[Samba] LDAP problem, with samba and groups

Bart Hendrix hendrix at worldpilot.nl
Fri Dec 24 10:50:52 GMT 2004


Hi All

We have the following problem: 
We configured samba with LDAP and this works fine. As soon as they try to log in with a user who is a member of 15 groups, it takes very long to log in with Windows, and then mostly an error message appears. 

On Win 2000 the error is: There has been made a change to the server. Contact your sysadmin

When a user (member of 15 groups) logs in, ldap shows the following logging: 

Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: <= test_filter 6 
Dec 24 10:43:45 localhost slapd[3322]: => test_filter 
Dec 24 10:43:45 localhost slapd[3322]:     EQUALITY 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: search access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "gidNumber" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: <= test_filter 6 
Dec 24 10:43:45 localhost slapd[3322]: <= test_filter_and 6 
Dec 24 10:43:45 localhost slapd[3322]: <= test_filter 6 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "entry" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "objectClass" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "objectClass" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "objectClass" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "cn" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "cn" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "gidNumber" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "gidNumber" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:45 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "description" requested 
Dec 24 10:43:45 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "description" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "sambaSID" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "sambaSID" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "sambaGroupType" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "sambaGroupType" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "displayName" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 
Dec 24 10:43:46 localhost slapd[3322]: => access_allowed: read access to "cn=engineering_w,ou=Groups,dc=sif-group,dc=nl" "displayName" requested 
Dec 24 10:43:46 localhost slapd[3322]: <= root access granted 

And then really, really much more, very long, continuously with another cn = groupname.

Now I see that the winbindd logging in /etc/samba/ shows:

[2004/12/24 10:58:36, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 11 try!
[2004/12/24 10:58:37, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:58:37, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 12 try!
[2004/12/24 10:58:38, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:58:38, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 13 try!
[2004/12/24 10:58:39, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:58:39, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 14 try!
[2004/12/24 10:58:40, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:58:40, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 15 try!
[2004/12/24 10:59:44, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:59:44, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 15 try!
[2004/12/24 10:59:46, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:59:46, 3] sam/idmap_ldap.c:ldap_get_sid_from_id(516)
  ldap_get_isd_from_id: Failure looking up entry (Timed out)
[2004/12/24 10:59:46, 1] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(426)
  Could not convert gid 10018 to sid
[2004/12/24 10:59:46, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [ 3876]: gid to sid 10001
[2004/12/24 10:59:46, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:59:46, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 1 try!
[2004/12/24 10:59:47, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:59:47, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 2 try!


I think there is a problem that it takes too long for samba before it gets an answer back. 
Any idea how to solve this? 

Is there also an option to configure ldap so that it works faster? It seems that if users are members of 15 groups, ldap checks these groups and then gives an OK sign to samba? 


Thanks and greetz Bart
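
The winbindd log quoted above can be summarised mechanically: retry count, timeouts, gids that could not be mapped to a SID, and the longest pause between records. This is an added example, not part of the original post; the function names are hypothetical and the sample is a shortened excerpt built from the log lines in the message.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt in the format of the log in the post.
SAMPLE = """\
[2004/12/24 10:58:39, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 14 try!
[2004/12/24 10:58:40, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:58:40, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 15 try!
[2004/12/24 10:59:44, 0] lib/smbldap.c:smbldap_open_connection(545)
  ldap_initialize: Time limit exceeded
[2004/12/24 10:59:46, 1] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(426)
  Could not convert gid 10018 to sid
[2004/12/24 10:59:46, 1] lib/smbldap.c:another_ldap_try(936)
  Connection to LDAP server failed for the 1 try!
"""

# Samba log header: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")

def parse_records(text):
    """Join each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"time": ts, "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Count timeouts, highest retry number, unmapped gids and longest gap."""
    recs = parse_records(text)
    tries = [int(m.group(1)) for r in recs
             if (m := re.search(r"failed for the (\d+) try", r["msg"]))]
    gids = [int(m.group(1)) for r in recs
            if (m := re.search(r"Could not convert gid (\d+) to sid", r["msg"]))]
    timeouts = sum("Time limit exceeded" in r["msg"] for r in recs)
    # Largest gap between consecutive records, in seconds.
    stall = max(((b["time"] - a["time"]).total_seconds()
                 for a, b in zip(recs, recs[1:])), default=0.0)
    return {"records": len(recs), "timeouts": timeouts,
            "max_try": max(tries, default=0), "failed_gids": gids,
            "longest_stall_s": stall}
```

On the excerpt, the longest gap is the jump from 10:58:40 to 10:59:44 after the 15th retry.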


