[Samba] Winbind queries take longer than 1m30s to complete
Marc Cornellà
marc.cornella at live.com
Wed Oct 16 21:07:17 UTC 2019
When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd SAMDOM\\user`.
When the winbind cache is small, clients that use a program in a network share of this server get
timeouts while using the program, due to the cache expiring and the query to the PDC taking too long.
I've worked around that by setting a winbind cache time longer than the span of work hours and a cron job that flushes the cache and then runs `wbinfo -u` and `wbinfo -g` to warm the cache right before work hours. It works for now but I admit I have no idea what I'm doing.
I've also tried disabling winbind enumeration or setting winbind expand groups to 1.
Setup:
- AD member server, with a single WS2008R2 PDC.
- Only Samba server in the network and domain.
- Debian Jessie 8.11.
- Samba package, version 2:4.2.14+dfsg-0+deb8u13.
Configuration: (edited domain name, host and user names)
smb.conf:
[global]
workgroup = SAMDOM
netbios name = DEBIAN
realm = SAMDOM.LOCAL
security = ads
# User synchronization and mapping
winbind expand groups = 4
winbind refresh tickets = yes
winbind offline logon = yes
winbind normalize names = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 50400 # 14h
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
idmap config SAMDOM : unix_nss_info = yes
# /etc/passwd options for synchronized users (disable login)
template shell = /bin/false
template homedir = /nonexistent
# Turn off printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Options to try to solve the locking problem
veto oplock files = *.DBF *.NTX *.dbf *.ntx
blocking locks = no
oplocks = yes
# Logging options
log level = 1 winbind:5
log file = /var/log/samba/log.%m
max log size = 50
#### Debugging/Accounting ####
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
#======================= Share Definitions =======================
[sys]
comment = system folder
path = /home/sys
browseable = yes
read only = no
create mode = 777
create mask = 766
directory mask = 777
[utilitats]
path = /home/utilitats
browseable = yes
writable = yes
read only = no
create mask = 766
directory mask = 777
[home]
path = /home/
browseable = no
writable = yes
read only = no
create mask = 766
directory mask = 777
valid users = user1,admin1
# recyclebin options
vfs object = recycle
recycle:repository = .recycle
recycle:keeptree = Yes
recycle:versions = Yes
krb5.conf:
[libdefaults]
default_realm = SAMDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
SAMDOM.LOCAL = {
admin_server = PDC.SAMDOM.LOCAL
kdc = PDC.SAMDOM.LOCAL
}
[domain_realm]
.samdom.local = SAMDOM.LOCAL
samdom.local = SAMDOM.LOCAL
[logging]
default = SYSLOG
I can also provide winbind logs, just tell me at which log level you need them to be.
Thanks!
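
Added example, not part of the original post: a cron-friendly shell sketch that times the `wbinfo -u`, `wbinfo -g` and `getent passwd` lookups mentioned above and reports any that fail or exceed a limit, so a cold or slow cache is noticed before work hours. The function names, the `LIMIT` variable, the `run` argument and the 90-second default (taken from the subject line) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script): time winbind lookups and flag
# slow or failed ones. LIMIT and the "run" argument are assumptions.

LIMIT="${LIMIT:-90}"   # seconds; the subject reports queries above 1m30s

# timed_query LABEL CMD [ARGS...]
# Runs CMD with its output discarded, prints
#   "LABEL status=<exit code> seconds=<elapsed>"
# and returns 0 only if CMD succeeded within LIMIT seconds.
timed_query() {
    label=$1; shift
    start=$(date +%s)
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    elapsed=$(( $(date +%s) - start ))
    echo "$label status=$rc seconds=$elapsed"
    [ "$rc" -eq 0 ] && [ "$elapsed" -le "$LIMIT" ]
}

# warm_cache [ACCOUNT]
# Runs the enumeration queries named in the post, plus an optional single
# account lookup (e.g. 'SAMDOM\user'). Returns the number of queries that
# failed or were too slow, so cron can mail a non-zero exit.
warm_cache() {
    failures=0
    timed_query users  wbinfo -u || failures=$((failures + 1))
    timed_query groups wbinfo -g || failures=$((failures + 1))
    if [ -n "${1:-}" ]; then
        timed_query account getent passwd "$1" || failures=$((failures + 1))
    fi
    return "$failures"
}

# Only act when called as: sh thisfile run [ACCOUNT]
case "${1:-}" in
    run) shift; warm_cache "$@" ;;
esac
```

A non-zero exit status is the count of lookups that failed or ran past `LIMIT`; the per-query lines show which one and how long it took.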