[Samba] Winbind queries take longer than 1m30s to complete

Marc Cornellà marc.cornella at live.com
Wed Oct 16 21:07:17 UTC 2019


When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd SAMDOM\\user`.

When the winbind cache is small, clients that use a program in a network share of this server get
timeouts while using the program, due to the cache expiring and the query to the PDC taking too long.

I've worked around that by setting a winbind cache time longer than the span of work hours and a cron job that flushes the cache and then runs `wbinfo -u` and `wbinfo -g` to warm the cache right before work hours. It works for now but I admit I have no idea what I'm doing.

I've also tried disabling winbind enumeration or setting winbind expand groups to 1.

Setup:
- AD member server, with a single WS2008R2 PDC.
- Only Samba server in the network and domain.
- Debian Jessie 8.11.
- Samba package, version 2:4.2.14+dfsg-0+deb8u13.

Configuration: (edited domain name, host and user names)
smb.conf:
[global]
    workgroup = SAMDOM
    netbios name = DEBIAN
    realm = SAMDOM.LOCAL
    security = ads

    # User synchronization and mapping
    winbind expand groups = 4
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind normalize names = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 50400 # 14h

    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-99999
    idmap config SAMDOM : unix_nss_info = yes

    # /etc/passwd options for synchronized users (disable login)
    template shell = /bin/false
    template homedir = /nonexistent

    # Turn off printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # Options to try to solve the locking problem
    veto oplock files = *.DBF *.NTX *.dbf *.ntx
    blocking locks = no
    oplocks = yes

    # Logging options
    log level = 1 winbind:5
    log file = /var/log/samba/log.%m
    max log size = 50

#### Debugging/Accounting ####

    panic action = /usr/share/samba/panic-action %d

####### Authentication #######

    server role = member server
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user

#======================= Share Definitions =======================

[sys]
    comment = system folder
    path = /home/sys
    browseable = yes
    read only = no
    create mode = 777
    create mask = 766
    directory mask = 777

[utilitats]
    path = /home/utilitats
    browseable = yes
    writable = yes
    read only = no
    create mask = 766
    directory mask = 777

[home]
    path = /home/
    browseable = no
    writable = yes
    read only = no
    create mask = 766
    directory mask = 777
    valid users = user1,admin1
#   recyclebin options
    vfs object = recycle
    recycle:repository = .recycle
    recycle:keeptree = Yes
    recycle:versions = Yes

krb5.conf:
[libdefaults]
    default_realm = SAMDOM.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    SAMDOM.LOCAL = {
        admin_server = PDC.SAMDOM.LOCAL
        kdc = PDC.SAMDOM.LOCAL
    }

[domain_realm]
    .samdom.local = SAMDOM.LOCAL
    samdom.local = SAMDOM.LOCAL

[logging]
    default = SYSLOG

I can also provide winbind logs, just tell me at which log level you need them to be.

Thanks!


