up while retreiving usernames.

2008-05-01 Thread Humrick, Matt
This sounds similar to a problem I was having. Have a look at the
following thread to see if it fixes your problem:
http://lists.samba.org/archive/samba/2008-April/140109.html

Matt


[Samba] winbindd hangs up while retreiving usernames.

2008-04-28 Thread Dmitry
Hello.

I'm installing new FreeBSD 6.2-RELEASE, based on intel machine. Firewall
type is OPEN.
I have Windows Server 2000 with Active Directory on it, working in Native
mode.

I've installed samba-3.0.23c_2,1 from /usr/ports/net/samba3
prefix=/usr/local
without krb-1.5.1 being installed.

Added:
nmbd_enable="NO"
smbd_enable="NO"
winbindd_enable="YES"
to /etc/rc.conf

filled /etc/nsswitch.conf with:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files

filled /usr/local/etc/smb.conf with:
#
#=== Global Settings =
[global]
workgroup = DEP2
realm = DEP2.CITY-XXI.INT 
netbios name = SZRouter
server string = Secondary Router
security = ADS
hosts allow = 10.1.9., 127.
log file = /var/log/samba/log.%m
max log size = 5000
password server = City2.dep2.city-xxi.int 
dns proxy = no

preferred master = no
local master = no
domain master = no
os level = 0

# My Properties
auth methods = winbind
winbind use default domain = yes
allow trusted domains = no
client NTLMv2 auth = yes
winbind separator = +
winbind cache time = 10
idmap uid = 1-2
idmap gid = 1-2

and checked syntax with:
testparm -s

I've modified /etc/krb5.conf
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 ticket_lifetime = 2400
 default_realm = DEP2.CITY-XXI.INT 
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_etypes = des-cbc-crc des-cbc-md5 rc4-hmac
 default_etypes_des = des-cbc-crc des-cbc-md5 rc4-hmac

[realms]
DEP2.CITY-XXI.INT  = {
kdc = 10.1.9.200:88
admin_server = 10.1.9.200:749
}
[domain_realm]
.dep2.city-xxi.int = DEP2.CITY-XXI.INT 

and checked it with verify_krb5_conf

I've created new computer account in AD with "Allow pre-Windows 2000
computers to use this account" checked box.
Then I've successfully authenticated with login mitroko (member of Domain
Admins) and entered joined domain with
net ads join -U mitroko
Computer account in AD achieved proper DNS-name field, but didn't achieve
any of OS type fields.

I've restarted winbindd (with /usr/local/etc/rc.d/samba restart) - OK
I've pinged winbindd with
wbinfo -p - Success
wbinfo -t returns "checking the trust secret via RPC calls succeeded"
wbinfo -a testme%testme returns
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -s successfully converts SIDs to object-names.

however, wbinfo -u and wbinfo -g returns lists only after 20-30 seconds.
wbinfo -r testme doesn't work, hanging up, so squid's wbinfo_group.pl script
doesn't work also.

I have in my /var/log/samba/log.winbindd errors:

nsswitch/winbindd_ads.c:query_user_list(218)
Not a user account? atype=0x3000

and

rpc_api_pipe: Remote machine CITY2 pipe \NETLOGON fnum 0x8returned critical
error. Error was Call timed out: server did not respond after 1
milliseconds
libads/dns.c:ads_dns_lookup_srv(260)

I've read samba mail-list
In advice http://lists.samba.org/archive/samba/2006-July/122912.html, I've
installed krb-1.5.1 from /usr/ports/security/krb5
with prefix /usr/local, moved old versions to *.old filenames and added
symlinks to /usr/local/* kerberos files

but it doesn't help me.

Unfortunately I can't send verbose output of
winbindd -i -d 50 >output.txt command
because of 64K limit.
Therefore, I've placed it here - http://mitroko.com/output.txt

Any suggestions will be appreciated.
Thank you.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] winbindd not included with 2.2.5 on SCO OpenServer 5.0.5

2008-04-16 Thread Brantley Allen
That's the thing.  It's supposed to start with nmbd, it doesn't.  I
searched the system for winbind and winbindd and didn't find it.

I've since removed it and loaded 3.0.4 and I'm starting over again.  

I used Samba many years ago on some SGI IRIX systems with an NT4 domain
and don't seem to remember having this many problems.

Brantley

-----Original Message-----
From: Scott Lovenberg [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 16, 2008 1:45 PM
To: Brantley Allen
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbindd not included with 2.2.5 on SCO OpenServer
5.0.5

Brantley Allen wrote:
> Samba appears to be running ok, but I cannot authenticate from Windows.
> Winbindd doesn't appear to be anywhere on my system.
>
>  
>
> Should I load a 2.2.6 or an older version that works with SCO
> OpenServer?
>
>  
>
> Brantley
>
>   
What happens when you try to start the winbindd service?  Any log file 
output?


Re: [Samba] winbindd not included with 2.2.5 on SCO OpenServer 5.0.5

2008-04-16 Thread Scott Lovenberg

Brantley Allen wrote:

Samba appears to be running ok, but I cannot authenticate from Windows.
Winbindd doesn't appear to be anywhere on my system.  

 


Should I load a 2.2.6 or an older version that works with SCO
OpenServer?

 


Brantley

  
What happens when you try to start the winbindd service?  Any log file 
output?



[Samba] winbindd not included with 2.2.5 on SCO OpenServer 5.0.5

2008-04-15 Thread Brantley Allen
Samba appears to be running ok, but I cannot authenticate from Windows.
Winbindd doesn't appear to be anywhere on my system.  

 

Should I load a 2.2.6 or an older version that works with SCO
OpenServer?

 

Brantley



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-12 Thread Jason Haar

Elvar wrote:


Yes, Squid comes with its own NTLM AUTH mechanism but it does not 
support the --require-membership option which allows me to force users 
to be a part of a specific "internet access" group. That's why I'm 
using winbindd.


This isn't the trusted domain issue that showed up about a month ago is 
it? i.e do you have trusted domains where their domain controllers are 
some distance away over a WAN link?


You don't mention it explicitly, but I'm guessing you're using NTLM 
proxy authentication? As such it means Squid (and winbind for that 
matter) cannot cache any of the authentication requests - they all must 
go through to the backend domain controllers. And if they are remote (ie 
high latency compared with LAN-connected DCs), Squid and winbind will 
spend more and more resources tracking outstanding authentication 
requests. e.g. a single Web page may contain 10+ images - that's 11 auth 
attempts - and with NTLM that means 33 HTTP transactions - for one Web 
page! If you have just a handful of users from remote domains, they will 
swallow a disproportionate amount of your authentication resources. 
There's a bit of HTTP/1.1  Keepalive reuse that speeds things up - but 
effectively it's a cow.


If you can stomach the lack of encryption, go back to Basic proxy 
authentication - squid can cache the hell out of that! I bet you'll find 
all your problems disappear.



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Elvar



Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:

| |
| | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
| |  winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
| |  PANIC: assert failed at nsswitch/winbindd.c(383)
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
| |  winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|
| which log file are these showing up in?  And what version
| of Samba is this?
|
|> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.

That would make the most sense but doesn't really indicate
which pipe it is talking about.  If you can get lsof up and
running or use the equivalent or /proc//fd from Linux
on FreeBSD to look at open file descriptors, that will help.



Using sockstat I found many entries which look similar to below. I'm 
obviously not pasting them all but I tried to copy / paste some of each. 
The 4th column over is the FD number of the socket.


squidntlm_auth  49260 4  stream -> /var/db/samba/winbindd_privileged/pipe
squidntlm_auth  49259 4  stream -> /var/db/samba/winbindd_privileged/pipe
root smbd   1137  19 stream -> /var/db/samba/winbindd_privileged/pipe

root winbindd   1134  11 stream /tmp/.winbindd/pipe
root winbindd   1134  12 stream /var/db/samba/winbindd_privileged/pipe
root winbindd   1134  14 stream -> ??
root winbindd   1134  18 stream /var/db/samba/winbindd_privileged/pipe
root winbindd   1134  19 stream /var/db/samba/winbindd_privileged/pipe


Thanks,
Elvar
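
Elvar's monitoring question, worked through on a listing like the sockstat one above, as an added example that is not part of the original posts. The sample rows are constructed in the `sockstat -u` column layout, the function names are hypothetical, and the count covers only client-side ends of connections to the winbindd pipes, so it approximates rather than reproduces winbindd's own fd count.

```shell
#!/bin/sh
# Added example: count client-side connections to winbindd's UNIX sockets
# from `sockstat -u` style output read on stdin.

# Constructed sample in the column layout of FreeBSD `sockstat -u`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN); not captured data.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    ntlm_auth  49260 4  stream -> /var/db/samba/winbindd_privileged/pipe
squid    ntlm_auth  49259 4  stream -> /var/db/samba/winbindd_privileged/pipe
root     smbd       1137  19 stream -> /var/db/samba/winbindd_privileged/pipe
root     winbindd   1134  11 stream /tmp/.winbindd/pipe
root     winbindd   1134  12 stream /var/db/samba/winbindd_privileged/pipe
root     winbindd   1134  14 stream -> ??
root     winbindd   1134  18 stream /var/db/samba/winbindd_privileged/pipe
EOF
}

# Print "<command> <count>" for every process holding a connected socket
# ("-> path") whose peer is a winbindd pipe. Fields are located relative
# to the "->" token, so a paste whose first two columns ran together
# still parses (the command is then reported as that merged token).
winbindd_clients() {
    awk '{
        for (i = 5; i < NF; i++) {
            if ($i == "->" && $(i + 1) ~ /winbindd(_privileged)?\/pipe$/) {
                n[$(i - 4)]++
                break
            }
        }
    }
    END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Total client-side connections across all commands.
winbindd_total() {
    winbindd_clients | awk '{ t += $2 } END { print t + 0 }'
}

# Usage: sockstat -u | winbindd_check LIMIT ALERT
# LIMIT is the compiled-in client maximum (600 in this thread), ALERT the
# count at which to raise the alarm (590 was the figure suggested).
# Exit status 0 while below ALERT, 1 at or above it.
winbindd_check() {
    limit=$1
    alert=$2
    total=$(winbindd_total)
    echo "winbindd client connections: $total (alert at $alert, limit $limit)"
    [ "$total" -lt "$alert" ]
}
```

The per-command breakdown from `winbindd_clients` is the part that answers whether the proxy's helpers are the ones holding the connections.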



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Gerald (Jerry) Carter

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:

| |
| | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
| |  winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
| |  PANIC: assert failed at nsswitch/winbindd.c(383)
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
| |  winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|
| which log file are these showing up in?  And what version
| of Samba is this?
|
|> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.

That would make the most sense but doesn't really indicate
which pipe it is talking about.  If you can get lsof up and
running or use the equivalent or /proc//fd from Linux
on FreeBSD to look at open file descriptors, that will help.



cheers, jerry

- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Elvar



Scott Lovenberg wrote:

Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:
|
| Just an update on this. I recompiled and installed putting in 600 as the
| max simultaneous clients since they have 550 computers. After having
| done that, internet connectivity was working great for about a month
| whereas before daily max connections would be reached and users would be
| stuck at the proxy auth prompt. Unfortunately the same thing occurred
| yesterday. What I don't understand is how it could be reached when the
| total number of computers is only 550.

Sounds like a web proxy server right ?  so the question is
whether or not the proxy server is spawning multiple
auth requests to handle multiple connection attempts from
a single client or not.

| Any hints or feedback on this would be greatly appreciated. Output from
| the log.winbindd file is below. I only pasted a few of them, but the log
| had many listed in a row until the local IT person three finger saluted
| the box.
|
| Also, is there any way to view the current number of winbindd processes
| in use? I'd love to monitor that using Zabbix or something and have it
| auto respond when the total reaches 590 or something similar.

It's more about the number of open fds which includes the
ones between parent and child processes.  Use lsof to monitor
and match the pid with right winbindd process.  Also look at
what other files winbindd process have opened.


|
| [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|  PANIC: assert failed at nsswitch/winbindd.c(383)
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

which log file are these showing up in?  And what version
of Samba is this?

|
|
|
| Kind regards,
| Elvar
|


Not sure if it means anything, but aren't there a number of addons 
that use squid (ntlm_auth?) as an interface between samba and apache 
or PAM?  I've never been brave enough to go down that road, but 
perhaps they've got something like that going on?  'lsof' should tell 
the tale if that's the case, I suppose.


Yes, Squid comes with its own NTLM AUTH mechanism but it does not 
support the --require-membership option which allows me to force users 
to be a part of a specific "internet access" group. That's why I'm using 
winbindd.



Elvar



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Elvar



Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:
|
| Just an update on this. I recompiled and installed putting in 600 as the
| max simultaneous clients since they have 550 computers. After having
| done that, internet connectivity was working great for about a month
| whereas before daily max connections would be reached and users would be
| stuck at the proxy auth prompt. Unfortunately the same thing occurred
| yesterday. What I don't understand is how it could be reached when the
| total number of computers is only 550.

Sounds like a web proxy server right ?  so the question is
whether or not the proxy server is spawning multiple
auth requests to handle multiple connection attempts from
a single client or not.


Yes, definitely a web proxy server. I'm running Squid 2.6.18 on FreeBSD 
6-stable.


| Any hints or feedback on this would be greatly appreciated. Output from
| the log.winbindd file is below. I only pasted a few of them, but the log
| had many listed in a row until the local IT person three finger saluted
| the box.
|
| Also, is there any way to view the current number of winbindd processes
| in use? I'd love to monitor that using Zabbix or something and have it
| auto respond when the total reaches 590 or something similar.

It's more about the number of open fds which includes the
ones between parent and child processes.  Use lsof to monitor
and match the pid with right winbindd process.  Also look at
what other files winbindd process have opened.

I don't believe FreeBSD has lsof but I think sockstat will do the job?



|
| [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|  PANIC: assert failed at nsswitch/winbindd.c(383)
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

which log file are these showing up in?  And what version
of Samba is this?


These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.



|
|
|
| Kind regards,
| Elvar
|


- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Scott Lovenberg

Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:
|
| Just an update on this. I recompiled and installed putting in 600 as the
| max simultaneous clients since they have 550 computers. After having
| done that, internet connectivity was working great for about a month
| whereas before daily max connections would be reached and users would be
| stuck at the proxy auth prompt. Unfortunately the same thing occurred
| yesterday. What I don't understand is how it could be reached when the
| total number of computers is only 550.

Sounds like a web proxy server right ?  so the question is
whether or not the proxy server is spawning multiple
auth requests to handle multiple connection attempts from
a single client or not.

| Any hints or feedback on this would be greatly appreciated. Output from
| the log.winbindd file is below. I only pasted a few of them, but the log
| had many listed in a row until the local IT person three finger saluted
| the box.
|
| Also, is there any way to view the current number of winbindd processes
| in use? I'd love to monitor that using Zabbix or something and have it
| auto respond when the total reaches 590 or something similar.

It's more about the number of open fds which includes the
ones between parent and child processes.  Use lsof to monitor
and match the pid with right winbindd process.  Also look at
what other files winbindd process have opened.


|
| [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|  PANIC: assert failed at nsswitch/winbindd.c(383)
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

which log file are these showing up in?  And what version
of Samba is this?

|
|
|
| Kind regards,
| Elvar
|


- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian
Not sure if it means anything, but aren't there a number of addons that 
use squid (ntlm_auth?) as an interface between samba and apache or PAM?  
I've never been brave enough to go down that road, but perhaps they've 
got something like that going on?  'lsof' should tell the tale if that's 
the case, I suppose.



Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found

2008-04-11 Thread Gerald (Jerry) Carter

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elvar wrote:
|
| Just an update on this. I recompiled and installed putting in 600 as the
| max simultaneous clients since they have 550 computers. After having
| done that, internet connectivity was working great for about a month
| whereas before daily max connections would be reached and users would be
| stuck at the proxy auth prompt. Unfortunately the same thing occurred
| yesterday. What I don't understand is how it could be reached when the
| total number of computers is only 550.

Sounds like a web proxy server right ?  so the question is
whether or not the proxy server is spawning multiple
auth requests to handle multiple connection attempts from
a single client or not.

| Any hints or feedback on this would be greatly appreciated. Output from
| the log.winbindd file is below. I only pasted a few of them, but the log
| had many listed in a row until the local IT person three finger saluted
| the box.
|
| Also, is there any way to view the current number of winbindd processes
| in use? I'd love to monitor that using Zabbix or something and have it
| auto respond when the total reaches 590 or something similar.

It's more about the number of open fds which includes the
ones between parent and child processes.  Use lsof to monitor
and match the pid with right winbindd process.  Also look at
what other files winbindd process have opened.


|
| [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|  PANIC: assert failed at nsswitch/winbindd.c(383)
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
|  winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

which log file are these showing up in?  And what version
of Samba is this?

|
|
|
| Kind regards,
| Elvar
|


- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian

