enterprise-support team mailing list archive

[Bug 1960821] [NEW] Winbind can no more connect to Windows domain after reload

 

Public bug reported:

Problem description:

After a reload, winbind can no longer connect to the Windows domain and slows down other services on the system (maybe only authentication services).
It happened for the first time on January 13, 2022.
Then it happened mostly once per week, so we found out that it came up with log rotation and reload of winbind.
It is reproducible on our systems with:
/usr/bin/smbcontrol winbindd reload-config
(as it is done in logrotate).


Effect:

1. Winbind loses Windows domain connection, starts to log:
[2022/02/14 11:00:13.872687,  1] ../source3/winbindd/winbindd_cm.c:1258(cm_prepare_connection)
  Failed to prepare SMB connection to DC2-CHILD1.child1.parent.cloud: NT_STATUS_IO_TIMEOUT
[2022/02/14 11:00:33.147954,  1] ../source3/winbindd/winbindd_cm.c:1229(cm_prepare_connection)
  failed tcon_X with NT_STATUS_IO_TIMEOUT

2. Side effect:
- SSH authentication is very slow (SSH login needs minutes or fails)
- SFTP connections run into timeouts
- Other services (like Apache) slow down or are not reachable (timeout)

3. The problem disappears after a restart of winbind, but in this case the restart takes a very long time:
time systemctl restart winbind
real    1m30.285s


Currently we have a workaround in /etc/logrotate.d/winbind:
#/usr/bin/smbcontrol winbindd reload-config
/bin/systemctl restart winbind


Operating System: Ubuntu 18.04.6 LTS
Kernel: Linux 5.4.0-1063-oracle
Samba: Version 4.7.6-Ubuntu 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
(The problem happened in 4.7.6+dfsg~ubuntu-0ubuntu2.27 too)

Samba config (relevant parts):

[global]
   workgroup = PARENT
   security = ADS
   realm = PARENT.CLOUD

   idmap config * : backend = tdb
   idmap config * : range = 3000-99999

   idmap config PARENT : backend = rid
   idmap config PARENT : range = 100000-199999

   idmap config CHILD1 : backend = rid
   idmap config CHILD1 : range = 200000-299999

   idmap config CHILD2 : backend = rid
   idmap config CHILD2 : range = 300000-399999

   idmap config CHILD3 : backend = rid
   idmap config CHILD3 : range = 400000-499999

   min domain uid = 0
   username map = /etc/samba/user.map

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1960821
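
A log check for the symptom listed under "Effect" item 1, as an added example (not part of the original report and not Samba's own tooling): it pairs each winbindd log header with its indented message line and counts cm_prepare_connection entries carrying NT_STATUS_IO_TIMEOUT since a given time, such as the moment logrotate ran the reload. The function names, the threshold and the first sample log entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect winbindd DC connection timeouts logged after a reload.

# count_dc_timeouts SINCE < logfile
#   SINCE is "YYYY/MM/DD HH:MM:SS"; the log timestamp is fixed-width, so a
#   plain string comparison orders entries correctly.
#   Prints the number of cm_prepare_connection entries at or after SINCE
#   whose message contains NT_STATUS_IO_TIMEOUT.
count_dc_timeouts() {
    awk -v since="$1" '
        # Header line: [timestamp, level] file:line(function)
        /^\[[0-9][0-9][0-9][0-9]\// {
            ts = substr($0, 2, 19)
            in_cm = (index($0, "(cm_prepare_connection)") > 0 && ts >= since)
            next
        }
        # Indented message line that belongs to the preceding header
        in_cm && /NT_STATUS_IO_TIMEOUT/ { n++; in_cm = 0 }
        END { print n + 0 }
    '
}

# winbind_degraded SINCE [THRESHOLD] < logfile
#   Succeeds (exit 0) when at least THRESHOLD timeouts were logged since SINCE.
winbind_degraded() {
    [ "$(count_dc_timeouts "$1")" -ge "${2:-1}" ]
}

# Sample input: the first entry is constructed, the other two are the
# entries quoted in the report.
sample_log() {
    cat <<'EOF'
[2022/02/14 10:59:58.000000,  3] ../constructed/example.c:1(constructed_entry)
  constructed informational line before the reload
[2022/02/14 11:00:13.872687,  1] ../source3/winbindd/winbindd_cm.c:1258(cm_prepare_connection)
  Failed to prepare SMB connection to DC2-CHILD1.child1.parent.cloud: NT_STATUS_IO_TIMEOUT
[2022/02/14 11:00:33.147954,  1] ../source3/winbindd/winbindd_cm.c:1229(cm_prepare_connection)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
EOF
}

# Demo: timeouts logged since an assumed reload time of 11:00:00.
sample_log | count_dc_timeouts "2022/02/14 11:00:00"
```

On a real host the function would read the winbindd log file instead of sample_log, and a monitoring job could alert when winbind_degraded succeeds.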
