[Samba] Slow, Incorrect Group Resolution through Winbind

Rich Otero rotero at editshare.com
Wed Sep 13 16:42:06 UTC 2017


Thanks for the help and suggestions.

I've removed the deprecated options "idmap uid" and "idmap gid" and
explicitly set "idmap config * : range" and "idmap config * : backend." New
output from testparm is at the end of this message. (But note that
previously I was only setting "idmap uid" and "idmap gid" in the
configuration files, not specifying the old and new options
simultaneously. The "idmap config" options were apparently implied since
they're favored over the deprecated options.)

Despite that, I still have the same problem:

editshare at es-exp1:~$ time groups dwill627
dwill627 : groups: cannot find name for group ID 131073
131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
computeradministrativeaccesslabs
KUTZTOWN\computeradministrativeaccessclassrooms
allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
computeradministrativeaccessconferencerooms KUTZTOWN\mediasiteviewonly pcns
kup-passpol-stu-temp editshareusers BUILTIN\users

real    3m56.156s
user    0m0.072s
sys     0m0.000s

editshare at es-exp1:~$ getent group 131073
editshare at es-exp1:~$ echo $?
2

Is it required to set "idmap config" for both the STUDENTS domain and all
other domains like so?

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config STUDENTS : backend = tdb
idmap config STUDENTS : range = 16777216-33554431

Or can I simply set only the catch-all configuration without setting it for
individual domains? This is how we have historically done it.

idmap config * : backend = tdb
idmap config * : range = 16777216-33554431

-----

amended config:

[global]
        workgroup = STUDENTS
        realm = STUDENTS.KUTZTOWN.EDU
        server string = es-exp1
        security = ADS
        password server = kustudc01.students.kutztown.edu kustudc02.students.kutztown.edu
        smb passwd file = /var/cache/samba/smbpasswd
        passdb backend = smbpasswd
        restrict anonymous = 2
        log file = /var/log/samba/log.%I
        server max protocol = SMB2_22
        max protocol = SMB2_22
        protocol = SMB2_22
        max xmit = 65535
        unix extensions = No
        max open files = 32768
        socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
        load printers = No
        printcap name = /dev/null
        machine password timeout = 0
        os level = 33
        dns proxy = No
        wins support = Yes
        ldap debug level = 1
        ldap debug threshold = 5
        template homedir = /home/%U
        template shell = /sbin/nologin
        winbind request timeout = 10
        winbind use default domain = Yes
        winbind expand groups = 1
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        aio read size = 1
        aio write size = 1
        use sendfile = Yes
        include = /etc/samba/smb.0.0.0.0.conf
        wide links = Yes

Regards,
Rich Otero
Technical Support and Professional Services
EditShare
rotero at editshare.com
617-782-0479

On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 13 Sep 2017 11:58:27 -0400
> Sonic <sonicsmith at gmail.com> wrote:
>
> > On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > > On Wed, 13 Sep 2017 11:18:59 -0400
> > > Sonic via samba <samba at lists.samba.org> wrote:
> > >
> > >> Should be more like:
> > >>          idmap config STUDENTS : range = 16777216-33554431
> > >>          idmap config STUDENTS : backend = tdb
> > >>
> > >> ...plus something like:
> > >>          idmap config * : range = 10000-20000
> > >>          idmap config * : backend = tdb
> > >> ... using a different range than configured for STUDENTS.
> > >>
> > >> Again "man smb.conf" is your friend.
> > >
> > > Obviously not, from the above ;-)
> > >
> > > I would expect something like:
> > >
> > >         idmap config * : backend = tdb
> > >         idmap config * : range = 3000-7999
> > >         idmap config STUDENTS : backend = rid
> > >         idmap config STUDENTS : range = 16777216-33554431
> > >
> >
> > Are you stating that only one assignment of tdb can be defined? I use
> > the rid backend for the domains that are hosted on another server but
> > wasn't sure whether or not multiple tdb backend assignments were
> > allowed. Although I've never tried it, the man page does not appear to
> > state that tdb cannot be used for multiple backends. But I'm reading
> > the man page for 4.7.0rc5 which may be different.
> >
> > Chris
>
> For the '*' domain you should only the tdb backend (note, you cannot
> use the rid backend).
>
> For the 'DOMAIN' domain you can use several different backends (rid, ad
> etc) but I wouldn't use the tdb backend, how are you going to be sure
> you will get the same IDs on all Unix machines ?
> If you use the 'rid' backend and the same range on all Unix machines,
> you will get the same IDs without having to add anything to AD.
>
> Rowland
>
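An added example, not from this thread or from the Samba project, that checks the idmap section of an smb.conf against the points raised above: it parses `idmap config <DOMAIN> : backend` and `: range` lines, verifies that the default '*' domain uses tdb (Rowland's point that rid cannot be used there), flags tdb on a named domain (IDs allocated per host will differ between machines) and overlapping ranges, and reports which configured range a given UNIX ID falls into. The sample configurations are constructed from the snippets in the thread; note that GID 131073 from the `groups` output above lies outside the single range 16777216-33554431 in the amended config, which is the kind of gap this check makes visible.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches lines such as "idmap config STUDENTS : range = 16777216-33554431".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample configs, taken from the snippets quoted in this thread.
AMENDED_CONF = """
[global]
        workgroup = STUDENTS
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
"""
SUGGESTED_CONF = """
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = rid
        idmap config STUDENTS : range = 16777216-33554431
"""
BOTH_TDB_CONF = """
        idmap config STUDENTS : range = 16777216-33554431
        idmap config STUDENTS : backend = tdb
        idmap config * : range = 10000-20000
        idmap config * : backend = tdb
"""
OVERLAP_CONF = """
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = rid
        idmap config STUDENTS : range = 5000-9999
"""


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect backend/range per idmap domain; '*' is the default domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["key"].lower()] = m["val"].lower()
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """'lo-hi' -> (lo, hi); raises ValueError on malformed input."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the idmap section passes."""
    problems: List[str] = []
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config * : ...' block, so BUILTIN and unknown-domain SIDs cannot be mapped")
    elif default.get("backend") != "tdb":
        problems.append(f"default domain '*' needs an allocating backend such as tdb, not {default.get('backend')!r}")
    ranges: List[Tuple[int, int, str]] = []
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range {cfg['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low end {lo} is not below high end {hi}")
        if dom != "*" and cfg.get("backend") == "tdb":
            problems.append(f"{dom}: tdb allocates IDs per host, so mappings will differ between machines")
        ranges.append((lo, hi, dom))
    # Adjacent ranges in sorted order are the only candidates for overlap.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


def domain_for_id(domains: Dict[str, Dict[str, str]], unix_id: int) -> Optional[str]:
    """Name of the idmap domain whose range contains unix_id, or None if no range does."""
    for dom, cfg in domains.items():
        if "range" not in cfg:
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            continue
        if lo <= unix_id <= hi:
            return dom
    return None


if __name__ == "__main__":
    for name, conf in [("amended", AMENDED_CONF), ("suggested", SUGGESTED_CONF),
                       ("both-tdb", BOTH_TDB_CONF), ("overlap", OVERLAP_CONF)]:
        parsed = parse_idmap(conf)
        print(f"{name}: problems={check_idmap(parsed)}; GID 131073 -> {domain_for_id(parsed, 131073)}")
```

Run it against a real file with `parse_idmap(open('/etc/samba/smb.conf').read())`; an ID that `getent group` cannot resolve and that `domain_for_id` reports as `None` points at the ranges rather than at winbind's connection to the DC.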
