[Samba] Slow, Incorrect Group Resolution through Winbind

Rowland Penny rpenny at samba.org
Wed Sep 13 18:47:07 UTC 2017


On Wed, 13 Sep 2017 14:10:48 -0400
Rich Otero <rotero at editshare.com> wrote:

> Perhaps this is another place where the description in the manual
> could be clearer. My reading of it is that the configuration for the
> * domain applies to all domains that have not been explicitly
> configured (which is the way I thought I was using it).

Yes, but how do you know which domain is which?

> 
> Remove the next three lines
> > >         smb passwd file = /var/cache/samba/smbpasswd
> > >         passdb backend = smbpasswd
> 
> 
> I don't understand this suggestion. What if I have non-domain users
> who are stored in passdb? (I do.)

Because smbpasswd is deprecated by the now default tdbsam and if
you remove those lines, you will start to use the default.

> 
> >         restrict anonymous = 2
> 
> 
> This doesn't make sense to me either. What does it have to do with
> Winbind's interaction with AD? We set this option because automated
> network security audits such as Qualys consider allowing anonymous
> connections to be a vulnerability and nothing that we do relies on
> anonymous connections to Samba anyway.

I would remove it because it can break some applications.

> 
> remove the next two lines, you do not need them.
> > >         machine password timeout = 0
> 
> 
> We set "machine password timeout" to 0 because we have some systems
> where Samba must run with the same configuration on two highly
> available nodes. Therefore, we disable periodically changing the
> machine password and we ensure that both nodes have the same stored
> password by periodically synchronizing the secrets file from the
> primary node to the secondary node.

I cannot recommend doing this, you should have different passwords for
each machine.
 
> 
> >         os level = 33
> 
> Our product can consist of multiple independent Samba servers in a
> group. Within the group, there can be one "master" server and many
> "auxiliary" servers. On masters, we raise "os level" to 65 and on
> auxiliaries, we lower it to 33 so that only the master is capable of
> becoming the local master browser. I don't understand how this is
> related to AD integration.

Because even if this line was 254 it wouldn't win an election with an
AD DC, so why bother.

> 
> remove the next two lines, you do not need them.
> > >         ldap debug level = 1
> > >         ldap debug threshold = 5
> 
> 
> I had set these so that I could see more detailed messages about the
> LDAP calls. How does this contribute to the problem I am trying to
> solve?

They probably don't, but they shouldn't be there on a Unix domain
member.

All I can say is, I do not and never will set up a Unix domain member
in the way you have. I also do not have any of the problems you are
having, but it is your computer, so set it up how you like.

Rowland

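For reference, an added smb.conf fragment (not from the original thread, and not Samba's own documentation) showing a Unix domain member with the lines questioned in the reply above left out: no smbpasswd settings (so the default tdbsam backend holds any local non-domain users), no "restrict anonymous", "machine password timeout" left at its default, and no "os level" or "ldap debug" options. The realm, workgroup and idmap ranges are placeholders. The explicit idmap block for the joined domain next to the "*" block is what the "which domain is which" point comes down to: "*" only covers domains that are not configured by name.

```ini
# Added example: a minimal Unix domain member smb.conf with the
# settings questioned in the reply above removed. Realm, workgroup
# and idmap ranges are placeholders, not values from the thread.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    # No "passdb backend = smbpasswd" / "smb passwd file": the default
    # tdbsam backend is used for any local (non-domain) Samba users.

    # No "machine password timeout = 0": the machine account password
    # is rotated on the default schedule, and each host keeps its own.

    # No "os level": browser elections are irrelevant against an AD DC.
    # No "ldap debug level" / "ldap debug threshold": not used on a
    # domain member that reaches AD through winbind.
    # No "restrict anonymous": left at the default so clients that
    # still rely on an anonymous session setup are not broken.

    # The "*" block covers every domain NOT configured by name below
    # (trusted domains, BUILTIN). The named block covers the joined
    # domain; that is how winbind knows which domain is which.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U
```

After editing, `testparm -s` prints the effective configuration and warns about unknown or deprecated parameters before winbind is restarted; a second "idmap config DOMAIN" block is needed for every trusted domain that should get stable IDs rather than fall into the "*" range.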