[Samba] Winbind problem with more details.
Trimble, Ronald D
Ronald.Trimble at unisys.com
Mon Feb 18 17:50:31 GMT 2008
Thanks for all of the helpful advice Ross. I will certainly make some of these changes in the future in a controlled manner. As it turns out, one of our in-house developers has found the problem and submitted a bug against winbind for it. https://bugzilla.samba.org/show_bug.cgi?id=5264
His current patch is against the mod_auth_pam module, which is fine for us.
It took the better part of an entire week and many different debugging builds to figure out exactly what was going on.
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Friday, February 15, 2008 2:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.
Trimble, Ronald D wrote:
> Ross, do you have any links to document what you are saying
> about the "password server" being set to a domain? I have
> found several examples of it listing multiple DCs, but not a
> domain name.
Well you could read this mind numbing white paper,
or just look at your DNS zone,
You will notice for each forward zone for each domain that the DCs in those domains acting as DNS servers register their IP addresses under the zone name, like such:
IN A X.X.X.X
IN A X.X.X.X
IN A X.X.X.X
This by nature will force a round-robin lookup for all A queries of the domain name.
Windows 2000/2003 goes a step further by ordering the results based on the originating IP and the site networks you configured in sites and services, making sure it delivers IP addresses in your subnet first, filtering out any DC that is reported as down.
Try it out with nslookup.
Now if you have Unix DNS servers this will of course not happen, you will get round-robin without the filtering or ordering.
> -----Original Message-----
> From: Ross S. W. Walker [mailto:rwalker at medallion.com]
> Sent: Friday, February 15, 2008 12:06 PM
> To: Trimble, Ronald D; Herb Lewis
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Winbind problem with more details.
> Trimble, Ronald D wrote:
> > Here you go...
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggested config. If it is an earlier version let me know.
> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
> > passdb backend = smbpasswd
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
> Is that id range valid? I have never used anything over 999999, it
> seems very oddly arbitrary, but I suppose you have a reason...
> Normally I allocate a 100000 id range per domain, so NA would have
> range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> so on, makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
> idmap alloc backend = tdb
> idmap uid = 90000 - 99999
> idmap gid = 90000 - 99999
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > nt acl support = yes
> > map acl inherit = yes
> Notice I removed these lines:
> > winbind uid = 16777216-33554431
> > winbind gid = 16777216-33554431
> This is old deprecated syntax, the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
> Let me know if that helps.
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
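The idmap discussion in the quoted reply (a per-domain 'rid' range, a separate local tdb alloc range for BUILTIN and friends, and the suggestion to start each domain's range on a power of ten so the RID can be read off a uid) is easy to get wrong in a way that hands two SIDs the same Unix id. The following is an added Python example, not code from this thread or from the Samba project: it parses idmap lines in the form shown above with a deliberately simplified regex reader (not Samba's parser), flags overlapping or inverted ranges, and applies the idmap_rid mapping uid = range low + RID, which is assumed here to hold with no base_rid offset. The sample configuration is constructed and adds a second domain, NA2, laid out on the power-of-ten scheme.

```python
"""Check winbind idmap ranges and show the 'rid' backend mapping.

Added example, not from the Samba list thread or from Samba itself.
Assumption: idmap_rid maps uid = range_low + RID (no base_rid offset).
The parser below is a simplified reading of 'idmap config DOM:key = value'
lines, not Samba's own configuration parser.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines suggested in the thread plus a second
# domain (NA2) laid out on the power-of-ten scheme the reply recommends.
SAMPLE_CONF = """
idmap domains = default NA NA2
idmap config default:default = yes
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431
idmap config NA2:backend = rid
idmap config NA2:range = 200000 - 299999
idmap alloc backend = tdb
idmap uid = 90000 - 99999
idmap gid = 90000 - 99999
"""

RANGE_RE = re.compile(r"^\s*idmap config (\w+):range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
BACKEND_RE = re.compile(r"^\s*idmap config (\w+):backend\s*=\s*(\w+)\s*$")
ALLOC_RE = re.compile(r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$")

Range = Tuple[int, int]


def parse_idmap(conf: str) -> Tuple[Dict[str, dict], Dict[str, Range]]:
    """Return per-domain settings and the local 'idmap uid/gid' alloc ranges."""
    domains: Dict[str, dict] = {}
    alloc: Dict[str, Range] = {}
    for line in conf.splitlines():
        if m := RANGE_RE.match(line):
            domains.setdefault(m.group(1), {})["range"] = (int(m.group(2)), int(m.group(3)))
        elif m := BACKEND_RE.match(line):
            domains.setdefault(m.group(1), {})["backend"] = m.group(2)
        elif m := ALLOC_RE.match(line):
            alloc[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return domains, alloc


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_ranges(domains: Dict[str, dict], alloc: Dict[str, Range]) -> List[str]:
    """List inverted ranges and any overlap between domain ranges or between
    a domain range and the local alloc range. An overlap means two distinct
    SIDs can resolve to one Unix id, which silently breaks file ownership."""
    problems: List[str] = []
    named = [(d, cfg["range"]) for d, cfg in domains.items() if "range" in cfg]
    for name, (lo, hi) in named + list(alloc.items()):
        if lo > hi:
            problems.append(f"{name}: low {lo} above high {hi}")
    for i, (d1, r1) in enumerate(named):
        for d2, r2 in named[i + 1:]:
            if overlaps(r1, r2):
                problems.append(f"{d1} and {d2} ranges overlap")
        for kind, r in alloc.items():
            if overlaps(r1, r):
                problems.append(f"{d1} overlaps local idmap {kind} range")
    return problems


def rid_to_uid(domains: Dict[str, dict], domain: str, rid: int) -> int:
    """idmap_rid: uid = range low + RID (assumption stated above)."""
    lo, hi = domains[domain]["range"]
    uid = lo + rid
    if uid > hi:
        raise ValueError(f"RID {rid} maps outside {domain} range {lo}-{hi}")
    return uid


def uid_to_domain_rid(domains: Dict[str, dict], uid: int) -> Optional[Tuple[str, int]]:
    """Reverse lookup: which domain owns this uid, and what RID does it carry?"""
    for d, cfg in domains.items():
        if "range" in cfg and cfg["range"][0] <= uid <= cfg["range"][1]:
            return d, uid - cfg["range"][0]
    return None  # local/tdb-allocated ids are not RID-derived


if __name__ == "__main__":
    doms, alloc = parse_idmap(SAMPLE_CONF)
    print("problems:", check_ranges(doms, alloc) or "none")
    print("NA  RID 1105 ->", rid_to_uid(doms, "NA", 1105))
    print("NA2 RID 1105 ->", rid_to_uid(doms, "NA2", 1105))   # 201105: RID readable at a glance
    print("uid 201105   ->", uid_to_domain_rid(doms, 201105))
```

Run as-is it reports no problems for the sample and shows why the power-of-ten layout is convenient: RID 1105 in NA2 becomes uid 201105, while the same RID in the 16777216-based NA range becomes 16778321, which is correct but not something you can read off during an incident. Feed it a configuration whose domain range strays into the `idmap uid` range and `check_ranges` names the collision before winbind does.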