[Samba] Winbind timeouts/hangs(?)
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 22 14:44:57 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Heiko Wundram via samba
> Sent: Thursday 22 August 2019 16:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind timeouts/hangs(?)
>
> On 22.08.2019 15:31, Rowland penny via samba wrote:
> > Sorry, but you cannot rely on the output of 'id' to identify your
> > users group memberships. Having said that, I wouldn't have thought it
> > would take 60 secs to do nothing ;-)
>
> That's clear and I know, but I can rely on login sessions to have the
> correct groups when Kerberos has completed. That's what this (and also
> recursive group membership) is about; it's a shared directory which is
> used by several users to store files which are then hosted by an Apache
> webserver (with the directory in question having g+s, and default ACLs
> for a shared group). So, yeah, I do know the limitations of winbind. ;-)
>
> > Please post your smb.conf.
>
> Anyway, here goes:
>
> [global]
> security = ADS
> workgroup = <wg>
wg = <WG>
> realm = <domain>
!!!!
realm = <REALM>
realm is not <domain>
!!!!
>
> idmap config * : backend = tdb
> idmap config * : range = 60001-65000
>
> idmap config <wg> : backend = rid
> idmap config <wg> : range = 65001-100000
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum users = yes
> winbind enum groups = yes
Set the 2 enum to no.
> allow trusted domains = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> client signing = auto
> server signing = auto
Remove these 2
>
> bind interfaces only = yes
> interfaces = lo eth0
>
> So, nothing out of the ordinary; I've replaced workgroup and domain by
> placeholders.
>
> krb5.conf is set up as follows:
>
> [libdefaults]
> default_realm = <domain>
!!!!
realm = <REALM>
realm is not <domain>
!!!!
> ticket_lifetime = 1d
> clockskew = 300
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> <domain> = {
> auth_to_local = RULE:[1:<wg>\$1]
> }
>
> with the same placeholders.
>
> Thanks for any hints!
>
> --
> --- Heiko.
>
I really advise keeping some parts CAPS, not caps, correct.
So in smb.conf
Netbios = IN-CAPS
Workgroup = IN-CAPS
REALM = IN-CAPS
dns-domain = no-caps
dns-search = no-caps
Small things but these small things help a lot!
Greetz,
Louis