Public bug reported:

Problem description:

After a reload, winbind can no longer connect to the Windows domain and slows down other services on the system (maybe only authentication services).

It happened for the first time on January 13, 2022. Then it happened mostly once per week, so we found out that it came up with log rotation and the reload of winbind.

It is reproducible on our systems with:

    /usr/bin/smbcontrol winbindd reload-config

(as it is done in logrotate).

Effect:

1. Winbind loses the Windows domain connection and starts to log:

    [2022/02/14 11:00:13.872687, 1] ../source3/winbindd/winbindd_cm.c:1258(cm_prepare_connection)
      Failed to prepare SMB connection to DC2-CHILD1.child1.parent.cloud: NT_STATUS_IO_TIMEOUT
    [2022/02/14 11:00:33.147954, 1] ../source3/winbindd/winbindd_cm.c:1229(cm_prepare_connection)
      failed tcon_X with NT_STATUS_IO_TIMEOUT

2. Side effect:
   - SSH authentication is very slow (SSH login needs minutes or fails)
   - SFTP connections run into a timeout
   - Other services (like Apache) slow down or are not reachable (timeout)

3. The problem disappears after a restart of winbind, but in this case the restart takes a very long time:

    time systemctl restart winbind
    real 1m30.285s

Currently we have a workaround in /etc/logrotate.d/winbind:

    #/usr/bin/smbcontrol winbindd reload-config
    /bin/systemctl restart winbind

Operating System: Ubuntu 18.04.6 LTS
Kernel: Linux 5.4.0-1063-oracle
Samba: Version 4.7.6-Ubuntu 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
(The problem happened in 4.7.6+dfsg~ubuntu-0ubuntu2.27 too)

Samba config (relevant parts):

    [global]
    workgroup = PARENT
    security = ADS
    realm = PARENT.CLOUD
    idmap config * : backend = tdb
    idmap config * : range = 3000-99999
    idmap config PARENT : backend = rid
    idmap config PARENT : range = 100000-199999
    idmap config CHILD1 : backend = rid
    idmap config CHILD1 : range = 200000-299999
    idmap config CHILD2 : backend = rid
    idmap config CHILD2 : range = 300000-399999
    idmap config CHILD3 : backend = rid
    idmap config CHILD3 : range = 400000-499999
    min domain uid = 0
    username map = /etc/samba/user.map
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1960821

Title:
  Winbind can no more connect to Windows domain after reload

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1960821/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs