[Samba] ldap? Samba? Nss?

sgmayo at mail.bloomfield.k12.mo.us
Thu Aug 27 15:26:58 MDT 2009


Ryan Suarez wrote:
> Michal Dobroczynski wrote:
>> Hello,
>> If you want to avoid using get**** try setting "ldapsam:trusted =
>> yes". This way Samba will fetch user info directly from LDAP instead
>> of going through the getpwent and others which reaaaaaally pull a lot
>> of data. That should reduce the time needed to login a bit (at least
>> that worked for me).
>>

The get**** as in my perl script actually.  I will have to do some reading
to figure out how to get the info I need without it.


> You're assuming that his samba is set up as a domain controller, not
> simply a domain member.  And that it has write access to ldap with the
> necessary attributes.
>
> Scott, you need to provide more info.
>

Rest of the info is at the bottom of this post.


>>> Just curious, Are you using samba with nss_ldap and pam_ldap for user
>>> lookups and authentication?
>>>

Yes.  I hope it is all set up correctly.  It is working it seems.  It seems
that it really got slow in the last couple of days.  I have added some
users to LDAP, but not that many.  There are probably a total of 1000
users and not near all of them would log on at once.  Maybe a couple of
hundred at the very most and more like 75-100.


>>> sgmayo at mail.bloomfield.k12.mo.us wrote:
>>>
>>>> It seems my logins are taking a long time to get logged in.  I am
>>>> guessing that it is worse when classes start and a lot of the kids try
>>>> to login at once.  My old server did not seem to have this problem
>>>> though and we have the same number of students.
>>>>
>>>> Where should I start looking at this?  I am guessing that it is ldap,
>>>> but want to make sure.
>>>>
>>>> If I log in at a computer and go to start->run and type \\server, it
>>>> may take 1-2 minutes until I can see my shares which is the same thing
>>>> the students are seeing when logging into the domain.  I just wanted to
>>>> leave any profile copying out of the equation so I just did it this way.
>>>>
>>>> I noticed this first on my batch user add program for adding users to
>>>> ldap/samba.  The program reads in the users and groups with getpwent
>>>> and getgrent and it really takes a long time.
>>>>
>>>> Any suggestions of what to start looking for would be appreciated.


I have a question about LDAP also and was wondering if this would affect it.
I know that on my old server I had the following in the slapd.conf:

core
cosine
inetorgperson
nis
samba

On my new one it has the above plus:

corba
duaconf
dyngroup
java
misc
openldap
ppolicy
collective

Those were just in there when I installed it so I left them.  Should I
take them out or would that not have any effect on logins at all?

Here is my smb.conf

[global]
workgroup = BES
server string =
netbios name = SCHOOL1
host msdfs = yes
interfaces = lo eth0
hosts allow = 127. 10.0. 192.168.0. localhost
log level = 3
ldap passwd sync = Yes
ldap admin dn = cn=Manager,dc=school1,dc=bloomfield.k12.mo.us
ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users

add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Dos charset = 850
Unix charset = ISO8859-1
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
log file = /var/log/samba/log.%m
security = user
passdb backend = ldapsam:ldap://127.0.0.1
domain master = yes
domain logons = yes

logon path =
/bin/false "%u"
local master = yes
os level = 65
preferred master = yes
wins support = yes
dns proxy = no
load printers = yes
cups options = raw

[teacher_dfs]
path = /district/dfs_shares/teachers
msdfs root = yes

[student_dfs]
path = /district/dfs_shares/students
msdfs root = yes

[userhome]
comment = Home Directories
path = /home/%u
read only = no

[student]
comment = School Wide Main for students
path = /district/school
read only = no
create mask = 660
force create mode = 2660
directory mask = 770
force directory mode = 3770

[teacher]
comment = School Wide Main for teachers
path = /district/school
read only = no
create mask = 666
force create mode = 2666
directory mask = 777
force directory mode = 3777
valid users = @teacher @admin @staff

[staff]
comment = drive for staff to share things on
path = /district/teachers
read only = no
create mask = 666
force create mode = 2666
directory mask = 777
force directory mode = 3777
valid users = @teacher @admin @staff

[sis]
path = /district/sis
read only = no
valid users = @sis @teacher @admin
create mask = 666
directory mask = 770
force directory mode = 2770
level2 oplocks = no
oplocks = no

[follett]
path = /district/follett
read only = no

[vexira]
path = /district/vexira
read only = yes

[software]
path = /district/_SOFTWARE
read only = no

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
root preexec = /var/lib/samba/netlogon/logonscript.pl %U %M %m %I
root postexec = /var/lib/samba/netlogon/logoutscript.pl %U %M %m %I

thanks again.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
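The thread suggests "ldapsam:trusted = yes" so that Samba reads account data straight from LDAP instead of going through getpwent() and friends, but the posted smb.conf does not set it. The following script is an added example, not code from the thread or from the Samba project: it parses an smb.conf, reports whether the ldapsam backend is in use without that flag, and produces a copy with the flag added to [global]. The sample configuration is constructed from a few of Scott's [global] lines; whether the flag is appropriate still depends on the point Ryan raises (Samba acting as the domain controller with complete POSIX attributes in LDAP).

```python
"""Check an smb.conf for an ldapsam backend that lacks ldapsam:trusted = yes.

Added example, not from the Samba mailing-list thread. Assumes an INI-style
smb.conf with one [global] section, which is what Samba reads.
"""
import configparser
from typing import Dict

# Constructed sample: a subset of the [global] lines posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = BES
netbios name = SCHOOL1
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
ldap user suffix = ou=Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
log level = 3

[netlogon]
path = /var/lib/samba/netlogon
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {lowercased key: value}}.

    Only '=' is accepted as the key/value delimiter: smb.conf parameters such
    as 'ldapsam:trusted' contain a colon, which configparser's default
    delimiters would otherwise split on. interpolation=None keeps '%u' intact.
    """
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def ldapsam_trusted_check(conf: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Report whether ldapsam is in use and whether ldapsam:trusted is enabled."""
    g = conf.get("global", {})
    backend = g.get("passdb backend", "").strip().lower()
    uses_ldapsam = backend.startswith("ldapsam")
    trusted = g.get("ldapsam:trusted", "no").strip().lower() in ("yes", "true", "1")
    return {
        "uses_ldapsam": uses_ldapsam,
        "ldapsam_trusted": trusted,
        "recommend_trusted": uses_ldapsam and not trusted,
    }


def with_ldapsam_trusted(text: str) -> str:
    """Return the config text with 'ldapsam:trusted = yes' added to [global].

    The text is returned unchanged if the parameter is already present.
    """
    lines = text.splitlines()
    for line in lines:
        key = line.split("=", 1)[0].strip().lower()
        if key == "ldapsam:trusted":
            return text
    for i, line in enumerate(lines):
        if line.strip().lower() == "[global]":
            lines.insert(i + 1, "ldapsam:trusted = yes")
            break
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = ldapsam_trusted_check(parse_smb_conf(SAMPLE_SMB_CONF))
    print(report)
    if report["recommend_trusted"]:
        print(with_ldapsam_trusted(SAMPLE_SMB_CONF))
```

Run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; a line that has no "=" at all (such as the stray `/bin/false "%u"` line in the posted config) makes configparser raise, which is also a useful signal, since Samba itself ignores such lines.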
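Scott's batch-add program reads every user and group through getpwent()/getgrent(), which with nss_ldap means enumerating the whole directory on each run. The script below is an added example in Python rather than Scott's Perl, and not part of the thread: it shows the per-name alternative, one getpwnam()/getgrnam() lookup per candidate account, so the cost scales with the batch rather than with the 1000 accounts in LDAP. The names in the sample batch are constructed; the example assumes it runs on a system whose NSS resolves the "root" user and group, as a normal Linux host does.

```python
"""Existence checks by name instead of directory enumeration.

Added example, not from the Samba mailing-list thread. Each lookup is a single
NSS call (pwd.getpwnam / grp.getgrnam), which nss_ldap answers with one LDAP
search for that name; pwd.getpwall() is the enumeration path getpwent() uses.
"""
import grp
import pwd
from typing import Dict, Iterable, List


def user_exists(name: str) -> bool:
    """True if NSS (files, LDAP, ...) resolves this user name."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def group_exists(name: str) -> bool:
    """True if NSS resolves this group name."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def classify_users(names: Iterable[str]) -> Dict[str, List[str]]:
    """Split a batch into accounts that already exist and ones still to add."""
    result: Dict[str, List[str]] = {"existing": [], "new": []}
    for name in names:
        result["existing" if user_exists(name) else "new"].append(name)
    return result


def classify_groups(names: Iterable[str]) -> Dict[str, List[str]]:
    """Same split for groups, via getgrnam() instead of getgrent()."""
    result: Dict[str, List[str]] = {"existing": [], "new": []}
    for name in names:
        result["existing" if group_exists(name) else "new"].append(name)
    return result


def count_all_users() -> int:
    """The enumeration path: walks every NSS source, including all of LDAP."""
    return len(pwd.getpwall())


if __name__ == "__main__":
    # Constructed batch: one account every Linux host has, two that do not exist.
    batch = ["root", "student-example-001", "teacher-example-001"]
    print(classify_users(batch))
    print(classify_groups(["root", "class-of-2013-example"]))
    print("accounts visible through enumeration:", count_all_users())
```

The one thing enumeration still buys a batch-add script is finding the next free uidNumber; smbldap-useradd, which the posted `add user script` calls, takes that from a counter entry in LDAP (the sambaUnixIdPool object) rather than by scanning users, so a script that hands the adds to smbldap-useradd does not need getpwent() for that either.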