[Samba] winbind causing huge timeouts/delays since 4.8
Alexander Spannagel
aspannagel at gmx.de
Fri Feb 22 15:40:46 UTC 2019
On 22.02.19 at 15:42, Rowland Penny via samba wrote:
> On Fri, 22 Feb 2019 15:35:53 +0100
> Ralph Böhme via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
>> samba wrote:
>>
>> hm, can't reproduce:
>>
>> slow@titan:~/git/samba/scratch$ git describe
>> samba-4.8.3
>>
>> slow@titan:~/git/samba/scratch$ sudo bin/net cache flush
>>
>> slow@titan:~/git/samba/scratch$ time bin/wbinfo -i foo
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user foo
>>
>> real 0m0.025s
>> user 0m0.004s
>> sys 0m0.004s
>>
>> Can you share your full smb.conf?
Here is the extraction of the global section from our smb.conf:
[root@centos7dev64 ~]# testparm --section-name=global 2>/dev/null < /dev/null
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
domain master = No
kerberos method = secrets and keytab
ldap connection timeout = 10
ldap timeout = 30
load printers = No
local master = No
log file = /var/log/samba/log.%m
max log size = 0
os level = 0
printcap name = /dev/null
realm = OPS.GLOBAL.AD
security = ADS
server signing = required
server string = FTP Samba Server
show add printer wizard = No
template shell = /bin/bash
username map = /etc/samba/user.map
winbind refresh tickets = Yes
winbind separator = +
workgroup = OPS
idmap config * : rangesize = 1000000
idmap config * : range = 1000000-19999999
idmap config * : backend = autorid
map acl inherit = Yes
printing = bsd
store dos attributes = Yes
vfs objects = acl_xattr full_audit recycle extd_audit
>
> You might also want to explain why you are using sssd's cache with
> winbind.
We are running a mixed environment and use sssd for authentication
against our unix ldap directory on all our unix servers. On a group of
servers we need to provide smb shares to windows clients/servers and
dedicated uid/gid mapping for windows users and groups.
Our default setup in nsswitch.conf regarding passwd/shadow/groups looks
like:
passwd: files sss
shadow: files sss
group: files sss
And on the servers running samba:
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
As mentioned it worked till the update from samba 4.7 to 4.8. The sssd
is used for ldap and not AD authentication.
Alex
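
Added example, not part of the original message or of Samba: a small Python script that reads the `passwd`/`group` source order from nsswitch.conf and times `getent -s SOURCE` against each source on its own, so a delay can be attributed to `files`, `sss` or `winbind` individually. The function names and the 120-second timeout are assumptions; the lookup key `foo` and the sample nsswitch lines are taken from the message above.

```python
import re
import shutil
import subprocess
import time

# Constructed sample: the nsswitch.conf lines quoted in the message for the Samba servers.
SAMPLE_NSSWITCH = """\
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
"""

def nss_sources(conf_text, database):
    """Return the ordered sources for one database, ignoring [STATUS=action] items."""
    for raw in conf_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def time_lookup(source, database, key, timeout=120):
    """Time `getent -s SOURCE DATABASE KEY`; return (seconds, exit status or None)."""
    if shutil.which("getent") is None:
        return (0.0, None)  # no getent on this host
    start = time.monotonic()
    try:
        status = subprocess.run(
            ["getent", "-s", source, database, key],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        status = None  # lookup exceeded the timeout
    return (time.monotonic() - start, status)

def profile(conf_text, database, key, lookup=time_lookup):
    """Query each configured source on its own so a slow one stands out."""
    return [(src, *lookup(src, database, key))
            for src in nss_sources(conf_text, database)]

if __name__ == "__main__":
    try:
        with open("/etc/nsswitch.conf") as fh:
            conf = fh.read()
    except OSError:
        conf = SAMPLE_NSSWITCH  # fall back to the constructed sample
    for db in ("passwd", "group"):
        for src, secs, status in profile(conf, db, "foo"):
            print(f"{db:7} {src:8} {secs:8.3f}s exit={status}")
```

An exit status of 2 from `getent` means the key was not found in that source; the elapsed time next to it shows how long that source took to say so.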