[Samba] winbind causing huge timeouts/delays since 4.8

Alexander Spannagel aspannagel at gmx.de
Fri Feb 22 15:40:46 UTC 2019 

Am 22.02.19 um 15:42 schrieb Rowland Penny via samba:
> On Fri, 22 Feb 2019 15:35:53 +0100
> Ralph Böhme via samba <samba at lists.samba.org> wrote:
> 
>> Hi,
>>
>> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
>> samba wrote:
s.
>>
>> hm, can't reproduce:
>>
>> slow at titan:~/git/samba/scratch$ git describe
>> samba-4.8.3
>>
>> slow at titan:~/git/samba/scratch$ sudo bin/net cache flush
>>
>> slow at titan:~/git/samba/scratch$ time bin/wbinfo -i foo
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user foo
>>
>> real    0m0.025s
>> user    0m0.004s
>> sys     0m0.004s
>>
>> Can you share your full smb.conf?

Here is the extraction of the global section from our smb.conf:
[root at centos7dev64 ~]# testparm --section-name=global 2>/dev/null < 
/dev/null
# Global parameters
[global]
         dedicated keytab file = /etc/krb5.keytab
         disable spoolss = Yes
         domain master = No
         kerberos method = secrets and keytab
         ldap connection timeout = 10
         ldap timeout = 30
         load printers = No
         local master = No
         log file = /var/log/samba/log.%m
         max log size = 0
         os level = 0
         printcap name = /dev/null
         realm = OPS.GLOBAL.AD
         security = ADS
         server signing = required
         server string = FTP Samba Server
         show add printer wizard = No
         template shell = /bin/bash
         username map = /etc/samba/user.map
         winbind refresh tickets = Yes
         winbind separator = +
         workgroup = OPS
         idmap config * : rangesize = 1000000
         idmap config * : range = 1000000-19999999
         idmap config * : backend = autorid
         map acl inherit = Yes
         printing = bsd
         store dos attributes = Yes
         vfs objects = acl_xattr full_audit recycle extd_audit>>

> 
> You might also want to explain why you are using sssd's cache with
> winbind.

We are running a mixed environment and use sssd for authentication 
against our unix ldap directory on all our unix servers. On a group of 
servers we need to provide smb shares to windows clients/servers and 
dedicated uid/gid mapping for windows users and groups.

Our default setup in nsswitch.conf regarding passwd/shadow/groups looks 
like:
passwd:     files sss
shadow:     files sss
group:      files sss

And on the servers running samba:
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

As mentioned it worked till the update from samba 4.7 to 4.8. The sssd 
is used for ldap and not AD authentication.

Alex

More information about the samba mailing list