[Samba] domain member with winbind, slow smbcacls or smbclient listing
Zhuchenko Valery
zvn at belkam.com
Mon Nov 28 10:53:38 UTC 2016
Hi, all
Replacing the owner (when no user corresponds to the file's numeric
user ID) or the group (when no group corresponds to the file's
numeric group ID) solves the problem (partially).
Check the files before making changes and maybe save the results:
find "/samba/dir1" \( -nouser -or -nogroup \) -printf "%u:%g:%p\n">saved
Replacements (in my case; perhaps it is better to select another
owner and group):
find "/samba/dir1" -nouser -exec chown root "{}" \;
find "/samba/dir1" -nogroup -exec chgrp root "{}" \;
Or, if there is no opportunity to make changes, how can I tell winbindd to
read only periodically updated caches? I don't know how to do it.
Best regards,
Valery
28.11.2016 09:27, Zhuchenko Valery via samba:
> I think the reason is some file ACLs which contain a uid or gid that is
> absent in the domain.
>
> How can I make winbindd in this case not connect to the controller every
> time, but only periodically update data, using the parameters winbind
> cache time and idmap negative cache time?
>
> I think so because in logs I see these strings:
> ...host has no idea of uid ...
> ...Connected to LDAP server...
>
>
> [2016/11/27 15:02:01.120598, 4]
> ../source3/winbindd/winbindd_dual.c:1387(child_handler)
> child daemon request 59
> [2016/11/27 15:02:01.120859, 4]
> ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
> pdb_default_uid_to_sid: host has no idea of uid 3677
> [2016/11/27 15:02:01.122042, 4]
> ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
> ads_dc_name: domain=DOMAIN
> [2016/11/27 15:02:01.122161, 3]
> ../source3/libsmb/namequery.c:3133(get_dc_list)
> get_dc_list: preferred server list:....
> ..........
> [2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect)
> Successfully contacted LDAP server
> [2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect)
> Connected to LDAP server
>
>
> 24.11.2016 17:26, Zhuchenko Valery via samba:
>> Hi, all!
>>
>> When I launch (again and again)
>> smbcacls "//myfileserver/share" "" -U user -W domain
>> or
>> smbclient "//myfileserver/share" -U user -W domain -c "ls",
>> in the tcpdump output at myfileserver I see multiple calls to the
>> controller via LDAP; therefore these commands are executed slowly.
>>
>> When I run getent groups at myfileserver, everything works fine, and the
>> tcpdump output is empty.
>> Help me please, where am I wrong?
>>
>> Best regards, Valery.
>>
>> smbd -V
>> Version 4.2.10
>>
>> My winbind settings:
>> testparm -s |grep winbind
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind expand groups = 10
>> winbind refresh tickets = Yes
>>
>> security = ads
>> idmap config * : range = 16777216-33554431
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 100-20000
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>>
>> grep -r winbind /etc/pam.d
>> /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so
>> use_first_pass
>> /etc/pam.d/system-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so
>> use_authtok
>> /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so
>> use_first_pass
>> /etc/pam.d/password-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so
>> use_authtok
>>
>>
>>
>
>
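
Added example, not part of the original messages: a shell sketch that works on the "saved" file produced by the find command above, counting files per unmapped uid/gid (so a replacement owner can be chosen per ID) and printing quoted chown lines that restore the recorded ownership. The function names, the all-digit heuristic and the sample entries are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Input is the "saved" file in the thread's format:
#   find DIR \( -nouser -or -nogroup \) -printf "%u:%g:%p\n"
# find prints the numeric ID when no name maps to it, so an all-digit first
# or second field is treated as unmapped (assumption: no account name on the
# host is all digits). Paths containing newlines are not supported.

# summarize_orphans FILE: print "uid|gid ID COUNT" per unmapped ID.
summarize_orphans() {
    awk -F: '
        $1 ~ /^[0-9]+$/ { uid[$1]++ }
        $2 ~ /^[0-9]+$/ { gid[$2]++ }
        END {
            for (u in uid) print "uid", u, uid[u]
            for (g in gid) print "gid", g, gid[g]
        }' "$1" | LC_ALL=C sort -k1,1 -k2,2n
}

# rollback_commands FILE: print one quoted chown line per saved entry that
# restores the recorded owner and group. Review the output before running it.
# -h makes chown act on a symlink itself, which is what find reported.
rollback_commands() {
    while IFS= read -r line; do
        case $line in *:*:*) ;; *) continue ;; esac
        u=${line%%:*}; rest=${line#*:}
        g=${rest%%:*}; path=${rest#*:}
        # Escape embedded single quotes so the path survives re-parsing.
        q=$(printf '%s' "$path" | sed "s/'/'\\\\''/g")
        printf "chown -h -- '%s:%s' '%s'\n" "$u" "$g" "$q"
    done < "$1"
}

# Constructed sample data (uid 3677 is the one from the log excerpt;
# the names, gid 20001 and file names are made up).
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
3677:users:/samba/dir1/report.doc
3677:20001:/samba/dir1/old/a:b.txt
alice:20001:/samba/dir1/it's here.txt
EOF
    summarize_orphans "$f"
    rollback_commands "$f"
    rm -f "$f"
}
demo
```
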