[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba

Rowland Penny rpenny at samba.org
Fri Aug 30 17:52:30 UTC 2019


On 30/08/2019 18:15, David Walling wrote:
> /etc/samba/user_and_group_map.txt contains Windows username/group to 
> linux username/group mappings.  In our setup, all users exist in ldap, 
> as do the directory groups, but the linux user and group information 
> (namely uid/gid) do not.  This has been set up such that the users 
> connect to samba as the windows username (ex. PRODUCTION+user1) for an 
> authorized group (PRODUCTION+group1), but the files and permissions on 
> the linux samba server are created and managed with the appropriate 
> uid/gids.
>
> Example:
>
> linuxuser=PRODUCTION+windowsuser
> G-234=PRODUCTION+directorygroup
>
> I do not believe we are using sssd, but are using winbind.  It's quite 
> possible we don't have this set up optimally, but this setup does work 
> as needed, outside of these occasional crash/unresponsive states.
>
> Thanks!
>
> David W.

Why are you doing this?

Why not just have everything in AD?

Using AD would allow Windows users & groups to become Unix users and groups.

e.g. 'getent passwd rowland' gives me:


rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash


'rowland' is only in AD and nowhere else


Try using this smb.conf:


[global]
         workgroup = PRODUCTION
         security = ADS
         realm = PRODUCTION.REDACTED.ORG
         netbios name = service-samba4

         idmap config *:backend = tdb
         idmap config *:range = 3000-7999
         idmap config PRODUCTION : backend = rid
         idmap config PRODUCTION : range = 100000-200000

         bind interfaces only = yes
         # change eth0 to your network device
         interfaces = eth0
         preferred master = no
         winbind separator = +
         max log size = 20000
         log level = 1 smbd:10
         log file = /var/log/samba/log.%m
         dns proxy = no

         username map = /etc/samba/user.map

         # ACL Settings
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

         # Multichannel
         aio read size = 0
         aio write size = 0

         # Prevent zombie processes
         deadtime = 15
         csc policy = disable

[share1]
         path = /samba/share1
         read only = no
         inherit acls = yes
         inherit permissions = yes
         create mask = 700
         directory mask = 700
         valid users = @"G-817803"
         hosts allow =  redacted


and create /etc/samba/user.map with just this content:


!root = PRODUCTION\Administrator


Restart nmbd, smbd and winbind and run:


getent passwd 'PRODUCTION\A_VALID_USERNAME'


Rowland




