[Pkg-samba-maint] Bug#574144: winbind: Winbind eventually locks "forever" if one of ActiveDirectory refuses all connections

Castan Eric eric.castan at elca.ch
Tue Mar 16 16:54:55 UTC 2010 

Package: winbind
Version: 2:3.4.7~dfsg-1~bpo50+1
Severity: important

Due to a misconfiguration, we resulted with the following situation:
- 3 active directory servers working perfectly
- 1 active directory server up, but all ports being blocked by the firewall
It appears that this makes winbind unstable. The daemon eventuall does not answer to incoming requests on /tmp/.winbindd/pipe

I report this bug as it may interest others and as it may also occur if the active directory service crashes badly.

The steps to reproduce are easy:
- refuse incoming connections on active directory (connection closed) as below

eca at xxxxxxxxc ~> nmap 172.16.uuu.vv

Starting Nmap 4.62 ( http://nmap.org ) at 2010-03-16 17:19 CET
All 1715 scanned ports on hostname.fqdn.com (172.16.uuu.vv) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.392 seconds


After a while, it will eventually block

The symptoms are:
- if you strace libnss programs, you will see that winbindd refuses to process requests on the /tmp/.winbindd/pipe
- You will see such messages:

head /var/log/samba/log.winbindd-dc-connect
[2010/03/16 03:28:49,  1] libads/cldap.c:166(recv_cldap_netlogon)
  no reply received to cldap netlogon (ret = -1: Error = Connection refused)

/var/log/samba/log.winbindd (at the time it will not work anymore)
[2010/03/16 08:52:58,  1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_IO_TIMEOUT - retrying...

- if you strace winbind processes you will see them sleeping in select() and nothing happens



-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (800, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages winbind depends on:
ii  adduser         3.110                    add and remove users and groups
ii  libc6           2.7-18lenny2             GNU C Library: Shared libraries
ii  libcap2         2.11-2                   support for getting/setting POSIX.
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1+lenny1          OpenLDAP libraries
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libpopt0        1.14-4                   lib for parsing cmdline parameters
ii  libtalloc2      2.0.1-1~bpo50+1          hierarchical pool based memory all
hi  libwbclient0    2:3.4.7~dfsg-1~bpo50+1   Samba winbind client library
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  samba-common    2:3.4.7~dfsg-1~bpo50+1   common files used by both the Samb
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

winbind recommends no packages.

winbind suggests no packages.

-- no debconf information

More information about the Pkg-samba-maint mailing list