[Samba] Slow, Incorrect Group Resolution through Winbind

Rowland Penny rpenny at samba.org
Wed Sep 13 17:01:14 UTC 2017


On Wed, 13 Sep 2017 12:42:06 -0400
Rich Otero <rotero at editshare.com> wrote:

> Thanks for the help and suggestions.
> 
> I've removed the deprecated options "idmap uid" and "idmap gid" and
> explicitly set "idmap config * : range" and "idmap config * :
> backend." New output from testparm is at the end of this message.
> (But note that previously I was only setting "idmap uid" and "idmap
> gid" in the configuration files, not specifying the old and new
> options simultaneously. The "idmap config" options were apparently
> implied since they're favored over the deprecated options.)
> 
> Despite that, I still have the same problem:
> 
> editshare at es-exp1:~$ time groups dwill627
> dwill627 : groups: cannot find name for group ID 131073
> 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> computeradministrativeaccesslabs
> KUTZTOWN\computeradministrativeaccessclassrooms
> allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
> 
> real    3m56.156s
> user    0m0.072s
> sys     0m0.000s
> 
> editshare at es-exp1:~$ getent group 131073
> editshare at es-exp1:~$ echo $?
> 2
> 
> Is it required to set "idmap config" for both the STUDENTS domain and
> all other domains like so?
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config STUDENTS : backend = tdb
> idmap config STUDENTS : range = 16777216-33554431

Yes

> 
> Or can I simply set only the catch-all configuration without setting
> it for individual domains? This is how we have historically done it.
> 
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431

This puts everything into the '*' domain and is wrong. 

> 
> -----
> 
> amended config:
> 
> [global]
>         workgroup = STUDENTS
>         realm = STUDENTS.KUTZTOWN.EDU
>         server string = es-exp1
>         security = ADS
>         password server = kustudc01.students.kutztown.edu
> kustudc02.students.kutztown.edu

Remove the next three lines

>         smb passwd file = /var/cache/samba/smbpasswd
>         passdb backend = smbpasswd
>         restrict anonymous = 2
>         log file = /var/log/samba/log.%I
>         server max protocol = SMB2_22
>         max protocol = SMB2_22
>         protocol = SMB2_22
>         max xmit = 65535
>         unix extensions = No
>         max open files = 32768
>         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
>         load printers = No
>         printcap name = /dev/null

Remove the next two lines; you do not need them.

>         machine password timeout = 0
>         os level = 33
>         dns proxy = No
>         wins support = Yes

Remove the next two lines; you do not need them.

>         ldap debug level = 1
>         ldap debug threshold = 5
>         template homedir = /home/%U
>         template shell = /sbin/nologin
>         winbind request timeout = 10
>         winbind use default domain = Yes
>         winbind expand groups = 1

You also need the 'DOMAIN' lines; set these to the range below.
Then change the line below to a different range that does not overlap.

>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = tdb
>         aio read size = 1
>         aio write size = 1
>         use sendfile = Yes
>         include = /etc/samba/smb.0.0.0.0.conf
>         wide links = Yes
> 

Rowland
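The two rules in the reply above (the joined domain needs its own 'idmap config DOMAIN : range' line so its users do not land in the '*' range, and no two ranges may overlap) can be checked mechanically before winbind is restarted. The script below is an added example, not code from this thread or from Samba; it takes the smb.conf text as a string argument, and the three config fragments at the bottom are constructed to show the '*'-only layout, an overlapping layout, and the corrected layout.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check the idmap
# layout of an smb.conf. Config text is passed as a string, not read from
# /etc/samba, so the script runs stand-alone.

# Print "DOMAIN lo hi" for every "idmap config DOMAIN : range = lo-hi" line.
idmap_ranges() {
  printf '%s\n' "$1" | awk -F'=' '
    tolower($1) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*$/ {
      split($1, k, ":"); dom = k[1]
      sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", dom); sub(/[ \t]+$/, "", dom)
      split($2, r, "-"); gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
      print dom, r[1], r[2]
    }'
}

# Print the value of the "workgroup = ..." line (the short domain name).
workgroup_of() {
  printf '%s\n' "$1" | awk -F'=' '
    tolower($1) ~ /^[ \t]*workgroup[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Return 0 when the idmap layout is sane, 1 otherwise (reason on stdout).
check_idmap() {
  local conf wg ranges
  conf=$1
  wg=$(workgroup_of "$conf")
  [ -n "$wg" ] || { echo "no workgroup line"; return 1; }
  ranges=$(idmap_ranges "$conf")
  # Rule 1: the workgroup domain must have its own range line.
  if ! printf '%s\n' "$ranges" | awk -v wg="$wg" '
        $1 == wg { found = 1 } END { exit (found ? 0 : 1) }'; then
    echo "missing: idmap config $wg : range (its users would fall into the '*' range)"
    return 1
  fi
  # Rule 2: no two ranges may overlap (numeric comparison, hence the +0).
  printf '%s\n' "$ranges" | awk '
    { d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
    END {
      for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
          printf "overlap: %s (%s-%s) and %s (%s-%s)\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
          bad = 1
        }
      exit (bad ? 1 : 0)
    }'
}

# Constructed fragments for illustration (not the poster's actual files).
# '*'-only layout: the joined domain has no range of its own.
WRONG_CONF='[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 16777216-33554431'

# DOMAIN line present, but the '*' range overlaps it.
OVERLAP_CONF='[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 3000-20000000
        idmap config STUDENTS : backend = tdb
        idmap config STUDENTS : range = 16777216-33554431'

# DOMAIN line present and a separate, non-overlapping '*' range.
FIXED_CONF='[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = tdb
        idmap config STUDENTS : range = 16777216-33554431'

for name in WRONG_CONF OVERLAP_CONF FIXED_CONF; do
  eval "conf=\$$name"
  if check_idmap "$conf"; then echo "$name: ok"; else echo "$name: rejected"; fi
done
```

The check is deliberately independent of the backend: it only looks at the range lines, which is where the '*'-only and overlapping layouts go wrong. Run it against the real file with `check_idmap "$(cat /etc/samba/smb.conf)"` before restarting winbind; it does not replace `testparm`, which still validates everything else.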