[Samba] Slow, Incorrect Group Resolution through Winbind
Rowland Penny
rpenny at samba.org
Wed Sep 13 15:10:22 UTC 2017
On Wed, 13 Sep 2017 10:48:18 -0400
Rich Otero via samba <samba at lists.samba.org> wrote:
> Hello. I am observing some strange behavior on a Linux system that has
> joined a Windows Active Directory domain using the Samba suite. Our
> servers are based on Ubuntu v12.04 but have kernel v3.12.17 and Samba
> v4.3.6.
>
> The problem that I'm trying to understand is that group name
> resolution through Winbind occasionally fails. Here's an example
> where one group name could not be resolved. This causes "groups" to
> hang, presumably because it is waiting for Winbind to provide the
> name and Winbind is waiting for the domain controller:
>
> editshare at es-exp1:~$ time groups dwill627
> dwill627 : domain users _adsso_editors editors exp1-promos groups:
> cannot find name for group ID 16777230
> 16777230 KUTZTOWN\computeradministrativeaccessclassrooms allstudents
> KUTZTOWN\oitfs_software_r
> KUTZTOWN\computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real 1m21.472s
> user 0m0.064s
> sys 0m0.000s
>
> However, the user dwill627 is apparently not a member of the group
> with ID 16777230:
>
> editshare at es-exp1:~$ getent group 16777230
> KUTZTOWN\computeradministrativeaccesslabs:x:16777230:KUTZTOWN\techcreel,KUTZTOWN\techstamm,KUTZTOWN\techeben,KUTZTOWN\techjulian,KUTZTOWN\chemnmr,KUTZTOWN\librarypatron,KUTZTOWN\olympiad,KUTZTOWN\labprint
>
> I don't understand why there is this discrepancy.
>
> Here's the global configuration as reported by "testparm:"
>
> [global]
> workgroup = STUDENTS
> realm = STUDENTS.KUTZTOWN.EDU
> server string = es-exp1
> security = ADS
> password server = kustudc01.students.kutztown.edu,
> kustudc02.students.kutztown.edu
> smb passwd file = /var/cache/samba/smbpasswd
> passdb backend = smbpasswd
> restrict anonymous = 2
> log file = /var/log/samba/log.%I
> server max protocol = SMB2_22
> max protocol = SMB2_22
> protocol = SMB2_22
> max xmit = 65535
> unix extensions = No
> max open files = 32768
> socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> load printers = No
> printcap name = /dev/null
> machine password timeout = 0
> os level = 33
> dns proxy = No
> wins support = Yes
> ldap debug level = 1
> ldap debug threshold = 5
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template homedir = /home/%U
> template shell = /sbin/nologin
> winbind use default domain = Yes
> winbind expand groups = 1
> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> aio read size = 1
> aio write size = 1
> use sendfile = Yes
> include = /etc/samba/smb.0.0.0.0.conf
> wide links = Yes
>
Sorry but your smb.conf is borked, you seem to have a mixture of
deprecated settings combined with the new way of doing things, can I
suggest you go and read these wiki pages:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid
I feel I should also point out that both Ubuntu 12.04 and Samba 4.3.6 are
EOL.
Rowland
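
An added example, not part of the thread and not Samba project code: a small check over testparm-style output for the kind of mixture the reply describes. The reply does not name the settings, so this assumes the ones meant are `idmap uid`, `idmap gid` and `idmap backend` (deprecated per the smb.conf man page in favour of `idmap config * : ...`) and the per-domain `idmap config` block the linked wiki pages describe; the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the [global] parameters quoted in the post.
SAMPLE = """\
[global]
    workgroup = STUDENTS
    security = ADS
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap config * : range = 16777216-33554431
    idmap config * : backend = tdb
"""
# Assumption: these are the deprecated synonyms the reply refers to.
DEPRECATED = {"idmap uid", "idmap gid", "idmap backend"}
IDMAP_RE = re.compile(r"idmap config\s+(\S+?)\s*:")


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_idmap(text):
    """Return findings about the idmap-related settings in [global]."""
    params = parse_global(text)
    domains = {m.group(1).upper() for k in params if (m := IDMAP_RE.match(k))}
    findings = []
    old = sorted(DEPRECATED & params.keys())
    if old and domains:
        findings.append("deprecated %s mixed with 'idmap config'" % ", ".join(old))
    wg = params.get("workgroup", "").upper()
    if params.get("security", "").lower() == "ads" and wg and wg not in domains:
        findings.append("no 'idmap config %s' for the joined domain" % wg)
    return findings


if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE):
        print("WARN:", finding)
```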