[Samba] winbind causing huge timeouts/delays since 4.8

[Rowland Penny]

On Tue, 26 Feb 2019 15:18:35 +0100
Ralph Böhme <slow at samba.org> wrote:

> On Tue, Feb 26, 2019 at 01:32:51PM +0000, Rowland Penny wrote:
> >On Tue, 26 Feb 2019 12:49:42 +0100 Ralph Böhme  wrote:
> >> On Tue, Feb 26, 2019 at 12:45:45PM +0100, Björn JACKE via samba
> >> wrote:
> >> >To reflect the fact that the owner can be a group also, winbind
> >> >can assign both a mapped uid number and a gid number for Windows
> >> >users and groups, both uid and gid have the same value and are the
> >> >xid. That way Samba can also assign the ownership of files to a
> >> >group. The idmap backend has to be able to support XID though, not
> >> >all idmap backends do so.
> >>
> >> in particular idmap_autorid, idmap_rid and idmap_script support
> >> this so called mode, idmap_ad doesn't.
> >
> >I take it that xid is used internally by Samba to identify calculated
> >ID's, because the only place a normal user will come across them is
> >in idmap.ldb. If this is correct, then it doesn't really matter that
> >idmap_ad doesn't support them, because uidNumber & gidNumber replaces
> >them.
> 
> Iirc it matters: I guess SID history will not work with idmap_ad.

If it doesn't and should, then it needs fixing.

> 
> >From a users point of view, the only way to get an experience similar
> >to Windows is to use idmap_ad.
> 
> From a certain perspective: maybe. But that's a generalisation, I
> wouldn't go over that bridge.

Where I live, you cannot get out of town without going over a bridge ;-)

> 
> Again: for many fileserver scenarios you're better using
> idmap_autorid.

I do wish people would stop talking about 'fileservers', to me this
means a standalone server. In AD you have domain members, either Unix
or Windows and they should work in a similar way.

Your approach seems to be based on nobody using a Samba Unix domain
member as a workstation and only using them as somewhere to store files
etc i.e. a glorified NAS 

Rowland