[Samba] winbind - timeouts in domain with >100000 domain users

Adam Nielsen adam.nielsen at uq.edu.au
Tue Jan 23 03:59:12 GMT 2007


> Sometimes I get back the list of domain users, but this happens only
> rarely. During these commands I can't connect to my shares with my
> domain account. Even the top and ps commands seem to hang.

> security = domain

I had this same issue with security=domain.  Changing to security=ads
fixed the problem.  It seems that domain mode requires a complete list
of users, whereas ads mode is quite happy to look up single users as
and when required.

I also found that security=domain would not reliably detect changes to
group membership.  Sometimes reloading winbind would bring the changes
through, sometimes it wouldn't.  Again, changing to security=ads fixed
this.


> I have a local unix account ralfgro that has uid 50789 and a domain
> account that is mapped to uid 70000.

So ralfgro == 50789 and domain == 70000

> If I now copy files to the server using smbclient they are created
> with my domain uid.

Correct, as smbclient is connecting with uid 70000.

> If I create files with an editor on the local fs (vim) they have the
> uid of my unix account.

Correct, assuming you're logged on as ralfgro at the time.

> Is this the way it should be? I ask this, because an old server
> should be migrated to this new hardware and there are many unix
> accounts and much data that already belong to users. The old server
> has never been member of this domain, only 'security = server' was
> used for authentication.

The only way you can "fix" this is to make sure that each domain
account is mapped to the same UID as the local user.  There are a
number of ways of doing this, check the Samba manual for details.

It may be easier to use SMB for authentication as well, so that the
UNIX users no longer log in with their local username, but the SMB
username (which in your case would mean you'd be logging on with UID
70000.)  This way you wouldn't need to manually map any domain accounts
to UIDs.

Cheers,
Adam.
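
Added example, not part of the original message: a pre-migration check for the UID mapping issue discussed above. It compares local accounts with domain-mapped accounts and reports names whose UIDs differ, plus domain UIDs that land on a different local user's UID (that domain user would then own the local user's files). The passwd-format input with DOMAIN\user names, the EXAMPLE domain and the alice, bob and carol entries are constructed assumptions; only ralfgro's UIDs come from the thread.

```python
# Constructed sample input in passwd format. Only ralfgro's UIDs
# (50789 local, 70000 domain) come from the thread; the rest is made up.
LOCAL_PASSWD = """\
ralfgro:x:50789:100:Ralf:/home/ralfgro:/bin/bash
alice:x:50790:100:Alice:/home/alice:/bin/bash
bob:x:70001:100:Bob:/home/bob:/bin/bash
"""
# Assumption: domain accounts are listed as DOMAIN\\user in passwd format.
DOMAIN_PASSWD = """\
EXAMPLE\\ralfgro:*:70000:70000::/home/EXAMPLE/ralfgro:/bin/false
EXAMPLE\\alice:*:50790:70000::/home/EXAMPLE/alice:/bin/false
EXAMPLE\\carol:*:70001:70000::/home/EXAMPLE/carol:/bin/false
"""


def parse_passwd(text, separator="\\"):
    """Return {short_name: uid}, dropping any DOMAIN<separator> prefix."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed entries instead of guessing
        name = fields[0].rsplit(separator, 1)[-1].lower()
        users[name] = int(fields[2])
    return users


def audit(local_text, domain_text):
    """Return (mismatches, collisions) between local and domain accounts."""
    local = parse_passwd(local_text)
    domain = parse_passwd(domain_text)
    owner_of = {uid: name for name, uid in local.items()}
    # Same account name, different UID: existing files keep the old owner.
    mismatches = sorted((n, local[n], uid) for n, uid in domain.items()
                        if n in local and local[n] != uid)
    # Domain UID equals another local user's UID: unintended file access.
    collisions = sorted((n, uid, owner_of[uid]) for n, uid in domain.items()
                        if uid in owner_of and owner_of[uid] != n)
    return mismatches, collisions


if __name__ == "__main__":
    mismatches, collisions = audit(LOCAL_PASSWD, DOMAIN_PASSWD)
    for name, local_uid, domain_uid in mismatches:
        print(f"MISMATCH {name}: local uid {local_uid}, domain uid {domain_uid}")
    for name, uid, owner in collisions:
        print(f"COLLISION domain user {name} has uid {uid} of local user {owner}")
```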

