Twice this week I had a Domain Member Server "crash".

A week ago I saw errors like this in log.winbindd-idmap:

[2017/11/27 11:25:02.768090, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/11/27 11:25:02.768213, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)

I increased this from 2999 to 9999:

idmap config arbeitsgruppe:schema_mode = rfc2307
idmap config arbeitsgruppe:range = 10000-9999999
idmap config arbeitsgruppe:backend = ad
idmap config * : range = 2000-9999
idmap config * : backend = tdb

and restarted smbd/nmbd/winbindd.

Today it crashed again, but without those lines:

[2017/11/27 11:25:02.768228, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/11/27 11:26:43.632040, 1] ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
  Reloading services after SIGHUP
[2017/12/04 11:50:31.642817, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2017/12/04 11:51:50.973272, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

Samba-4.6.11 btw.

Hmm.

What does samba need >3000 IDs for, when we have around 40 users and maybe 15 groups in ADS there?

Can someone explain?

How to maybe clean that up, get rid of wrong ids or whatever is needed here?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Mon, 4 Dec 2017 12:13:39 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Twice this week I had a Domain Member Server "crash"
>
> A week ago I saw errors like this in log.winbindd-idmap:
>
> [2017/11/27 11:25:02.768090, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:25:02.768213, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 2999)
>
> I increased this from 2999 to 9999:
>
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-9999
> idmap config * : backend = tdb
>
> and restarted smbd/nmbd/winbindd
>
> Today it crashed again, but without those lines:
>
> [2017/11/27 11:25:02.768228, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:26:43.632040, 1] ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
>   Reloading services after SIGHUP
> [2017/12/04 11:50:31.642817, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2017/12/04 11:51:50.973272, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
>
> Samba-4.6.11 btw
>
> Hmm.
>
> What does samba need >3000 IDs for, when we have around 40 users and
> maybe 15 groups in ADS there?
>
> Can someone explain?
>
> How to maybe clean that up, get rid of wrong ids or whatever is
> needed here?

I take it that 'arbeitsgruppe' is the workgroup name, it should be 'ARBEITSGRUPPE' in the 'idmap config' lines.

The '*' range is used to store the Well Known SIDs and anything outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in fact 999 IDs should have been enough, there are less than 200 Well Known SIDs.

Your 'arbeitsgruppe' domain members should fit into 9989999 IDs.

I suspect that either your domain computers are not in fact domain computers, or something is badly mis-configured.

Rowland
On 2017-12-04 at 12:42, Rowland Penny wrote:

> I take it that 'arbeitsgruppe' is the workgroup name, it should be
> 'ARBEITSGRUPPE' in the 'idmap config' lines.

The output of testparm shows them lowercase, smb.conf has it in uppercase:

[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.hidden.tld
log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 2000-9999

idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-9999999
idmap config ARBEITSGRUPPE:schema_mode = rfc2307

username map = /etc/samba/user.map

winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nss info = rfc2307

load printers = No
printcap name = /dev/null

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

> The '*' range is used to store the Well Known SIDs and anything outside
> the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in
> fact 999 IDs should have been enough, there are less than 200 Well
> Known SIDs.
> Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
>
> I suspect that either your domain computers are not in fact domain
> computers, or something is badly mis-configured.

Well, I come back here to ask how to do things and configure DC and DM for over a year now. We discussed the config in various threads and I always follow your suggestions and the docs as good as I can and understand.

Same this time. *I* don't know what is wrong or might be wrong.

You suggest the domain computers might not be what they should be: domain computers. You mean, the windows PCs might be not joined correctly?
On Mon, 4 Dec 2017 12:56:37 +0100
"Stefan G. Weichinger" <[hidden email]> wrote:

> On 2017-12-04 at 12:42, Rowland Penny wrote:
>
> > I take it that 'arbeitsgruppe' is the workgroup name, it should be
> > 'ARBEITSGRUPPE' in the 'idmap config' lines.
>
> The output of testparm shows them lowercase, smb.conf has it in
> uppercase:
>
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.hidden.tld
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 10000-9999999
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> username map = /etc/samba/user.map
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind nss info = rfc2307
>
> load printers = No
> printcap name = /dev/null
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> > The '*' range is used to store the Well Known SIDs and anything
> > outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough
> > for this, in fact 999 IDs should have been enough, there are less
> > than 200 Well Known SIDs.
> > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
> >
> > I suspect that either your domain computers are not in fact domain
> > computers, or something is badly mis-configured.
>
> Well, I come back here to ask how to do things and configure DC and DM
> for over a year now. We discussed the config in various threads and I
> always follow your suggestions and the docs as good as I can and
> understand.
>
> Same this time. *I* don't know what is wrong or might be wrong.
>
> You suggest the domain computers might not be what they should be:
> domain computers. You mean, the windows PCs might be not joined
> correctly?

There doesn't seem to be anything really wrong with the smb.conf, unless you are running a version of Samba from 4.6.0, see here for how to set up idmap now:

https://wiki.samba.org/index.php/Idmap_config_ad

You can also find a list of Well Known SIDs here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

It may be, for some reason, your windows clients are not joined, this is unlikely, but worth checking.

Rowland
On 2017-12-04 at 13:22, Rowland Penny via samba wrote:

> There doesn't seem to be anything really wrong with the smb.conf, unless
> you are running a version of Samba from 4.6.0, see here for how to set
> up idmap now:
>
> https://wiki.samba.org/index.php/Idmap_config_ad

So that seems to hit it, we run 4.6.11 and still

winbind nss info = rfc2307

That has to be edited if I interpret correctly.

Is that a "dangerous" change? Should it be done with no users connected or with all daemons restarted after the change?

thanks, Stefan
On Mon, 4 Dec 2017 13:41:32 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
>
> > There doesn't seem to be anything really wrong with the smb.conf,
> > unless you are running a version of Samba from 4.6.0, see here for
> > how to set up idmap now:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
>
> So that seems to hit it, we run 4.6.11 and still
>
> winbind nss info = rfc2307
>
> That has to be edited if I interpret correctly.
>
> Is that a "dangerous" change? Should it be done with no users
> connected or with all daemons restarted after the change?
>
> thanks, Stefan

I wouldn't call it dangerous, but you will have to either reload or restart the samba daemons, so probably best done when no one is connected.

Rowland
On 2017-12-04 at 13:55, Rowland Penny via samba wrote:

> On Mon, 4 Dec 2017 13:41:32 +0100
> "Stefan G. Weichinger via samba" <[hidden email]> wrote:
>
>> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
>>
>>> There doesn't seem to be anything really wrong with the smb.conf,
>>> unless you are running a version of Samba from 4.6.0, see here for
>>> how to set up idmap now:
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> So that seems to hit it, we run 4.6.11 and still
>>
>> winbind nss info = rfc2307
>>
>> That has to be edited if I interpret correctly.
>>
>> Is that a "dangerous" change? Should it be done with no users
>> connected or with all daemons restarted after the change?
>>
>> thanks, Stefan
>
> I wouldn't call it dangerous, but you will have to either reload or
> restart the samba daemons, so probably best done when no one is
> connected.

ok, will do so, thanks.

Do you think that my current mis-config leads to the GID-full-issue as described? Is there a valid explanation for this? Just curious.
On Mon, 4 Dec 2017 13:58:55 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-12-04 at 13:55, Rowland Penny via samba wrote:
> > On Mon, 4 Dec 2017 13:41:32 +0100
> > "Stefan G. Weichinger via samba" <[hidden email]> wrote:
> >
> >> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
> >>
> >>> There doesn't seem to be anything really wrong with the smb.conf,
> >>> unless you are running a version of Samba from 4.6.0, see here for
> >>> how to set up idmap now:
> >>>
> >>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>
> >> So that seems to hit it, we run 4.6.11 and still
> >>
> >> winbind nss info = rfc2307
> >>
> >> That has to be edited if I interpret correctly.
> >>
> >> Is that a "dangerous" change? Should it be done with no users
> >> connected or with all daemons restarted after the change?
> >>
> >> thanks, Stefan
> >
> > I wouldn't call it dangerous, but you will have to either reload or
> > restart the samba daemons, so probably best done when no one is
> > connected.
>
> ok, will do so, thanks.
>
> Do you think that my current mis-config leads to the GID-full-issue
> as described? Is there a valid explanation for this? Just curious.

Possibly, if, by using the old config, Samba is ignoring the 'idmap config DOMAIN' lines and putting everything into the '*' domain, then you may (probably would) have more than your original set up allowed.

If this fixes it, you have found another bug ;-)

It should work with the old lines.

Rowland
On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:

> Possibly, if, by using the old config, Samba is ignoring the 'idmap
> config DOMAIN' lines and putting everything into the '*' domain, then
> you may (probably would) have more than your original set up allowed.
> If this fixes it, you have found another bug ;-)
> It should work with the old lines.

I now changed that parameter, edited the range down to 2000-2999 again and restarted services. We can connect OK, fine. We test some things now.

Can I somehow check how many of those IDs are used right now? Somehow monitor if this change fixed it?

Last time it took a week to crash again, I would prefer to be able to know things earlier.
On 2017-12-04 at 18:07, Stefan G. Weichinger via samba wrote:

> On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:
>
>> Possibly, if, by using the old config, Samba is ignoring the 'idmap
>> config DOMAIN' lines and putting everything into the '*' domain, then
>> you may (probably would) have more than your original set up allowed.
>> If this fixes it, you have found another bug ;-)
>> It should work with the old lines.
>
> I now changed that parameter, edited the range down to 2000-2999 again
> and restarted services. We can connect OK, fine. We test some things now.
>
> Can I somehow check how many of those IDs are used right now?
> Somehow monitor if this change fixed it?
>
> Last time it took a week to crash again, I would prefer to be able to
> know things earlier.

The DM gave up again today. No more gid-related stuff inside the logs, had to kill the daemons to get the shares up again.

I increased loglevel to 2 and see in

# tail winbindd.log
[2017/12/06 13:12:50.216478, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/12/06 13:12:50.216523, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/12/06 13:12:50.216566, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

This is a gentoo linux DM, and their samba-ebuild pulls in mit-krb5 for samba per default. Unfortunately that mit-krb5 package is still at 1.14.2 while 1.15.2 is available.

I assume I should upgrade that and reinstall samba-4.6.11 after?

Could it somehow be the case that the kerberos-ticket between DM and DC runs out after X hours or so?

Just guessing ...

I also consider downgrading samba to 4.5.15. At another site with about the same setup we don't face any problems.

Stefan
On 2017-12-06 at 13:20, Stefan G. Weichinger via samba wrote:

> Could it somehow be the case that the kerberos-ticket between DM and DC
> runs out after X hours or so?
>
> Just guessing ...

found this thread

https://lists.samba.org/archive/samba/2017-October/211476.html

sounds quite similar - klist showed no Kerberos ticket, did a kinit ... dunno?

I also see this:

# tail log.wb-ARBEITSGRUPPE
[2017/12/06 13:49:22.905348, 1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT

hmm
Did dbcheck on DC. 257 errors for 372 objects.

Jeez. Why? Where does that come from?

From some updating? I am quite sure that I ran those checks back when I converted the domain and wouldn't have skipped these errors IMO.

example:

CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at

Not fixing replPropertyMetaData on CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at

I see that there is a "--fix" option.
Any backups I should run before? Do it without clients connected?

pls advise
On 2017-12-06 at 15:03, Stefan G. Weichinger via samba wrote:

>
> Did dbcheck on DC. 257 errors for 372 objects.
> Jeez. Why? Where does that come from?
>
> From some updating? I am quite sure that I ran those checks back when I
> converted the domain and wouldn't have skipped these errors IMO.
>
> example:
>
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at: 0x00000000
> ERROR: unsorted attributeID values in replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> Not fixing replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> I see that there is a "--fix" option.
> Any backups I should run before? Do it without clients connected?

fixed those last week already: done

today again these lines on the DM server:

# tail log.winbindd-idmap
[2017/12/12 15:40:40.200201, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:55:55.186605, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)
[2017/12/12 15:55:55.186630, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:55:55.186723, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)
[2017/12/12 15:55:55.186736, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID

for reference: Samba 4.6.11, gentoo linux
On 2017-12-12 at 15:59, Stefan G. Weichinger via samba wrote:

> [2017/12/12 15:55:55.186723, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 2999)
> [2017/12/12 15:55:55.186736, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
>
> for reference: Samba 4.6.11, gentoo linux

Additional info, maybe relevant:

on the DC I saw yesterday:

Dec 11 20:00:16 backup winbindd[1390]: [2017/12/11 20:00:16.560037, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Dec 11 20:00:16 backup winbindd[1390]:   Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!

This line repeated within seconds after reboot (reconnect with DM?), after that no more.

DC, samba 4.6.11, debian 9.3 (LPH packages):

# smb.conf (again):

[global]
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.hidden.tld
netbios name = BACKUP
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 10.0.0.254

[netlogon]
path = /var/lib/samba/sysvol/hidden.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
DM crashed again. I will downgrade to 4.5.15 later this day, as this release works without problems at another customer.
On 2017-12-12 at 16:42, Stefan G. Weichinger via samba wrote:

> Additional info, maybe relevant:
>
> on the DC I saw yesterday:
>
> Dec 11 20:00:16 backup winbindd[1390]: [2017/12/11 20:00:16.560037, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Dec 11 20:00:16 backup winbindd[1390]:   Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!

As I found on google this is related to the fact that we run (small shares ...) file services on the DC as well.

I assume I can ignore these lines on the DC?