LinuxQuestions.org

Linux - Server: Lockups logging on to Active Directory on Debian Lenny using PAM and Winbind (https://www.linuxquestions.org/questions/linux-server-73/lockups-logging-on-to-active-directory-on-debian-lenny-using-pam-and-winbind-758703/)

z-man5 09-30-2009 10:57 AM

Lockups logging on to Active Directory on Debian Lenny using PAM and Winbind
 
I have set up my system to allow the use of AD accounts to log on to this box (using SSH or on the local console) - I loosely followed instructions from:
http://www.ccs.neu.edu/home/battista...ind/index.html

In short - configure Kerberos, Samba/Winbind, nsswitch, join the AD domain, configure PAM.

It works most of the time - but at times it will just lock up with anything that has to do with AD communication - for about 5 minutes or so. Particularly, the command "wbinfo -g" or "wbinfo -u" after a reboot will trigger the lockup. But it will happen "on its own" once in a while - and then I cannot use an AD account to log on.

Our company is a subsidiary of a global company based in Europe, and Active Directory resembles that organization. We in the US are only a subsidiary with an AD domain that links to the corporate root domain (they gave us quite a bit of autonomy). Corp have many other domains in AD.

Now when looking at Wireshark capture of what is happening while that 5 minute lockup is happening, I could see that the Linux box somehow gets the names of all domains and domain controllers in the global organization, and tries to open a TCP connection (port 445, maybe others) to virtually every domain controller in the world of my parent company - not only the headquarters but every subsidiary. This is not possible, because for many of those there are firewalls in place or routing is not set up, as it doesn't need to be - we only need to communicate with the corp office. Each of these attempts takes a bit to time out, and hence the lockup.

Trying to work around this, I tried many options in smb.conf, but no luck. In the end, I installed firehol, and set it up to accept in/out to our local networks, and reject anything else both in and out, so that whatever service is doing that will not have to time out.

My firehol.conf:

Code:

interface any world
        policy reject
        server all accept src AA.AA.0.0/16
        server all accept src BB.BB.0.0/16
        client all accept dst AA.AA.0.0/16
        client all accept dst BB.BB.0.0/16

- where AA.AA.0.0/16 and BB.BB.0.0/16 are the 2 internal networks in my company.

Additionally I removed broadcast from "name resolve order = lmhosts host wins bcast" - this did help a little bit.

Now it pretty much works well - the only lockup is if I run "wbinfo -g" or "wbinfo -u" within a few minutes after a reboot. Otherwise I can log on using AD accounts at any time with no delays, and even list the domain users or groups using "wbinfo -g" or "wbinfo -u" - just as long as it's not the first 5 or so minutes after startup.

So my question is: are there any options on Samba and/or Kerberos to say "look, I only care about our AD domain and nothing else, not even the root domain"? This firewall thing is a work around, not a solution...

Samba is version 3.2.5; libkrb53 is ver. 1.6.

Thanks in advance.
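The diagnosis in the post above was done by eyeballing a Wireshark capture. As an added example (not code from the thread or from Samba), here is a small Python script that does the same triage over a text export of a capture: it keeps only bare SYNs from the Linux box to port 445 and splits the destinations into those inside the reachable internal networks and those outside, which are the ones that will sit there until the TCP timeout. The capture lines, the host 10.10.5.17 and the two /16 networks are constructed placeholders standing in for the poster's AA.AA.0.0/16 and BB.BB.0.0/16; the export format is a simplified one-line-per-segment layout, not a real tshark output.

```python
import ipaddress
from collections import Counter

# Networks this box can legitimately reach; stands in for the thread's
# AA.AA.0.0/16 and BB.BB.0.0/16 (constructed RFC 1918 placeholders).
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("10.20.0.0/16")]

# Constructed capture export, one line per TCP segment:
# "<relative time> <src> -> <dst>:<dst port> [<TCP flags>]"
SAMPLE_CAPTURE = """\
0.000 10.10.5.17 -> 10.10.1.10:445 [SYN]
0.002 10.10.1.10 -> 10.10.5.17:51234 [SYN,ACK]
0.010 10.10.5.17 -> 10.20.1.10:389 [SYN]
0.015 10.10.5.17 -> 192.0.2.10:445 [SYN]
1.016 10.10.5.17 -> 192.0.2.10:445 [SYN]
3.016 10.10.5.17 -> 192.0.2.10:445 [SYN]
0.020 10.10.5.17 -> 198.51.100.44:445 [SYN]
0.030 10.10.5.17 -> 203.0.113.7:445 [SYN]
"""


def parse_line(line):
    """Split one export line into (src, dst, port, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, port = parts[3].rsplit(":", 1)
    return parts[1], dst, int(port), parts[4].strip("[]")


def triage(capture_text, local_host, allowed_nets, port=445):
    """Count outbound SYNs per destination on `port` sent by `local_host`, split
    by whether the destination lies inside one of `allowed_nets`.
    Repeated SYNs to the same host are retransmissions: the connection attempt
    is still waiting for a reply that a firewall or missing route will never send."""
    reachable, unreachable = Counter(), Counter()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        # Only bare SYNs from our host are connection attempts; SYN,ACK is the reply.
        if src != local_host or dport != port or flags != "SYN":
            continue
        addr = ipaddress.ip_address(dst)
        bucket = reachable if any(addr in n for n in allowed_nets) else unreachable
        bucket[dst] += 1
    return {"reachable": dict(reachable), "unreachable": dict(unreachable)}


if __name__ == "__main__":
    result = triage(SAMPLE_CAPTURE, "10.10.5.17", ALLOWED_NETS)
    for dst, n in sorted(result["unreachable"].items(), key=lambda kv: -kv[1]):
        print(f"{dst}: {n} SYN(s) with no reply - outside the allowed networks")
```

Run against a real export, the "unreachable" bucket is the list of domain controllers winbind is trying to reach but cannot; every entry there is one timeout contributing to the 5-minute stall, and the list also tells you which domains a "winbind:ignore domains" setting would need to name.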

madmadmod 10-02-2009 03:47 AM

Hi

Did you try the "allow trusted domains = no" option? If it does not help you can try the "winbind:ignore domains = DOMAINA DOMAINB DOMAINC" option. Not sure if that really helps...

regards

z-man5 10-02-2009 01:53 PM

I tried "allow trusted domains = no" earlier, but no luck with that.

The second suggestion looked to me like it's exactly what I need, I was even surprised how I could have missed it on the samba man page at http://www.samba.org/samba/docs/man/...mb.conf.5.html (but it just wasn't there - this might be an older man page I found).

But I tried this option and it doesn't work for me with either netbios/WINS domain names or dns domain names... it even seems to make it worse.

I use the command:
Code:

testparm -s /etc/samba/smb.conf.master >/etc/samba/smb.conf

and it doesn't complain about the syntax, and the line does make it into smb.conf.

I googled this option and I found that someone had the exact same problem and the command as in your suggestion did work for them:
http://www.pubbs.net/samba/200907/71972/

Maybe it's samba version (mine 3.2.5, theirs 3.4.0)? But I would hate to compile from source...

Thanks for your reply and a great suggestion.

madmadmod 10-05-2009 02:58 AM

You are right, it came in with 3.2.6 (http://us3.samba.org/samba/history/samba-3.2.6.html)

cheers
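The exchange above comes down to a version check: "winbind:ignore domains" is only honoured from Samba 3.2.6, so on the poster's 3.2.5 it silently does nothing even though testparm accepts it. As an added example (not code from the thread or from the Samba project), the following Python script reads an smb.conf (or the output of testparm -s), pulls out the two trust-scoping settings discussed in this thread, and reports whether the ignore list will actually take effect for a given Samba version. The sample configuration, the workgroup USSUB and the domain names EUROOT/EUSUB1/EUSUB2 are constructed placeholders; the 3.2.6 threshold is the one madmadmod cites.

```python
import re

# Samba release in which "winbind:ignore domains" arrived (per the thread).
MIN_IGNORE_DOMAINS_VERSION = (3, 2, 6)

# Constructed smb.conf; workgroup, realm and domain names are placeholders.
SAMPLE_CONF = """\
[global]
   workgroup = USSUB
   realm = USSUB.EXAMPLE.COM
   security = ads
   allow trusted domains = yes
   winbind:ignore domains = EUROOT EUSUB1 EUSUB2
   name resolve order = lmhosts host wins
"""


def parse_version(s):
    """'3.2.5' or a Debian-style '3.2.5-4lenny7' -> (3, 2, 5)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"cannot parse Samba version: {s!r}")
    return tuple(int(x) for x in m.groups())


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with inner whitespace
    collapsed so 'Allow  Trusted Domains' matches 'allow trusted domains'
    (a simplification of Samba's own name matching, which also drops spaces)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # whole-line comments only, as Samba does
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_winbind_scope(conf_text, samba_version):
    """Report the trust-scoping settings and whether the ignore list is honoured."""
    g = parse_smb_conf(conf_text).get("global", {})
    version = parse_version(samba_version)
    allow_trusted = g.get("allow trusted domains", "yes").lower() in ("yes", "true", "1")
    ignored = g.get("winbind:ignore domains", "").split()
    honoured = bool(ignored) and version >= MIN_IGNORE_DOMAINS_VERSION
    findings = []
    if not ignored:
        findings.append("no winbind:ignore domains list: winbind will try every "
                        "trusted domain it learns of")
    elif not honoured:
        findings.append(f"winbind:ignore domains is set but Samba {samba_version} "
                        f"predates 3.2.6, so the setting has no effect")
    return {"allow_trusted_domains": allow_trusted, "ignored_domains": ignored,
            "ignore_list_honoured": honoured, "findings": findings}


if __name__ == "__main__":
    for ver in ("3.2.5", "3.4.0"):
        print(ver, check_winbind_scope(SAMPLE_CONF, ver))
```

To use it on a live box, feed it the output of `testparm -s` together with the version string from `smbd -V`; a non-empty "findings" list is the reason a syntactically valid smb.conf can still leave winbind walking the whole forest.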

z-man5 10-05-2009 05:14 PM

I guess that just missed being included in lenny.

As far as compiling Samba from source - am I correct in thinking that it's just asking for trouble?

okcomputer44 10-06-2009 06:49 PM

Hi,

It is about CentOS but it might help: http://www.linuxmail.info/active-dir...amba-centos-5/

Laz.

z-man5 10-07-2009 01:11 PM

I will stick with what I have for now - it works pretty well, although I would rather not have that big "band-aid" of firehol. I will upgrade to Squeeze when it becomes stable or if I notice performance problems.

Thanks.
