[Samba] winbind causing huge timeouts/delays since 4.8

Remy Zandwijk remy+samba at luckyhands.nl
Sat Feb 23 12:47:54 UTC 2019

> On 23 Feb 2019, at 09:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> If you have, as you have, 'files sss winbind' in the passwd & group
> line in nsswitch.conf, means this:
> First /etc/passwd or /etc/group is searched and if the user or group is
> found, this info is returned.
> Next sssd will be asked, 'do you know this user or group ?' if found,
> the info is returned.
> Finally winbind will be asked, 'do you know this user or group ?' if
> found, the info is returned.
> Let's take a user called 'fred', this user is in AD. The first search
> will return nothing, so sssd is asked, this 'asks' AD and returns the
> users info. Finally, wait that's it, we have the info, there is no need
> to ask winbind for anything.

That is incorrect. Alexander stated:

> No. we use max. 3 auth providers: (1. and 2. on all unix servers)
> 1. unix (local passwd)
>   for static OS/service accounts across all our env
> 2. sssd (with unix ldap servers as provider)
>   unix experienced user and application related service accounts
> 3. samba/winbind
>   for windows users/services needing access to a group of unix servers


> They don't - as stated above we use sssd for query/caching entries from our ldap directory server and not Windows Domain Controllers - also this is possible, but makes more trouble and doesn't provide what samba's smb/winbind does.

He clearly writes (in multiple emails) that sssd is configured to use his unix ldap servers and not AD.

Maybe three sources of user databases is not regular, but I fail to see why this should be a problem (provided that usernames, uidNumbers and such are unique across the databases).
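
The uniqueness condition above can be checked mechanically. As an added example (not part of the original e-mail), this Python script compares passwd-format dumps from each NSS source in the `files sss winbind` order and reports usernames or UIDs present in more than one source; the sample data and function names are constructed, and on a real host each dump would come from `getent -s <service> passwd`, assuming enumeration is enabled for sssd and winbind.

```python
from collections import defaultdict

# Lookup order from the thread's nsswitch.conf: passwd: files sss winbind
NSS_ORDER = ["files", "sss", "winbind"]

# Constructed sample dumps in passwd(5) format, one per source.
SAMPLE = {
    "files": "root:x:0:0:root:/root:/bin/bash\n"
             "svc_backup:x:950:950::/var/backup:/sbin/nologin\n",
    "sss": "fred:*:10001:10001:Fred:/home/fred:/bin/bash\n"
           "svc_backup:*:10950:10950::/srv/backup:/bin/bash\n",
    "winbind": "CORP\\alice:*:10001:20000:Alice:/home/alice:/bin/bash\n",
}


def parse_passwd(text):
    """Yield (name, uid) pairs, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def find_collisions(dumps, order=NSS_ORDER):
    """Return (name_hits, uid_hits): entries seen in more than one source.

    Each hit lists (source, value) in lookup order, so the first item is
    the one NSS returns and the rest are shadowed.
    """
    names, uids = defaultdict(list), defaultdict(list)
    for source in order:
        for name, uid in parse_passwd(dumps.get(source, "")):
            names[name].append((source, uid))
            uids[uid].append((source, name))

    def multi(table):
        return {k: v for k, v in table.items() if len({s for s, _ in v}) > 1}

    return multi(names), multi(uids)


if __name__ == "__main__":
    name_hits, uid_hits = find_collisions(SAMPLE)
    for name, hits in name_hits.items():
        print(f"name {name!r}: wins={hits[0]} shadowed={hits[1:]}")
    for uid, hits in uid_hits.items():
        print(f"uid {uid}: wins={hits[0]} shadowed={hits[1:]}")
```

A shared UID is the more serious finding: files owned by that UID are attributed to whichever account the first matching source returns.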

