[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
Rowland penny
rpenny at samba.org
Fri Aug 30 17:52:30 UTC 2019
On 30/08/2019 18:15, David Walling wrote:
> /etc/samba/user_and_group_map.txt contains Windows username/group to
> linux username/group mappings. In our setup, all users exist in ldap,
> as do the directory groups, but the linux user and group information
> (namely uid/gid) do not. This has been setup such that the users
> connect to samba as the windows username (ex. PRODUCTION+user1) for an
> authroized group (PRODUCTION+group1), but the files and permissions on
> the linux samba server are created and managed with the appropriate
> uid/gids.
>
> Example:
>
> linuxuser=PRODUCTION+windowsuser
> G-234=PRODUCTION+directorygroup
>
> I do not believe we are using sssd, but are using winbind. It's quite
> possible we don't have this setup optimally, but this setup does work
> as needed, outside of these occasional crash/unresponsive states.
>
> Thanks!
>
> David W.
Why are you doing this?
Why not just have everything in AD?
Using AD would allow Windows users & groups to become Unix users and groups
e.g. 'getent passwd rowland' gives me:
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
'rowland' is only in AD and nowhere else
Try using this smb.conf:
[global]
workgroup = PRODUCTION
security = ADS
realm = PRODUCTION.REDACTED.ORG
netbios name = service-samba4
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config PRODUCTION : backend = rid
idmap config PRODUCTION : range = 100000-200000
bind interfaces only = yes
# change eth0 to your network device (smb.conf has no inline comments)
interfaces = eth0
preferred master = no
winbind separator = +
max log size = 20000
log level = 1 smbd:10
log file = /var/log/samba/log.%m
dns proxy = no
username map = /etc/samba/user.map
# ACL Settings
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Multichannel
aio read size = 0
aio write size = 0
# Prevent zombie processes
deadtime = 15
csc policy = disable
[share1]
path = /samba/share1
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"G-817803"
hosts allow = redacted
and create /etc/samba/user.map with just this content:
!root = PRODUCTION\Administrator
Restart nmbd, smbd and winbind and run:
getent passwd PRODUCTION+A_VALID_USERNAME
Rowland