Package: winbind
Version: 2:3.2.1-1
Severity: normal

User authentication with Winbind takes a very long time (around five minutes) for the initial authentication. While winbind is waiting, all other authentication (such as su) is also blocked. Subsequent authentications are normal, sub-second.

Additionally, an /etc/init.d/winbind restart leaves the service in an unstable state. It shows in ps output, but Swat says that it is NOT running. Restarting it in swat is successful. You can also manually `killall -9 winbindd` and then issue an `/etc/init.d/winbind start` to get the same effect.

This bug report is filed from a Lenny machine that has had Samba upgraded from 3.0.x to 3.2.0 to the current 3.2.1. This morning I was able to duplicate the issue on a fresh Lenny install, with just the base system, Samba 3.2.1-1, Winbind 3.2.1-1.

[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded

real    4m40.069s
user    0m0.012s
sys     0m0.004s
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded

real    0m0.033s
user    0m0.012s
sys     0m0.004s
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

real    0m0.042s
user    0m0.008s
sys     0m0.016s
[EMAIL PROTECTED]:/home/jfzuelow$ sudo /etc/init.d/samba restart ; sudo /etc/init.d/winbind restart
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] failed (requesting cctype: FILE)
Could not authenticate user [test_user] with Kerberos (ccache: FILE)

real    0m0.017s
user    0m0.008s
sys     0m0.008s
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication failed
Could not authenticate user test_user with plaintext password
could not obtain winbind interface details!
could not obtain winbind separator!
could not obtain winbind interface details!
could not obtain winbind domain name!
challenge/response password authentication failed
Could not authenticate user test_user with challenge/response

real    0m0.020s
user    0m0.012s
sys     0m0.008s

##### At this point Swat shows winbind as not running.
##### Restarting Winbind with Swat results in the long initial delay:

[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

real    5m15.049s
user    0m0.004s
sys     0m0.016s
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -K test_user%Password9
plaintext kerberos password authentication for [test_user] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

real    0m0.040s
user    0m0.008s
sys     0m0.008s
[EMAIL PROTECTED]:/home/jfzuelow$ time wbinfo -a test_user%Password9
plaintext password authentication succeeded
challenge/response password authentication succeeded

real    0m0.029s
user    0m0.012s
sys     0m0.004s
[EMAIL PROTECTED]:/home/jfzuelow$

Rebooting a machine results in fast authentications from the first time. Restarting samba and winbind with the init.d script reverts to the old behavior, where ps output shows samba processes running but wbinfo -p fails and swat says winbind is not running. Restarting from swat resolves it, although with the very long initial delay.

There are also delays (although not as long) the first time that wbinfo -u or -g is used.

Playing around, I can also trigger a long delay by restarting winbindd in Swat and then trying a `ls -l /var/run/samba/winbindd_privileged/` as root.

Note that as far as I can tell this behavior only occurs if winbind is restarted after a machine boots. From boot it works fine. However, with production servers that use winbind (Squid, et al.) this could be an issue.

Both sambas are member servers of a Server 2003 domain.

smb.conf is as follows:

# Samba config file created using SWAT
# from UNKNOWN ()
# Date: 2008/08/22 10:36:54

[global]
        workgroup = JUNEAU_NT
        realm = JUNEAU.LOCAL
        server string = James' Workstation
        security = ADS
        allow trusted domains = No
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        client NTLMv2 auth = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        announce as = NT Workstation
        svcctl list = cups, postfix, squid
        addprinter command = /usr/local/bin/smbaddprinter.pl
        deleteprinter command = /usr/local/bin/smbdelprinter.pl
        os level = 3
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.55.161
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        idmap domains = JUNEAU_NT
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config JUNEAU_NT:range = 10000-20000
        idmap config JUNEAU_NT:backend = rid
        idmap config JUNEAU_NT:default = yes
        admin users = JUNEAU_NT+James_Zuelow

[printers]
        comment = All Printers
        path = /var/spool/samba
        admin users = @JUNEAU_NT+MIS-SYSOP
        create mask = 0700
        guest ok = Yes
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        admin users = @JUNEAU_NT+MIS-SYSOP
        read only = No

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages winbind depends on:
ii  adduser        3.110                 add and remove users and groups
ii  libc6          2.7-13                GNU C Library: Shared libraries
ii  libcomerr2     1.41.0-3              common error description library
ii  libkrb53       1.6.dfsg.4~beta1-3    MIT Kerberos runtime libraries
ii  libldap-2.4-2  2.4.10-3              OpenLDAP libraries
ii  libpam0g       1.0.1-3               Pluggable Authentication Modules l
ii  libpopt0       1.14-4                lib for parsing cmdline parameters
ii  libtalloc1     1.2.0~git20080616-1   hierarchical pool based memory all
ii  libwbclient0   2:3.2.1-1             client library for interfacing wit
ii  lsb-base       3.2-19                Linux Standard Base 3.2 init scrip
ii  samba-common   2:3.2.1-1             Samba common files used by both th

winbind recommends no packages.

winbind suggests no packages.

-- no debconf information