[Samba] winbind - timeouts in domain with >100000 domain users

Ralf Gross Ralf-Lists at ralfgross.de
Thu Jan 25 10:13:42 GMT 2007


Adam Nielsen wrote:
> > Sometimes I get back the list of domain users, but this happens only
> > rarely. During these commands I can't connect to my shares with my
> > domain account. Even the top and ps commands seem to hang.
> 
> > security = domain
> 
> I had this same issue with security=domain.  Changing to security=ads
> fixed the problem.  It seems that domain mode requires a complete list
> of users, whereas ads mode is quite happy to look up single users as
> and when required.

No difference here with ADS instead of Domain. winbind is nearly
unusable.

$ wbinfo -t
checking the trust secret via RPC calls succeeded
$ wbinfo -g
[nothing/timeout or Error looking up domain groups]

other terminal:
 
$ wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!

And that's it. I have to kill the winbindd process to get it running
again.

If I avoid requesting the whole user/group list, winbind is doing ok,
but getting the directory listing of a dir with 4 files which belong
to a domain user sometimes takes 30-60 seconds.

At the moment I'm feeling not very confident with winbind in our
environment. Maybe I should stick with 'security = server' and live
with the downside to add local user/groups...

Another thing I do not quite understand: until now I used 'force
group = +ve' to force the group ownership of a file. This is not
working for the test share I created. In the samba logfile I see
'Forced group ve', but the file belongs to the domain group.

-rw-rw---- 1 ralfgro domain users     0 2007-01-25 10:50 bar.txt

> I also found that security=domain would not reliably detect changes to
> group membership.  Sometimes reloading winbind would bring the changes
> through, sometimes it wouldn't.  Again, changing to security=ads fixed
> this.
> 
> 
> > I have a local unix account ralfgro that has uid 50789 and a domain
> > account that is mapped to uid 70000.
> 
> So ralfgro == 50789 and domain == 70000
> 
> > If I now copy files to the server using smbclient they are created
> > with my domain uid.
> 
> Correct, as smbclient is connecting with uid 70000.
> 
> > If I create files with an editor on the local fs (vim) they have the
> > uid  of my unix account.
> 
> Correct, assuming you're logged on as ralfgro at the time.
> 
> > Is this the way it should be? I ask this, because an old server
> > should be migrated to this new hardware and there are many unix
> > accounts and much data that already belong to users. The old server
> > has never been member of this domain, only 'security = server' was
> > used for authentication.
> 
> The only way you can "fix" this is to make sure that each domain
> account is mapped to the same UID as the local user.  There are a
> number of ways of doing this, check the Samba manual for details.

Can you give me a hint where I can find this in the manual/howto?
Maybe I'm just using the wrong search terms.
 
> It may be easier to use SMB for authentication as well, so that the
> UNIX users no longer log in with their local username, but the SMB
> username (which in your case would mean you'd be logging on with UID
> 70000.)  This way you wouldn't need to manually map any domain accounts
> to UIDs.

I've to look a bit deeper in the authentication documentation. I want
to avoid that all domain members are able to log in to this box. This
server is a multi purpose server (cvs, svn, apache, samba). For samba
I want to be able to authenticate against ADS and use existing AD
users/groups. Certain users should also get a local home directory on
that server. For cvs, ssh... it would be nice to use AD too, but I
could not find out how I can restrict the login to certain domain
users. I think this is a pam issue.

Ralf

