[Pkg-samba-maint] Bug#496569: winbind: Winbind 3.2.1 delayed initial authentication, init.d script issues
James F Zuelow Jr
james_zuelow at ci.juneau.ak.us
Mon Aug 25 18:35:35 UTC 2008
Package: winbind
Version: 2:3.2.1-1
Severity: normal
User authentication with Winbind takes a very long time (around five minutes) for the initial authentication. While winbind is waiting, all other authentication (such as su) is also blocked. Subsequent authentications are normal, sub-second.
Additionally, an /etc/init.d/winbind restart leaves the service in an unstable state. It shows in ps output, but Swat says that it is NOT running. Restarting it in swat is successful. You can also manually `killall -9 winbindd` and then issue an `/etc/init.d/winbind start` to get the same effect.
This bug report is filed from a Lenny machine that has had Samba upgraded from 3.0.x to 3.2.0 to the current 3.2.1. This morning I was able to duplicate the issue on a fresh Lenny install, with just the base system, Samba 3.2.1-1, Winbind 3.2.1-1.
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded
real 4m40.069s
user 0m0.012s
sys 0m0.004s
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded
real 0m0.033s
user 0m0.012s
sys 0m0.004s
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
real 0m0.042s
user 0m0.008s
sys 0m0.016s
proxy at DEBIAN:/home/jfzuelow$ sudo /etc/init.d/samba restart ; sudo /etc/init.d/winbind restart
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] failed (requesting cctype: FILE)
Could not authenticate user [test_user] with Kerberos (ccache: FILE)
real 0m0.017s
user 0m0.008s
sys 0m0.008s
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication failed
Could not authenticate user test_user with plaintext password
could not obtain winbind interface details!
could not obtain winbind separator!
could not obtain winbind interface details!
could not obtain winbind domain name!
challenge/response password authentication failed
Could not authenticate user test_user with challenge/response
real 0m0.020s
user 0m0.012s
sys 0m0.008s
##### At this point Swat shows winbind as not running.
##### Restarting Winbind with Swat results in the long initial delay:
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
real 5m15.049s
user 0m0.004s
sys 0m0.016s
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
real 0m0.040s
user 0m0.008s
sys 0m0.008s
proxy at DEBIAN:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded
real 0m0.029s
user 0m0.012s
sys 0m0.004s
proxy at DEBIAN:/home/jfzuelow$
Rebooting a machine results in fast authentications from the first time. Restarting samba and winbind with the init.d script reverts to the old behavior, where ps output shows samba processes running but wbinfo -p fails and swat says winbind is not running. Restarting from swat resolves it, although with the very long initial delay.
There are also delays (although not as long) the first time that wbinfo -u or -g is used. Playing around, I can also trigger a long delay by restarting winbindd in Swat and then trying a `ls -l /var/run/samba/winbindd_privileged/` as root.
Note that as far as I can tell this behavior only occurs if winbind is restarted after a machine boots. From boot it works fine. However, with production servers that use winbind (Squid, et al.), this could be an issue.
Both sambas are member servers of a Server 2003 domain. smb.conf is as follows:
# Samba config file created using SWAT
# from UNKNOWN ()
# Date: 2008/08/22 10:36:54
[global]
workgroup = JUNEAU_NT
realm = JUNEAU.LOCAL
server string = James' Workstation
security = ADS
allow trusted domains = No
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
announce as = NT Workstation
svcctl list = cups, postfix, squid
addprinter command = /usr/local/bin/smbaddprinter.pl
deleteprinter command = /usr/local/bin/smbdelprinter.pl
os level = 3
local master = No
domain master = No
dns proxy = No
wins server = 192.168.55.161
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap domains = JUNEAU_NT
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config JUNEAU_NT:range = 10000-20000
idmap config JUNEAU_NT:backend = rid
idmap config JUNEAU_NT:default = yes
admin users = JUNEAU_NT+James_Zuelow
[printers]
comment = All Printers
path = /var/spool/samba
admin users = @JUNEAU_NT+MIS-SYSOP
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
admin users = @JUNEAU_NT+MIS-SYSOP
read only = No
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages winbind depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libcomerr2 1.41.0-3 common error description library
ii libkrb53 1.6.dfsg.4~beta1-3 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.10-3 OpenLDAP libraries
ii libpam0g 1.0.1-3 Pluggable Authentication Modules l
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libtalloc1 1.2.0~git20080616-1 hierarchical pool based memory all
ii libwbclient0 2:3.2.1-1 client library for interfacing wit
ii lsb-base 3.2-19 Linux Standard Base 3.2 init scrip
ii samba-common 2:3.2.1-1 Samba common files used by both th
winbind recommends no packages.
winbind suggests no packages.
-- no debconf information
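
A monitoring check for the state described in the report, where `winbindd` still shows in `ps` but `wbinfo -p` fails. This is an added example, not part of the original report or of the Debian packaging. The state names, the 5-second threshold and the use of `pgrep` are assumptions.

```shell
#!/bin/sh
# Added example: classify winbindd after a restart.
# `wbinfo -p` and the process name `winbindd` appear in the report;
# the state names and SLOW_SECS default are assumptions.

: "${WINBIND_PROC:=winbindd}"   # daemon name to look for
: "${SLOW_SECS:=5}"             # a probe this slow (or slower) is "slow"

# Count running daemons by exact name; prints 0 when there are none.
winbind_proc_count() {
    pgrep -x "$WINBIND_PROC" 2>/dev/null | wc -l | tr -d ' '
}

# Ping winbindd; sets PROBE_RC and PROBE_SECS (whole seconds).
winbind_probe() {
    _start=$(date +%s)
    if wbinfo -p >/dev/null 2>&1; then PROBE_RC=0; else PROBE_RC=$?; fi
    PROBE_SECS=$(( $(date +%s) - $_start ))
}

# Print one of: ok | slow | wedged | stopped
winbind_state() {
    winbind_probe
    if [ "$PROBE_RC" -eq 0 ]; then
        if [ "$PROBE_SECS" -ge "$SLOW_SECS" ]; then echo slow; else echo ok; fi
    elif [ "$(winbind_proc_count)" -gt 0 ]; then
        # Process is listed but does not answer the ping: the
        # post-restart condition from the report.
        echo wedged
    else
        echo stopped
    fi
}

# Run as "script check" from cron or a monitoring agent.
if [ "${1:-}" = "check" ]; then
    state=$(winbind_state)
    echo "winbind: $state"
    case $state in
        ok)   exit 0 ;;
        slow) exit 1 ;;
        *)    exit 2 ;;
    esac
fi
```

A `wedged` result is the case where the report's workaround (kill the leftover `winbindd`, then start the service) applies; `stopped` only needs a start.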