[Samba] Fwd: smb.conf for around 2500 users

Nico Kadel-Garcia nkadel at gmail.com
Wed Jul 4 10:12:38 MDT 2012


---------- Forwarded message ----------
From: Nico Kadel-Garcia <nkadel at gmail.com>
Date: Wed, Jul 4, 2012 at 12:12 PM
Subject: Re: [Samba] smb.conf for around 2500 users
To: steve <steve at steve-ss.com>


On Wed, Jul 4, 2012 at 11:11 AM, steve <steve at steve-ss.com> wrote:
> On 03/07/12 10:18, Jonathan Buzzard wrote:
>>
>>
>> On Mon, 2012-07-02 at 18:20 +0200, steve wrote:
>>
>> [SNIP]
>>
>>>
>>> I think I must be missing something here because as far as I can see,
>>> winbindd puts all users into the directory specified in template
>>> homedir. [homes] then picks out the user from there.
>>>
>>
>> Yes you are; stop using template homedir and configure winbind correctly.
>
>
> OK. template homedir is now removed. Although we are using winbind we are
> not running winbindd. All our mapping is done using nss-pam-ldapd.
>
>>
>>
>> # deal with NSS and the whole UID/SID id mapping stuff
>>         idmap backend = tdb
>>         idmap uid = 2000000 - 2999999
>>         idmap gid = 2000000 - 2999999
>>         idmap config MYDOMAIN : backend = nss
>>         idmap config MYDOMAIN : readonly = yes
>>         idmap config MYDOMAIN : range = 500 - 1999999
>>         idmap cache time = 604800
>>         idmap negative cache time = 20
>>         winbind cache time = 600
>>         winbind nss info = rfc2307
>>         winbind expand groups = 2
>>         winbind nested groups = yes
>>         winbind use default domain = yes
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind refresh tickets = yes
>>         winbind offline logon = false
>>
> No, we have none of that. Our global is simply:
> [global]
>         server role = domain controller
>         workgroup = MARINA
>         realm = hh3.site
>         netbios name = HH1
>         passdb backend = samba4
>         wide links = Yes
>         unix extensions = No
>
>
>
>> You need to edit /etc/nsswitch of course. This is the "samba" way of
>> doing things.
>
>
> We have
> passwd: compat ldap
> group:  compat ldap
> hosts:  files mdns4_minimal [NOTFOUND=return] dns
>
>>
>>
>> As to suggestions to use autofs on 2500 users, my advice is don't. Works
>> well at ~50 users but gets flaky at a couple hundred users with random
>> things not working 100% of the time that will take you forever to track
>> down to autofs if you do.
>>
> That's interesting/worrying. Although we have 2500 users, we only have
> around 150 computers in the domain, spread over 4 teaching labs. Those are
> split about 50:50 Linux:windows so I'd put the maximum number of NFS autofs
> mounts to be 80 at most. What do you reckon?

NFS and autofs buy you some very, very useful things. One is that it
can support multiple upstream NFS servers, which might help distribute
the load for 2500 users. Another is that by automounting a set of
subdirectories, instead of one large master share, you can tune the
settings of those mounted directories for security. Another is that
you can mix NFSv3 and NFSv4 for environments that need TCP-based
access or Kerberized authentication for fileshares. Another is that
unused material is not mounted and can be deleted or re-arranged on
the fileserver, which is priceless when managing 2500 accounts with
2500 home directories.

But with 2500 users, and hundreds at a time connected, it's maybe time
to think about running the CIFS fileshares directly on the NFS
*servers* and get the Samba clients out of the way. Why introduce a
layer of complexity with a Samba client on top of NFS if the
fileserver can do it directly? And if it's too much for one
fileserver, maybe it's time to think about splitting up fileservices
anyway.


> Cheers and thanks for your comments,
> Steve
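
The per-directory tuning described in the reply above (separate automounted subdirectories, several upstream NFS servers, NFSv3 mixed with Kerberized NFSv4) can be checked mechanically. The following is an added example, not part of the original thread: a small audit of an autofs indirect map. The hostnames, export paths and the nosuid/nodev/sec=krb5* baseline are assumptions made up for illustration.

```python
# Added example: audit an autofs indirect map for per-mount hardening options.
# Assumed site baseline (not from the thread): every mount carries nosuid and
# nodev, and uses a Kerberos security flavor (sec=krb5, krb5i or krb5p).
REQUIRED = {"nosuid", "nodev"}

# Constructed sample map; hostnames and export paths are placeholders.
SAMPLE_MAP = """\
# key     options                                   location(s)
staff     -fstype=nfs4,sec=krb5p,nosuid,nodev       nfs1.example.org:/export/staff
students  -fstype=nfs4,sec=krb5,nosuid,nodev        nfs2.example.org:/export/students
legacy    -fstype=nfs,vers=3,proto=tcp,nosuid       nfs3.example.org:/export/legacy
scratch   nfs1.example.org:/export/scratch nfs2.example.org:/export/scratch
"""

def parse_map(text):
    """Yield (key, option set, [locations]) for each entry of an indirect map."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        key, rest = fields[0], fields[1:]
        opts = set()
        if rest and rest[0].startswith("-"):  # options field is optional
            opts = set(rest[0][1:].split(","))
            rest = rest[1:]
        yield key, opts, rest

def audit(text):
    """Return {key: [findings]} for entries that miss the assumed baseline."""
    report = {}
    for key, opts, _locations in parse_map(text):
        findings = [f"missing {o}" for o in sorted(REQUIRED - opts)]
        sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), None)
        if sec is None or not sec.startswith("krb5"):
            findings.append("no Kerberos security flavor (sec=krb5*)")
        if findings:
            report[key] = findings
    return report

def servers(text):
    """Return the set of upstream NFS servers the map spreads load across."""
    return {loc.split(":", 1)[0] for _, _, locs in parse_map(text) for loc in locs}

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_MAP).items():
        print(f"{key}: {'; '.join(findings)}")
    print("servers:", ", ".join(sorted(servers(SAMPLE_MAP))))
```
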