[Samba] domain member with winbind, slow smbcacls or smbclient listing

Zhuchenko Valery zvn at belkam.com
Mon Nov 28 10:53:38 UTC 2016


Hi, all

Replacing the owner (when no user corresponds to the file's numeric
user ID) or the group (when no group corresponds to the file's
numeric group ID) solves the problem (partially).

Check the files before making changes, and maybe save the results:
find "/samba/dir1" \( -nouser -or -nogroup \) -printf "%u:%g:%p\n">saved

Replacements (in my case; perhaps it is better to select a different
owner and group):
find "/samba/dir1" -nouser -exec chown root "{}" \;
find "/samba/dir1" -nogroup -exec chgrp root "{}" \;

Or, if there is no opportunity to make changes, how can I tell winbindd to
read periodically updated caches only? I don't know how to do it.

Best regards,
Valery

28.11.2016 09:27, Zhuchenko Valery via samba:
> I think the reason is some files' ACLs, which contain a uid or gid absent
> in the domain.
>
> How can I make winbindd in this case not connect to the controller every
> time, but only periodically update its data, using the parameters winbind
> cache time and idmap negative cache time?
>
> I think so because in the logs I see these strings:
> ...host has no idea of uid ...
> ...Connected to LDAP server...
>
>
> [2016/11/27 15:02:01.120598,  4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
>   child daemon request 59
> [2016/11/27 15:02:01.120859,  4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
>   pdb_default_uid_to_sid: host has no idea of uid 3677
> [2016/11/27 15:02:01.122042,  4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
>   ads_dc_name: domain=DOMAIN
> [2016/11/27 15:02:01.122161,  3] ../source3/libsmb/namequery.c:3133(get_dc_list)
>   get_dc_list: preferred server list:....
> ..........
> [2016/11/27 15:02:01.154279,  3] ../source3/libads/ldap.c:541(ads_connect)
>   Successfully contacted LDAP server
> [2016/11/27 15:02:01.154371,  3] ../source3/libads/ldap.c:584(ads_connect)
>   Connected to LDAP server
>
>
> 24.11.2016 17:26, Zhuchenko Valery via samba:
>> Hi, all!
>>
>> When I launch (again and again)
>> smbcacls "//myfileserver/share" "" -U user -W domain
>> or
>> smbclient "//myfileserver/share" -U user -W domain -c "ls",
>> in the tcpdump output at myfileserver I see multiple calls to the controller
>> via ldap, therefore these commands are executed slowly.
>>
>> When I run getent groups at myfileserver, all worked fine, and the tcpdump
>> output is empty.
>> Please help me, where am I wrong?
>>
>> Best regards, Valery.
>>
>> smbd -V
>> Version 4.2.10
>>
>> My winbind settings:
>> testparm -s |grep winbind
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind expand groups = 10
>>     winbind refresh tickets = Yes
>>
>> security = ads
>> idmap config * : range = 16777216-33554431
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 100-20000
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> /etc/nsswitch.conf
>> passwd:     compat winbind
>> group:      compat winbind
>>
>> grep -r winbind /etc/pam.d
>> /etc/pam.d/fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
>> /etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so use_authtok
>> /etc/pam.d/smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
>> /etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so use_authtok
>>
>>
>>
>
>
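
A restorable variant of the check-and-save step in the message above, as an added example that is not part of the original post: it records numeric IDs so the list can be replayed if the ownership change has to be undone. The function names `audit_orphans` and `restore_owners` and the numeric `uid:gid:path` list layout are assumptions; GNU find is required for `-printf`.

```shell
#!/bin/sh
# Added example, not from the original post. Names are hypothetical.

# List entries under $1 whose uid or gid has no passwd/group entry.
# %U and %G are always numeric, so each line can be replayed by chown later.
# Usage: audit_orphans /samba/dir1 > saved
audit_orphans() {
    find "$1" \( -nouser -o -nogroup \) -printf '%U:%G:%p\n'
}

# Replay a list written by audit_orphans ($1).
# Prints one line per entry for review; changes ownership only when $2 is
# "apply". Returns non-zero if any line is malformed or any chown fails.
# Limitation: file names containing a newline cannot be stored in this format.
restore_owners() {
    rc=0
    while IFS=: read -r uid gid path; do
        # Both ids must be non-empty and purely numeric.
        case "$uid:$gid" in
            *[!0-9:]*|:*|*:)
                echo "skip: malformed ids '$uid:$gid'" >&2
                rc=1
                continue ;;
        esac
        # Colons inside the path stay in $path (last variable of read).
        if [ -z "$path" ]; then
            echo "skip: empty path" >&2
            rc=1
            continue
        fi
        printf 'chown -h %s:%s -- %s\n' "$uid" "$gid" "$path"
        if [ "${2:-}" = apply ]; then
            # -h changes a symlink itself, never the file it points to,
            # so a link inside the share cannot redirect the change.
            chown -h "$uid:$gid" -- "$path" || rc=1
        fi
    done < "$1"
    return "$rc"
}
```

Run `restore_owners saved` first to review the planned changes, then `restore_owners saved apply` as root to put the recorded IDs back.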



