[Samba] Slow, Incorrect Group Resolution through Winbind

Rich Otero rotero at editshare.com
Wed Sep 13 18:10:48 UTC 2017


>
> > Is it required to set "idmap config" for both the STUDENTS domain and
> > all other domains like so?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = tdb
> > idmap config STUDENTS : range = 16777216-33554431
> Yes


> > Or can I simply set only the catch-all configuration without setting
> > it for individual domains? This is how we have historically done it.
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 16777216-33554431
> This puts everything into the '*' domain and is wrong.


Perhaps this is another place where the description in the manual could be
clearer. My reading of it is that the configuration for the * domain
applies to all domains that have not been explicitly configured (which is
the way I thought I was using it).

> Remove the next three lines
> >         smb passwd file = /var/cache/samba/smbpasswd
> >         passdb backend = smbpasswd


I don't understand this suggestion. What if I have non-domain users who are
stored in passdb? (I do.)

> >         restrict anonymous = 2


This doesn't make sense to me either. What does it have to do with
Winbind's interaction with AD? We set this option because automated network
security audits such as Qualys consider allowing anonymous connections to
be a vulnerability and nothing that we do relies on anonymous connections
to Samba anyway.

> remove the next two lines, you do not need them.
> >         machine password timeout = 0


We set "machine password timeout" to 0 because we have some systems where
Samba must run with the same configuration on two highly available nodes.
Therefore, we disable periodically changing the machine password and we
ensure that both nodes have the same stored password by periodically
synchronizing the secrets file from the primary node to the secondary node.

> >         os level = 33

Our product can consist of multiple independent Samba servers in a group.
Within the group, there can be one "master" server and many "auxiliary"
servers. On masters, we raise "os level" to 65 and on auxiliaries, we lower
it to 33 so that only the master is capable of becoming the local master
browser. I don't understand how this is related to AD integration.

> remove the next two lines, you do not need them.
> >         ldap debug level = 1
> >         ldap debug threshold = 5


I had set these so that I could see more detailed messages about the LDAP
calls. How does this contribute to the problem I am trying to solve?

Regards,
Rich Otero
Technical Support and Professional Services
EditShare
rotero at editshare.com
617-782-0479

On Wed, Sep 13, 2017 at 1:01 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 13 Sep 2017 12:42:06 -0400
> Rich Otero <rotero at editshare.com> wrote:
>
> > Thanks for the help and suggestions.
> >
> > I've removed the deprecated options "idmap uid" and "idmap gid" and
> > explicitly set "idmap config * : range" and "idmap config * :
> > backend." New output from testparm is at the end of this message.
> > (But note that previously I was only setting "idmap uid" and "idmap
> > gid" in the configuration files, not specifying the old and new
> > options simultaneously. The "idmap config" options were apparently
> > implied since they're favored over the deprecated options.)
> >
> > Despite that, I still have the same problem:
> >
> > editshare@es-exp1:~$ time groups dwill627
> > dwill627 : groups: cannot find name for group ID 131073
> > 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> > computeradministrativeaccesslabs
> > KUTZTOWN\computeradministrativeaccessclassrooms
> > allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> > computeradministrativeaccessconferencerooms
> > KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> > BUILTIN\users
> >
> > real    3m56.156s
> > user    0m0.072s
> > sys     0m0.000s
> >
> > editshare@es-exp1:~$ getent group 131073
> > editshare at es-exp1:~$ echo $?
> > 2
> >
> > Is it required to set "idmap config" for both the STUDENTS domain and
> > all other domains like so?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = tdb
> > idmap config STUDENTS : range = 16777216-33554431
>
> Yes
>
> >
> > Or can I simply set only the catch-all configuration without setting
> > it for individual domains? This is how we have historically done it.
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 16777216-33554431
>
> This puts everything into the '*' domain and is wrong.
>
> >
> > -----
> >
> > amended config:
> >
> > [global]
> >         workgroup = STUDENTS
> >         realm = STUDENTS.KUTZTOWN.EDU
> >         server string = es-exp1
> >         security = ADS
> >         password server = kustudc01.students.kutztown.edu
> > kustudc02.students.kutztown.edu
>
> Remove the next three lines
>
> >         smb passwd file = /var/cache/samba/smbpasswd
> >         passdb backend = smbpasswd
> >         restrict anonymous = 2
> >         log file = /var/log/samba/log.%I
> >         server max protocol = SMB2_22
> >         max protocol = SMB2_22
> >         protocol = SMB2_22
> >         max xmit = 65535
> >         unix extensions = No
> >         max open files = 32768
> >         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> >         load printers = No
> >         printcap name = /dev/null
>
> remove the next two lines, you do not need them.
>
> >         machine password timeout = 0
> >         os level = 33
> >         dns proxy = No
> >         wins support = Yes
>
> remove the next two lines, you do not need them.
>
> >         ldap debug level = 1
> >         ldap debug threshold = 5
> >         template homedir = /home/%U
> >         template shell = /sbin/nologin
> >         winbind request timeout = 10
> >         winbind use default domain = Yes
> >         winbind expand groups = 1
>
> You also need the 'DOMAIN' lines; set these to the range below,
> then change the line below to a different range that does not overlap.
>
> >         idmap config * : range = 16777216-33554431
> >         idmap config * : backend = tdb
> >         aio read size = 1
> >         aio write size = 1
> >         use sendfile = Yes
> >         include = /etc/samba/smb.0.0.0.0.conf
> >         wide links = Yes
> >
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
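As an added example (not code from this thread or from the Samba project), here is a small Python checker that encodes the idmap layout Rowland describes above: the domain winbind serves needs its own `idmap config DOMAIN : backend` and `idmap config DOMAIN : range` lines, the `*` default domain needs its own range, and no two ranges may overlap. The smb.conf fragments below are constructed from the configurations quoted in the thread (the "catch-all only" layout, the corrected layout with a separate STUDENTS range, and an overlapping variant); the function and constant names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Matches lines such as "idmap config STUDENTS : range = 16777216-33554431"
# or "idmap config * : backend = tdb" (smb.conf keys are case-insensitive).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: only the catch-all '*' domain is configured (the
# "how we have historically done it" layout from the thread).
WRONG_CONF = """[global]
        workgroup = STUDENTS
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
"""

# Constructed sample: STUDENTS has its own range and '*' has a separate one.
FIXED_CONF = """[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = tdb
        idmap config STUDENTS : range = 16777216-33554431
"""

# Constructed sample: both domains configured, but the ranges overlap.
OVERLAP_CONF = """[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = tdb
        idmap config STUDENTS : range = 7000-9999
"""


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config options of each domain from smb.conf text."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a pair of ints, rejecting malformed values."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"malformed range {text!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"range {text!r} has low > high")
    return lo, hi


def check_idmap(conf: str, domain: str) -> List[str]:
    """Return the problems found; an empty list means the layout follows the thread's advice."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    domain = domain.upper()
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' (default domain) lines")
    if domain not in cfg:
        problems.append(
            f"no 'idmap config {domain} : ...' lines; {domain} falls into the '*' domain"
        )
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend set")
        if "range" not in opts:
            problems.append(f"{dom}: no range set")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Pairwise overlap check: two closed intervals overlap when each starts
    # before the other ends.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("wrong", WRONG_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf, "STUDENTS") or "ok")
```

In practice the text to check would be the output of `testparm -s` rather than a hand-written string, so that defaults and included files are already resolved. The overlap check is the security-relevant part: if the `*` range and a domain range share numbers, two different SIDs can be allocated the same UID or GID, and file ownership and ACL checks no longer correspond to the intended account.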