[Samba] Windows 10 Office 2016 slow accessing samba network shares
Rowland Penny
rpenny at samba.org
Fri Jun 22 07:44:58 UTC 2018
On Thu, 21 Jun 2018 19:52:34 +0000
Daulton Theodore <DaultonTheodore at Cunet.Carleton.Ca> wrote:
> Hi Rowland,
>
> You responded to my post quite a while ago. I am still chasing a
> resolution to this issue. You mentioned that I had all but the idmap
> config lines in the smb.conf file. I am not familiar with idmap and a
> bit hesitant to experiment on my production server. Before I proceed
> I hope you will not mind if I asked a couple of questions. Would the
> following settings be sufficient:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # idmap config for the SAMDOM domain
> idmap config MY_DOMAIN:backend = ad
> idmap config MY_DOMAIN:schema_mode = rfc2307
> idmap config MY_DOMAIN:range = 10000-999999
>
> Do I need the following?
> idmap config MY_DOMAIN:unix_nss_info = yes
>
> I am using the username map option to map the unix names to AD names.

First STOP doing this, you should only map the Windows 'Administrator'
to the Unix user 'root' in the username map.

You do not need Unix users on a Unix domain member, you just make your
Windows users into Unix users.

> Home directories reside on the Unix server, not in Active Directory.
> Do I need: idmap config MY_DOMAIN:unix_primary_group = yes
>
> Thanks in advance for your help.
>

You need to answer some questions first ;-)

Have you added any uidNumber & gidNumber attributes to your users &
groups in AD?

If you have, are they inside the '10000-999999' range?

NOTE: Domain Users MUST have a gidNumber

If all the above is true, you can use the winbind 'ad' backend.

If it isn't and/or you don't want to add anything to AD, you can use
the winbind 'rid' backend.

If you are using the 'ad' backend, there is a further sub-question:
what version of Samba are you using?

Up to Samba version 4.6.0, you would use these lines:

    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

From 4.6.0, it changes to this:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes

With these lines, all the available users' info will be extracted from
AD and the user's Unix primary group would be Domain Users.

From 4.6.0, you can also add this line:

    idmap config SAMDOM : unix_primary_group = yes

With this line, the user's Unix primary group will be set to the
group set in the user's gidNumber attribute. If this is not present or
is incorrect, it will fall back to Domain Users.

The 'rid' backend is very similar, you just don't add anything to AD:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

This will obtain the user or group IDs from AD; these IDs are
calculated from the Windows RID using the lower DOMAIN range.

It will not obtain the user's homedir and shell from AD, so you need to
set them with template lines similar to these:

    template shell = /bin/bash
    template homedir = /home/%U

You can also use these lines with the 'ad' backend, where they will
override what is stored in AD.

Rowland
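
The range checks and the 'rid' calculation described in the message above, as an added example that is not part of the original post or of Samba's own code. It assumes the formula from the idmap_rid manual page (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0) and that idmap ranges must not overlap; the function names and the user RID 1104 are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the 'rid' backend lines quoted in the message above.
SAMPLE_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue  # comments and unrelated parameters
        domain, option, value = m.groups()
        if option.lower() == "range":
            low, high = (int(part) for part in value.split("-"))
            value = (low, high)
        domains.setdefault(domain, {})[option.lower()] = value
    return domains

def overlapping_ranges(domains):
    """Return pairs of domains whose ID ranges overlap; ranges must be disjoint."""
    ranged = [(name, opts["range"]) for name, opts in domains.items() if "range" in opts]
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2)
            if alo <= bhi and blo <= ahi]

def in_range(id_number, id_range):
    """'ad' backend check: is a uidNumber/gidNumber inside the domain range?"""
    low, high = id_range
    return low <= id_number <= high

def rid_to_unix_id(rid, id_range, base_rid=0):
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, or None if out of range."""
    unix_id = rid - base_rid + id_range[0]
    return unix_id if in_range(unix_id, id_range) else None

if __name__ == "__main__":
    conf = parse_idmap(SAMPLE_CONF)
    print("overlaps:", overlapping_ranges(conf))
    # 513 is the well-known RID of Domain Users; 1104 is a constructed user RID.
    for rid in (513, 1104):
        print(rid, "->", rid_to_unix_id(rid, conf["SAMDOM"]["range"]))
```

A uidNumber or gidNumber for which `in_range` returns False is one the 'ad' backend cannot use with that range, which is the point behind the question about whether the AD attributes fall inside '10000-999999'.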