[Samba] winbind - timeouts in domain with >100000 domain users

Adam Nielsen adam.nielsen at uq.edu.au
Tue Jan 30 00:13:34 GMT 2007


> No difference here with ADS instead of Domain. winbind is nearly
> unusable.
> 
> $ wbinfo -g
> [nothing/timeout or Error looking up domain groups]

Yes, I think the problem is that when you retrieve the full list of
groups winbind has to assign GIDs to them - if you avoid doing that it
seems to work properly.

The problem I found was that in Domain mode some things (like getting a
directory list) would try to retrieve the full list of groups, whereas
under ADS mode this doesn't seem to happen.  Sometimes it takes a few
seconds to show the folder list (it seems that winbind is trying to
reconnect to the AD server) but after that it's usually pretty quick.

You may also have found that doing 'wbinfo -g' has "polluted" the GID
mapping table with thousands of irrelevant IDs, so if possible you can
try deleting that before switching to ADS mode (and then don't pull in
the full list of groups again.)

> Another thing I do not quite understand: until now I used 'force
> group = +ve' to force the group ownership of a file. This is not
> working for the test share I created. In the samba logfile I see '
> Forced group ve', but the file belongs to the domain group.
> 
> -rw-rw---- 1 ralfgro domain users     0 2007-01-25 10:50 bar.txt

This is probably because it is forcing the group to be that user's
primary AD group - if you look in AD you'll see there's a mention of
the primary group for POSIX implementations - normally this is set to
Domain Users.

I'm not aware of a way around this (other than changing everyone's
primary group in AD) - I used the GUID bit (chmod g+s) on our folders
so that all the files would inherit the group from the folder itself.
It works well for shared folders, giving access to a single AD group.

> Can you give me a hint where I can find this in the manual/howto?
> Maybe I'm just using the wrong search terms.

I'm not sure off the top of my head, but if you look through the
contents page in the manual there's a whole section about joining a
domain and it lists all the various methods of setting up mapping -
this is one of them.

Cheers,
Adam.
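
Added example, not part of the original message or of Samba: the group-inheritance approach above only holds if every directory in the share carries the set-group-ID bit (chmod g+s), so this sketch audits a tree for directories missing the bit and for entries whose group has drifted from the share root's group. The function names and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a shared tree that relies on set-group-ID directories (chmod g+s)
# so that new files take the folder's group instead of the creator's
# primary group (e.g. "domain users").

# Numeric GID owning a path.
path_gid() {
    ls -dn "$1" | awk '{print $4}'
}

# Directories under $1 (inclusive) without the setgid bit: files created
# there fall back to the creator's primary group.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Entries under $1 whose group differs from the share root's group.
entries_with_wrong_group() {
    find "$1" ! -group "$(path_gid "$1")" -print
}

# Set the bit on every directory that lacks it (needs ownership or root).
repair_setgid() {
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Demo on a constructed temporary tree standing in for a share.
share=$(mktemp -d)
mkdir -p "$share/projects/alpha" "$share/scratch"
chmod g+s "$share" "$share/projects"
echo "missing setgid before repair:"
dirs_missing_setgid "$share"
repair_setgid "$share"
touch "$share/projects/alpha/bar.txt"
echo "missing setgid after repair: $(dirs_missing_setgid "$share" | wc -l)"
echo "wrong group: $(entries_with_wrong_group "$share" | wc -l)"
rm -rf "$share"
```

Files that existed before the bit was set keep their old group, which is why the group check is separate from the setgid check.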

