[Samba] Winbind queries take longer than 1m30s to complete
Rowland penny
rpenny at samba.org
Thu Oct 17 08:47:52 UTC 2019
On 16/10/2019 22:07, Marc Cornellà via samba wrote:
> When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd SAMDOM\\user`.
>
> When the winbind cache is small, clients that use a program in a network share of this server get
> timeouts while using the program, due to the cache expiring and the query to the PDC taking too long.
>
> I've worked around that by setting a winbind cache time longer than the span of work hours and a cron job that flushes the cache and then runs `wbinfo -u` and `wbinfo -g` to warm the cache right before work hours. It works for now but I admit I have no idea what I'm doing.
>
> I've also tried disabling winbind enumeration or setting winbind expand groups to 1.
>
> Setup:
> - AD member server, with a single WS2008R2 PDC.
No, you do not have a PDC, you have a single DC which holds the PDC
Emulator FSMO role, the two are entirely different things.
> - Only Samba server in the network and domain.
> - Debian Jessie 8.11.
Upgrade, Jessie is in the last stages of extended support.
> - Samba package, version 2:4.2.14+dfsg-0+deb8u13.
Upgrading would get you a supported version of Samba, 4.2.x went EOL in
2016
>
> Configuration: (edited domain name, host and user names)
> smb.conf:
> [global]
> workgroup = SAMDOM
> netbios name = DEBIAN
> realm = SAMDOM.LOCAL
> security = ads
>
> # User synchronization and mapping
> winbind expand groups = 4
Try lowering the above to 2
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind normalize names = yes
> winbind enum users = yes
> winbind enum groups = yes
Remove the 'winbind enum' lines, they will slow things down and are not
required
> winbind cache time = 50400 # 14h
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-99999
> idmap config SAMDOM : unix_nss_info = yes
The 'unix_nss_info' line only makes sense with the 'ad' backend
>
> # /etc/passwd options for synchronized users (disable login)
> template shell = /bin/false
> template homedir = /nonexistent
>
> # Turn off printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Options to try to fix the locking problem
> veto oplock files = *.DBF *.NTX *.dbf *.ntx
> blocking locks = no
> oplocks = yes
>
> # Logging options
> log level = 1 winbind:5
> log file = /var/log/samba/log.%m
> max log size = 50
>
> #### Debugging/Accounting ####
>
> panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
> server role = member server
> obey pam restrictions = yes
> unix password sync = yes
As you cannot have users in /etc/passwd and AD, having 'unix password
sync' doesn't make sense
Rowland
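Below is the [global] section as it would look once the changes suggested in this reply are applied. It is an added illustration, not part of the original thread and not taken from the poster's system: the domain, host and idmap ranges are the ones from the quoted smb.conf, and every other parameter is left as the poster had it. Removed lines are kept as comments so the diff against the original is visible.

```ini
[global]
   workgroup = SAMDOM
   netbios name = DEBIAN
   realm = SAMDOM.LOCAL
   security = ads
   server role = member server

   # User synchronization and mapping
   # Lowered from 4 to 2 as suggested above; each extra level of
   # nested-group expansion is another round of lookups against the DC.
   winbind expand groups = 2
   winbind refresh tickets = yes
   winbind offline logon = yes
   winbind normalize names = yes
   # Removed: enumeration slows winbind down and is not needed for
   # lookups of a single user or group by name.
   #winbind enum users = yes
   #winbind enum groups = yes
   # 14 hours; the comment is kept on its own line rather than after
   # the value.
   winbind cache time = 50400

   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-99999
   # Removed: unix_nss_info only has meaning with the 'ad' backend.
   # With 'rid' the template lines below supply shell and home directory.
   #idmap config SAMDOM : unix_nss_info = yes

   # /etc/passwd options for synchronized users (disable login)
   template shell = /bin/false
   template homedir = /nonexistent

   # Turn off printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # Options to try to fix the locking problem
   veto oplock files = *.DBF *.NTX *.dbf *.ntx
   blocking locks = no
   oplocks = yes

   # Logging options
   log level = 1 winbind:5
   log file = /var/log/samba/log.%m
   max log size = 50

   panic action = /usr/share/samba/panic-action %d

   obey pam restrictions = yes
   # Removed: the users are in AD, not in /etc/passwd, so there is
   # nothing for Samba to keep in sync.
   #unix password sync = yes
```

Run `testparm -s` on the edited file before restarting winbind; it reports parameters it does not recognise and shows the effective values, which is the quickest way to confirm the enum lines and the unix_nss_info line are really gone.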