[Samba] domain member with winbind, slow smbcacls or smbclient listing

Zhuchenko Valery zvn at belkam.com
Mon Nov 28 05:27:39 UTC 2016


I think the reason is that some files' ACLs contain a uid or gid that is
absent in the domain.

How can I make winbindd, in this case, not connect to the controller every
time, but only periodically update the data, using the parameters winbind
cache time and idmap negative cache time?

I think so because in the logs I see these strings:
...host has no idea of uid ...
...Connected to LDAP server...


[2016/11/27 15:02:01.120598,  4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:01.120859,  4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:01.122042,  4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=DOMAIN
[2016/11/27 15:02:01.122161,  3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list:....
..........
[2016/11/27 15:02:01.154279,  3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server
[2016/11/27 15:02:01.154371,  3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server


24.11.2016 17:26, Zhuchenko Valery via samba:
> Hi, all!
> 
> When I launch (again and again)
> smbcacls "//myfileserver/share" "" -U user -W domain
> or
> smbclient "//myfileserver/share" -U user -W domain -c "ls",
> in the tcpdump output at myfileserver I see multiple calls to the controller
> via LDAP, therefore these commands are executed slowly.
> 
> When I run getent groups at myfileserver, everything works fine, and the
> tcpdump output is empty.
> Please help me: where am I wrong?
> 
> Best regards, Valery.
> 
> smbd -V
> Version 4.2.10
> 
> My winbind settings:
> testparm -s |grep winbind
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind expand groups = 10
>     winbind refresh tickets = Yes
> 
> security = ads
> idmap config * : range = 16777216-33554431
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 100-20000
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> /etc/nsswitch.conf
> passwd:     compat winbind
> group:      compat winbind
> 
> grep -r winbind /etc/pam.d
> /etc/pam.d/fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
> /etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so use_authtok
> /etc/pam.d/smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
> /etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so use_authtok
> 
> 
> 
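
One way to test the correlation described in the message above on a full winbindd log, as an added example that is not part of the original post: it counts, per uid, how often an ads_connect "Connected to LDAP server" record follows a "host has no idea of uid" record. The function names, the one-second window and the sample log (built from the excerpt, with later timestamps invented) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: first record pair is from the post, the rest is invented.
SAMPLE_LOG = """\
[2016/11/27 15:02:01.120859,  4]
../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:01.154371,  3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
[2016/11/27 15:02:03.500000,  4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:03.530000,  3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
[2016/11/27 15:02:09.000000,  3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
UNKNOWN_UID = re.compile(r"host has no idea of uid (\d+)")

def parse_records(text):
    """Yield (timestamp, message) per record; the message is the indented body."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts, body = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), []
        elif line.startswith(" ") and ts is not None:
            body.append(line.strip())  # unindented lines are wrapped source locations
    if ts is not None:
        yield ts, " ".join(body)

def ldap_connects_per_unknown_uid(text, window=1.0):
    """Count LDAP connects seen within `window` seconds after an unmapped-uid lookup."""
    hits, pending = Counter(), None  # pending = (uid, time of the failed lookup)
    for ts, msg in parse_records(text):
        m = UNKNOWN_UID.search(msg)
        if m:
            pending = (int(m.group(1)), ts)
        elif "Connected to LDAP server" in msg and pending:
            uid, seen = pending
            if (ts - seen).total_seconds() <= window:
                hits[uid] += 1
            pending = None
    return dict(hits)
```

A uid whose count grows with every smbcacls or smbclient run is being looked up on the controller each time rather than answered from a cache.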



