[Samba] winbind-client: irregular "Connection reset by peer" errors when using Win 2003 server
Alexander Menk
2007-02-27 04:30:45 UTC
Hello!

I've integrated samba into an existing NT Domain managed by a windows
2003 server. Recently I'm having trouble using the "groups" command to get
the group of domain users. It worked well for weeks (but perhaps after
setting up an ldap-connection to the same server via the apache2 module
auth_ldap), there are irregular connection-losses, so winbind seems not
to be able to retrieve the groupnames. Sure, there are some possible
workarounds, but it would be nice to have a stable connection to the DC.
Perhaps there is a nice way to auto-resume that winbind-lookup-connection?

## I try to get the group-membership of username:

$ groups DOMAIN-NAME\\username
id: cannot find name for group ID 16777235

## sometimes a second try works .. but now it doesn't seem to help...

$ groups DOMAIN-NAME\\username
id: cannot find name for group ID 16777235

## log:

$ tail /var/log/samba/log.wb-DOMAIN-NAME

[2007/02/26 22:21:14, 0] lib/util_sock.c:write_data(559)
write_data: write failure. Error = Connection reset by peer
[2007/02/26 22:21:14, 0] libsmb/clientgen.c:write_socket(138)
write_socket: Error writing 190 bytes to socket 3: ERRNO = Connection
reset by peer
[2007/02/26 22:21:14, 0] libsmb/clientgen.c:cli_send_smb(168)
Error writing 190 bytes to client. -1 (Connection reset by peer)
[2007/02/26 22:21:14, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
rpc_api_pipe: Remote machine SERVER01 pipe \NETLOGON fnum
0xc00creturned critical error. Error was Write error: Connection reset
by peer


## only after restarting winbind it works:

***@server03:/var/log/samba$ sudo /etc/init.d/winbind restart
* Restarting the Winbind daemon winbind

[ ok ]

$ groups DOMAIN-NAME\\username
DOMAIN-NAME\\username : DOMAIN-NAME\dom?nen-benutzer ntadmin
DOMAIN-NAME\technik


## log for the case it worked

$ tail /var/log/samba/log.wb-DOMAIN-NAME
[2007/02/26 22:26:14, 0] libsmb/clientgen.c:cli_rpc_pipe_close(375)
cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0xc00c to
machine SERVER01. Error was Write error: Connection reset by peer
[2007/02/26 22:26:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2007/02/26 22:29:55, 0] nsswitch/winbindd_dual.c:child_read_request(49)
Got invalid request length: 0
[2007/02/26 22:29:57, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup

Any Ideas?

TIA!
--
Alexander Menk
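
An added example (not part of the original post and not Samba code): a small parser for the winbind log format shown above. It joins each header line with its wrapped message lines, then counts "Connection reset by peer" entries per timestamp and names the affected server and pipe. The sample log is constructed from the excerpt in the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Header of a Samba log entry: "[date time, level] source.c:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\] \S+?:(\w+)\(\d+\)$")
PIPE = re.compile(r"Remote machine (\S+) pipe (\S+) fnum")

# Constructed sample, modelled on the log excerpt in the post above.
SAMPLE_LOG = """\
[2007/02/26 22:21:14, 0] lib/util_sock.c:write_data(559)
write_data: write failure. Error = Connection reset by peer
[2007/02/26 22:21:14, 0] libsmb/clientgen.c:write_socket(138)
write_socket: Error writing 190 bytes to socket 3: ERRNO = Connection
reset by peer
[2007/02/26 22:21:14, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
rpc_api_pipe: Remote machine SERVER01 pipe \\NETLOGON fnum
0xc00creturned critical error. Error was Write error: Connection reset
by peer
[2007/02/26 22:26:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
"""

def parse_entries(text):
    """Join each header with its (possibly line-wrapped) message text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts, level, func = m.groups()
            entries.append({"ts": ts, "level": int(level), "func": func, "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def reset_summary(entries):
    """Count reset-by-peer entries per timestamp; collect (server, pipe) pairs."""
    resets = [e for e in entries if "Connection reset by peer" in e["msg"]]
    per_ts = Counter(e["ts"] for e in resets)
    hits = (PIPE.search(e["msg"]) for e in resets)
    pipes = {h.groups() for h in hits if h}
    return per_ts, pipes

if __name__ == "__main__":
    per_ts, pipes = reset_summary(parse_entries(SAMPLE_LOG))
    for ts, n in sorted(per_ts.items()):
        print(f"{ts}: {n} reset-by-peer entries")
    for server, pipe in sorted(pipes):
        print(f"affected pipe: {pipe} on {server}")
```

Run against a real log.wb-* file, a burst of resets sharing one timestamp on the same pipe marks the moment the cached connection to the DC was found dead.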
Gerald (Jerry) Carter
2007-03-01 21:19:59 UTC
Post by Alexander Menk
> Hello!
> I've integrated samba into an existing NT Domain managed
> by a windows 2003 server. Recently I'm having trouble
> using the "groups" command to get the group of domain
> users. It worked well for weeks (but perhaps after
> setting up an ldap-connection to the same server via
> the apache2 module auth_ldap), there are irregular

Winbindd and apache don't share ldap sessions.

Post by Alexander Menk
> connection-losses, so winbind seems not to be able
> to retrieve the groupnames. Sure, there are some possible
> workarounds, but it would be nice to have a stable
> connection to the DC. Perhaps there is a nice
> way to auto-resume that winbind-lookup-connection?

Seems like the DC dropping what it thinks are
idle connections. We should reconnect. Could you test
3.0.25pre1 and let me know if that behaves any better?



cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Alexander Menk
2007-03-02 03:45:02 UTC
Hi!
Post by Gerald (Jerry) Carter
> Post by Alexander Menk
>> I've integrated samba into an existing NT Domain managed
>> by a windows 2003 server. Recently I'm having trouble
>> using the "groups" command to get the group of domain
>> users. It worked well for weeks (but perhaps after
>> setting up an ldap-connection to the same server via
>> the apache2 module auth_ldap), there are irregular
> Winbindd and apache don't share ldap sessions.

yes .. but I thought there could be a conflict or s.th. like that.

Post by Gerald (Jerry) Carter
> Post by Alexander Menk
>> connection-losses, so winbind seems not to be able
>> to retrieve the groupnames. Sure, there are some possible
>> workarounds, but it would be nice to have a stable
>> connection to the DC. Perhaps there is a nice
>> way to auto-resume that winbind-lookup-connection?
> Seems like the DC dropping what it thinks are
> idle connections. We should reconnect. Could you test
> 3.0.25pre1 and let me know if that behaves any better?

It's complicated for me to test this version on the same server. Perhaps
I should set up a test-box to use that. Is that reconnect-feature new to
3.0.25pre1? Do you refer to any known bug in versions before 3.0.25pre1
concerning this problem?

Thanks,
Alex
Gerald (Jerry) Carter
2007-03-02 20:00:44 UTC
Post by Alexander Menk
> Post by Gerald (Jerry) Carter
>> Seems like the DC dropping what it thinks are
>> idle connections. We should reconnect. Could you test
>> 3.0.25pre1 and let me know if that behaves any better?
> It's complicated for me to test this version on the same
> server. Perhaps I should set up a test-box to use that.
> Is that reconnect-feature new to 3.0.25pre1? Do you refer to
> any known bug in versions before 3.0.25pre1 concerning
> this problem?

A lot of the connection manager has been cleaned up. Although
I cannot point you to a specific change.




cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian