Hi Jeremy,

I think it could be DNS resolution like you say, since this problem only happens with accounts from other domains. I have had trouble in the past getting DNS resolution to work, because this server also has a public postfix server, so if I configured the internal DNS the external resolution didn't work and vice versa. To cope with this issue I configured an internal DNS server with both internal and external resolution, and that seemed to work.

If I ping the domain controllers from any other domain they respond very fast, since I have all DCs in /etc/hosts and /etc/samba/lmhosts, and in my nsswitch.conf I have configured this: hosts: files wins dns winbind and in /etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Would it help if I configured the IP address in my krb5.conf for all domains instead of their name? Why is only krb5.conf.MYDOMAIN created in /var/lib/samba/smb_krb5 and not the file for the other domains? Maybe this has something to do...

Regards,
Jose Santiago Oyervides.

On Fri, Aug 1, 2008 at 12:19 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Fri, Aug 01, 2008 at 10:46:54AM -0500, Jose Santiago Oyervides wrote:
> > Hi,
> > I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve the
> > winbind issue previously reported (Bug# 5551) but the issue is still
> > happening in my servers.
> >
> > I have an ftp server (vsftpd), configured to use pam_winbind with krb5_auth
> > and I see some random disconnects and my users can't login. My samba servers
> > are members of a Windows 2003 domain.
> >
> > The relevant lines on my log.wb-OTHERDOMAIN are saying that the write to the
> > socket failed because the connection was reset by peer, this happened also
> > on 3.0.28, I was hoping that 3.0.31 would fix this issue.
> >
> > I'm including my configuration and my log files. This happens only when
> > pam_winbind authenticates users of other domains, sometimes it gets fixed
> > itself because in my krb5.conf I have configured several domain controllers
> > for the other domains and it changes the connections to the next server, but
> > sometimes it gets stuck with one failed server and all my users can't login
> > for a while.
>
> This is your problem :
>
> config [/var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN]
> [2008/07/31 10:03:55, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
>   got TGT for [EMAIL PROTECTED] in MEMORY:winbindd_pam_ccache (valid until: Thu, 31 Jul 2008 20:03:57 CDT (1217552637), renewable till: Thu, 31 Jul 2008 20:03:57 CDT (1217552617))
> [2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
>   ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
>
> Note the 30 second gap in timestamps.
>
> Looks like the call :
>
>         krb5_ret = cli_krb5_get_ticket(local_service,
>                                        time_offset,
>                                        &tkt,
>                                        &session_key_krb5,
>                                        0,
>                                        cc,
>                                        NULL);
>
> at line 604: in nsswitch/winbindd_pam.c is taking ages
> to contact a KDC. Do you have DNS resolution issues ?
>
> Jeremy.
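
The diagnosis in the quoted reply comes from reading the gap between two consecutive winbindd debug headers. As an added example (not part of the original thread and not Samba code), this script scans a log in that header layout and reports each stall together with the source location that logged just before it; the function name `find_stalls`, the threshold, and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Classic Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)".
# An optional fractional-seconds part is accepted and ignored.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]\s*(\S+)"
)

# Constructed sample in the layout of the excerpt quoted in the thread.
SAMPLE_LOG = """\
[2008/07/31 11:15:02, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
  got TGT for user@OTHERDOMAIN in MEMORY:winbindd_pam_ccache
[2008/07/31 11:15:32, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
[2008/07/31 11:15:33, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
  got TGT for user2@OTHERDOMAIN in MEMORY:winbindd_pam_ccache
"""


def find_stalls(log_text, threshold_s=5.0):
    """Return (gap_seconds, logged_before, logged_after) for every pair of
    consecutive headers whose timestamps are at least threshold_s apart."""
    stalls = []
    prev = None  # (timestamp, location) of the previous header
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # message body line, belongs to the previous header
        try:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # header-shaped line with an impossible date
        where = m.group(3)
        if prev is not None:
            gap = (ts - prev[0]).total_seconds()
            if gap >= threshold_s:
                stalls.append((gap, prev[1], where))
        prev = (ts, where)
    return stalls


if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE_LOG):
        print(f"{gap:.0f}s stall between {before} and {after}")
```

Running it over each log.wb-DOMAIN file shows whether the stalls cluster on the Kerberos code path for particular domains only, which is the pattern a slow KDC lookup would produce.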
