[Samba] Slow, Incorrect Group Resolution through Winbind
Rowland Penny
rpenny at samba.org
Wed Sep 13 17:01:14 UTC 2017
On Wed, 13 Sep 2017 12:42:06 -0400
Rich Otero <rotero at editshare.com> wrote:
> Thanks for the help and suggestions.
>
> I've removed the deprecated options "idmap uid" and "idmap gid" and
> explicitly set "idmap config * : range" and "idmap config * :
> backend." New output from testparm is at the end of this message.
> (But note that previously I was only setting "idmap uid" and "idmap
> gid" in the configuration files, not specifying the old and new
> options simultaneously. The "idmap config" options were apparently
> implied since they're favored over the deprecated options.)
>
> Despite that, I still have the same problem:
>
> editshare@es-exp1:~$ time groups dwill627
> dwill627 : groups: cannot find name for group ID 131073
> 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> computeradministrativeaccesslabs
> KUTZTOWN\computeradministrativeaccessclassrooms
> allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real 3m56.156s
> user 0m0.072s
> sys 0m0.000s
>
> editshare@es-exp1:~$ getent group 131073
> editshare@es-exp1:~$ echo $?
> 2
>
> Is it required to set "idmap config" for both the STUDENTS domain and
> all other domains like so?
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config STUDENTS : backend = tdb
> idmap config STUDENTS : range = 16777216-33554431
Yes
>
> Or can I simply set only the catch-all configuration without setting
> it for individual domains? This is how we have historically done it.
>
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431
This puts everything into the '*' domain and is wrong.
>
> -----
>
> amended config:
>
> [global]
> workgroup = STUDENTS
> realm = STUDENTS.KUTZTOWN.EDU
> server string = es-exp1
> security = ADS
> password server = kustudc01.students.kutztown.edu
> kustudc02.students.kutztown.edu
Remove the next three lines
> smb passwd file = /var/cache/samba/smbpasswd
> passdb backend = smbpasswd
> restrict anonymous = 2
> log file = /var/log/samba/log.%I
> server max protocol = SMB2_22
> max protocol = SMB2_22
> protocol = SMB2_22
> max xmit = 65535
> unix extensions = No
> max open files = 32768
> socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> load printers = No
> printcap name = /dev/null
Remove the next two lines; you do not need them.
> machine password timeout = 0
> os level = 33
> dns proxy = No
> wins support = Yes
Remove the next two lines; you do not need them.
> ldap debug level = 1
> ldap debug threshold = 5
> template homedir = /home/%U
> template shell = /sbin/nologin
> winbind request timeout = 10
> winbind use default domain = Yes
> winbind expand groups = 1
You also need the 'DOMAIN' lines; set these to the range below,
then change the line below to a different range that does not overlap.
> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> aio read size = 1
> aio write size = 1
> use sendfile = Yes
> include = /etc/samba/smb.0.0.0.0.conf
> wide links = Yes
>
Rowland
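
A check for the idmap layout discussed in this message, as an added example (not part of the original e-mail and not Samba code): it reads smb.conf text and reports a workgroup with no "idmap config" lines of its own, overlapping ranges, and the deprecated "idmap uid"/"idmap gid" options. The name `check_idmap` and the two sample configs are assumptions, built from the values quoted above.

```python
import re
from itertools import combinations

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
DEPRECATED_RE = re.compile(r"^\s*(idmap [ug]id)\s*=", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

# Constructed samples using the values quoted in the thread.
CATCH_ALL = """workgroup = STUDENTS
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
"""
PER_DOMAIN = """workgroup = STUDENTS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config STUDENTS : backend = tdb
idmap config STUDENTS : range = 16777216-33554431
"""

def check_idmap(conf_text):
    """Return a list of findings for the idmap settings in smb.conf text."""
    domains, findings, workgroup = {}, [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):      # smb.conf comment lines
            continue
        if m := DEPRECATED_RE.match(line):
            findings.append(f"deprecated option '{m.group(1).lower()}'")
        elif m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    ranges = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not r or int(r.group(1)) > int(r.group(2)):
            findings.append(f"{dom}: missing or malformed range")
        else:
            ranges[dom] = (int(r.group(1)), int(r.group(2)))
    if "*" not in domains:
        findings.append("no default 'idmap config *' section")
    if workgroup and workgroup not in domains:
        findings.append(f"{workgroup}: workgroup has no idmap config of its own")
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:         # inclusive interval overlap
            findings.append(f"{a} and {b}: ranges overlap")
    return findings
```

`check_idmap(CATCH_ALL)` flags the catch-all-only layout, while `check_idmap(PER_DOMAIN)` returns an empty list.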