# [SOLVED] PAM/winbind weirdness

## boojummy

Hello everyone,

  Here's something strange that came up-- when winbindd is running, performing certain non-samba related tasks causes the entire system to hang.  For reference, this machine is an AMD64 Opteron 248HE, and I have a pure 64-bit system.  Winbind is connected to an AD.  Normally, it functions fine, although I have not yet made this a production machine (and exposed it to our 200 or so users).

  This is how I trigger the problem:

  1. Start up smbd, nmbd, and winbind.  All working.  Great.

  2. run "emerge -pv [anything]"  "world" is a good example here.  The whole machine hangs until either emerge is done (which takes a really long time-- like 20-30 minutes!), or I Ctrl-C and terminate the process.  While this is happening, samba is also hanging-- you cannot use those shares, and Windows clients eventually time out.  If I attempt to run other jobs in, say, another ssh session, nothing happens.  That's hanging too.

  Now, here's how I determined it was winbind-related:

  1. Start up smbd, nmbd, but do not start up winbind.

  2. run "emerge -pv [whatever]" (again, "world" is a good example).  This is super fast!  Just what I would expect from a modern machine.

  So I asked myself, "Why would winbind affect other running processes?"  My first thought was: PAM.  I followed an AD-Samba howto here in the forums, and I remember modifying some PAM settings.  I went back to look at my PAM configs.  Maybe other services are hooked into winbind?

  Unless I am misunderstanding how PAM works, this does not appear to be the case.  The only PAM stack that mentions "winbind" is the "/etc/pam.d/samba" stack.  And that samba stack is not referenced by "pam_stack" or otherwise included by any other stacks.  So I'm at a bit of a loss to explain this, although it is clear that winbind is somehow responsible for the slowdown.

  Here's my /etc/pam.d/samba:

```
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

  Here's my /etc/pam.d/system-auth:

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
```

  Here's my /etc/pam.d/login:

```
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_access.so
account    include      system-auth
account    required     pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root
password   include      system-auth
session    include      system-auth
session    required     pam_env.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so motd=/etc/motd
session    optional     pam_mail.so
# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session    optional    pam_console.so
```

  I'm stumped.  What is emerge doing that would have anything to do with winbind?  Anyone have any suggestions as to where I could look next?

Thanks,

-b

Last edited by boojummy on Wed Dec 05, 2007 10:05 pm; edited 1 time in total

----------

## boojummy

Ah... wait!  Maybe this has something to do with it?

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

Now to understand nsswitch...

----------

## boojummy

OK, removing "winbind" from nsswitch.conf definitely makes 'emerge -pv world' fast again.  Of course, it breaks AD authentication for Samba.  I really hope that this isn't a design problem with winbind, like, that big AD domains are going to be slow.

Looks like I can 'short-circuit' nsswitch to some degree-- try files before trying winbind.  Now to see what 'compat' means...

----------

## boojummy

Problem solved.

A very helpful manpage for nsswitch.conf on Solaris led me to something that gave me a big clue.  Here's the relevant portion:

*Quote:*

> Enumeration -- getXXXent()
>
>      Many of the databases have  enumeration  functions:   passwd
>      has  getpwent(),  hosts  has gethostent(), and so on.  These
> ...

So the question was: which call does winbind use?  Well, it turns out, this is mentioned in Samba's enormous smb.conf manpage:

*Quote:*

> winbind enum groups (G)
>
>     On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.
>
>     Warning
> ...

  After inserting

```
winbind enum users = no
winbind enum groups = no
```

  into my /etc/samba/smb.conf, the slowness problem went away.  Yay!  I've yet to see what "odd" behavior will result from this, but I may just need to live with it.

----------
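The thread's root cause is a combination of two settings: `winbind` listed as a source for `passwd`/`group` in nsswitch.conf, and winbindd still answering the `getpwent()`/`getgrent()` enumeration calls against a large domain. The following check, added here as an example and not code from the thread or from Samba, parses both files and reports databases where winbind is an NSS source but the matching `winbind enum users` / `winbind enum groups` parameter has not been explicitly set to `no`. The sample configs are constructed, modelled on the ones posted above; the treatment of a missing parameter as "enumeration enabled" is an assumption matching the Samba-3.0-era default the original poster hit, and newer Samba releases may default differently.

```python
"""Lint nsswitch.conf + smb.conf for winbind enumeration exposure.

Added example (not from the thread or Samba). Assumes the Samba-3.0-era
default where 'winbind enum users/groups' is enabled unless set to no.
"""

# Constructed sample inputs, modelled on the configs in the thread.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat
group:       compat winbind
hosts:       files dns
"""

SAMPLE_SMB_CONF_BEFORE = """\
[global]
   workgroup = EXAMPLE      # constructed placeholder
   security = ads
[homes]
   browseable = no
"""

SAMPLE_SMB_CONF_AFTER = SAMPLE_SMB_CONF_BEFORE.replace(
    "[homes]",
    "   winbind enum users = no\n   winbind enum groups = no\n[homes]",
)

# NSS database -> smb.conf parameter that suppresses its enumeration.
ENUM_PARAMS = (
    ("passwd", "winbind enum users"),
    ("group", "winbind enum groups"),
)


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = sources.split()
    return dbs


def parse_smb_global(text):
    """Return {normalised key: value} for the [global] section of smb.conf.

    Samba ignores case and internal whitespace in parameter names, so keys
    are lower-cased and whitespace-collapsed. Only '[global]' is kept.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split("#", 1)[0].strip()    # trailing comment
        params[" ".join(key.split()).lower()] = value
    return params


def is_false(value):
    """True only if the value is an explicit Samba boolean 'no'."""
    return value is not None and value.strip().lower() in ("no", "false", "0")


def enum_risk(nsswitch_text, smb_text):
    """Return [(database, parameter)] pairs where winbind is an NSS source
    and enumeration for that database is not disabled in smb.conf."""
    dbs = parse_nsswitch(nsswitch_text)
    params = parse_smb_global(smb_text)
    findings = []
    for db, param in ENUM_PARAMS:
        if "winbind" in dbs.get(db, []) and not is_false(params.get(param)):
            findings.append((db, param))
    return findings


def report(nsswitch_text, smb_text):
    """Human-readable summary of enum_risk()."""
    findings = enum_risk(nsswitch_text, smb_text)
    if not findings:
        return "OK: winbind enumeration is disabled for every winbind-backed NSS database"
    lines = ["WARNING: getXXXent() will be answered by winbindd for:"]
    for db, param in findings:
        lines.append(f"  {db}: set '{param} = no' in [global] of smb.conf")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- before ---")
    print(report(SAMPLE_NSSWITCH, SAMPLE_SMB_CONF_BEFORE))
    print("--- after ---")
    print(report(SAMPLE_NSSWITCH, SAMPLE_SMB_CONF_AFTER))
```

Run it against your real files by reading `/etc/nsswitch.conf` and `/etc/samba/smb.conf` into the two text arguments; a clean result means that tools which walk the whole user or group database (as emerge did in the thread) will be served by the local files only, while by-name lookups via `getpwnam()` still reach the domain through winbind.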