Re: [Samba] Samba 4.9.3 and the "10 hour problem"




On Mon, 3 Dec 2018 17:53:34 +0100
Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> We have a setup with a bunch of Dell servers acting as fileserver for
> the university here, running FreeBSD with Samba (and NFS & SFTP) to
> provide service for staff & students. 
> 
> This works in general really (very) well. We have around 4000-5000
> SMB connections spread over 6 servers during “rush hours” (8am-5pm). 
> 
> However, due to some strange (I bet it’s due to the service ticket
> timeout) reason exactly 10 hours after we restart the Samba daemons
> (and every 10th hour after that) we are seeing problems with clients
> connecting to the Samba servers (connections with valid passwords
> and/or valid Kerberos ticket are getting a “timeout” - users with
> invalid passwords/invalid Kerberos ticket get (correctly) denied
> service though!)
> 
> smb.conf:
> 
> > [global]
> > private directory = /liu/etc/samba/private
> > lock directory    = /liu/var/samba/locks
> > cache directory   = /liu/var/samba/cache
> > state directory   = /liu/var/samba/state
> > ncalrpc dir       = /liu/var/samba/ncalrpc
> > 
> > ;; Network interfaces
> > bind interfaces only = true
> > interfaces = lagg0
> > 
> > ;; Server names
> > server string = Filur05 File Server
> > netbios name = FILUR05
> > 
> > ;; Security type
> > security = ADS
> > realm = AD.LIU.SE
> > workgroup = AD
> > 
> > ;; ID Mappings
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000001-2100000000
> > idmap config AD : backend = ad
> > idmap config AD : range = 1-2000000000
> > idmap config AD : schema_mode = rfc2307
> > idmap config AD : unix_primary_group = yes

> > winbind nested groups = false
> > winbind enum users = false
> > winbind enum groups = false
> > winbind use default domain = yes
> > winbind normalize names = yes
> > winbind max clients = 1000
> > winbind max domain connections = 10
> > winbind nss info = template

You have a lot of default 'winbind' lines that you don't need, but there
is one missing:

  winbind refresh tickets = yes

Rowland

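
The check suggested in the reply above, as an added example (not part of the original thread and not Samba project code): a small Python audit that reads the [global] section of an smb.conf and reports when "security = ADS" is set without "winbind refresh tickets" enabled. The sample configuration is constructed from the quoted one, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the [global] section quoted above (trimmed).
SAMPLE_SMB_CONF = """\
[global]
;; Security type
security = ADS
realm = AD.LIU.SE
workgroup = AD
winbind use default domain = yes
winbind nss info = template
"""

TRUE_VALUES = {"yes", "true", "1"}   # boolean spellings documented in smb.conf(5)


def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    # Join lines continued with a trailing backslash before splitting.
    for raw in re.sub(r"\\\r?\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params


def audit_ticket_refresh(text):
    """Report an ADS member config that leaves 'winbind refresh tickets' off."""
    p = parse_global(text)
    if p.get("security", "").lower() != "ads":
        return []
    # Unset counts as disabled: the documented default is "false".
    if p.get("winbindrefreshtickets", "false").lower() in TRUE_VALUES:
        return []
    return ["security = ADS but 'winbind refresh tickets' is not enabled"]


if __name__ == "__main__":
    for finding in audit_ticket_refresh(SAMPLE_SMB_CONF):
        print("FINDING:", finding)
```

On a host with Samba installed, running the file's text through this audit complements testparm, which shows the effective value after defaults are applied.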