[Samba] Problem with number of groups of AD User (token size ?)

Joe Ammann joe at pyx.ch
Wed Feb 10 07:08:12 MST 2010


Hi all

On Fri, February 5, 2010 00:02, Jeremy Allison wrote:
>> I just wanted to ask if that (users being member of a huge number of AD
>> groups and thus their Kerberos ticket getting really big) can be at all a
>> problem with Samba/Winbind and that I should investigate more thoroughly
>> along this line?
>
> It could be. We depend on the underlying krb5 libraries to
> do this right (fallback to TCP to get the ticket if it's too
> large for UDP). What error messages do you get in the logs ?

Sorry for the delay. I tried to reproduce this in a lab setup, but was
unable to. Even with a user that is a member of 1000 groups, access and
permission checks work. So it's probably not an issue with the sheer
number of groups.

So I investigated a bit more in the production environment (the problem
only happens there, of course :-/). I was able to identify 2 users, where 1
works while the other one doesn't. The problem already happens in
winbind, so anything else is clearly due to this failing. Here's what
happens:

# wbinfo -n xxxxxx
S-1-5-21-1204043072-522325977-1734762113-122312 User (1)

# wbinfo -n xxxxxxa
S-1-5-21-1204043072-522325977-1734762113-124446 User (1)

# wbinfo -i xxxxxx
xxxxxx:*:1122312:1000513:X X:/home/GLOBAL/xxxxxx:/bin/false

# wbinfo -i xxxxxxa
Could not get info for user xxxxxxa

When I pump up the winbind log level to 10, here's what's logged in the
wb-GLOBAL.log:

[2010/02/10 15:05:59, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
  child daemon request 21
[2010/02/10 15:05:59, 10] nsswitch/winbindd_dual.c:child_process_request(478)
  process_request: request fn LOOKUPNAME
[2010/02/10 15:05:59, 3]
nsswitch/winbindd_async.c:winbindd_dual_lookupname(950)
  [28748]: lookupname GLOBAL\oizlama
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(470)
  refresh_sequence_number: GLOBAL time ok
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(504)
  refresh_sequence_number: GLOBAL seq number is now 390673974
[2010/02/10 15:05:59, 10] nsswitch/winbindd_cache.c:centry_expired(544)
  centry_expired: Key NS/GLOBAL/OIZLAMA for domain GLOBAL is good.
[2010/02/10 15:05:59, 10] nsswitch/winbindd_cache.c:wcache_fetch(629)
  wcache_fetch: returning entry NS/GLOBAL/OIZLAMA for domain GLOBAL
[2010/02/10 15:05:59, 10] nsswitch/winbindd_cache.c:name_to_sid(1373)
  name_to_sid: [Cached] - cached name for domain GLOBAL status: NT_STATUS_OK
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:cache_store_response(2267)
  Storing response for pid 28750, len 3240
[2010/02/10 15:05:59, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
  child daemon request 60
[2010/02/10 15:05:59, 10] nsswitch/winbindd_dual.c:child_process_request(478)
  process_request: request fn DUAL_USERINFO
[2010/02/10 15:05:59, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(141)
  [28748]: lookupsid S-1-5-21-1204043072-522325977-1734762113-124446
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(470)
  refresh_sequence_number: GLOBAL time ok
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(504)
  refresh_sequence_number: GLOBAL seq number is now 390673974
[2010/02/10 15:05:59, 10] nsswitch/winbindd_cache.c:query_user(1652)
  query_user: [Cached] - doing backend query for info for domain GLOBAL
[2010/02/10 15:05:59, 3] nsswitch/winbindd_ads.c:query_user(453)
  ads: query_user
[2010/02/10 15:05:59, 10] nsswitch/winbindd_ads.c:ads_cached_connection(46)
  ads_cached_connection
[2010/02/10 15:05:59, 7] nsswitch/winbindd_ads.c:ads_cached_connection(59)
  Current tickets expire in 35909 seconds (at 1265846668, time is now
1265810759)
[2010/02/10 15:05:59, 1] nsswitch/winbindd_ads.c:query_user(474)
  query_user(sid=S-1-5-21-1204043072-522325977-1734762113-124446): Not found
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(470)
  refresh_sequence_number: GLOBAL time ok
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(504)
  refresh_sequence_number: GLOBAL seq number is now 390673974
[2010/02/10 15:05:59, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid
S-1-5-21-1204043072-522325977-1734762113-124446
[2010/02/10 15:05:59, 10]
nsswitch/winbindd_cache.c:cache_store_response(2267)
  Storing response for pid 28750, len 3240

I can't really see anything that's going wrong besides the "query user:
... Not found"

Here's the smb.conf:

[global]
        realm = GLOBAL.SZH.LOC
        workgroup = GLOBAL

        security = ads

        local master = no
        preferred master = no

        template shell = /bin/false
        template homedir = /home/%D/%U

        idmap domains = GLOBAL
        idmap config GLOBAL:backend      = rid
        idmap config GLOBAL:base_rid     = 0
        idmap config GLOBAL:range        = 1000000 - 1999999

        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
        winbind nested groups = Yes

        log level = 1 winbind:10

Any hints?

CU, Joe

