[Samba] Winbind queries take longer than 1m30s to complete

Rowland penny rpenny at samba.org
Thu Oct 17 08:47:52 UTC 2019


On 16/10/2019 22:07, Marc Cornellà via samba wrote:
> When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd SAMDOM\\user`.
>
> When the winbind cache is small, clients that use a program in a network share of this server get
> timeouts while using the program, due to the cache expiring and the query to the PDC taking too long.
>
> I've worked around that by setting a winbind cache time longer than the span of work hours and a cron job that flushes the cache and then runs `wbinfo -u` and `wbinfo -g` to warm the cache right before work hours. It works for now but I admit I have no idea what I'm doing.
>
> I've also tried disabling winbind enumeration or setting winbind expand groups to 1.
>
> Setup:
> - AD member server, with a single WS2008R2 PDC.
No, you do not have a PDC, you have a single DC which holds the PDC 
Emulator FSMO role, the two are entirely different things.
> - Only Samba server in the network and domain.
> - Debian Jessie 8.11.
Upgrade, Jessie is in the last stages of extended support.
> - Samba package, version 2:4.2.14+dfsg-0+deb8u13.
Upgrading would get you a supported version of Samba, 4.2.x went EOL in 
2016.
>
> Configuration: (edited domain name, host and user names)
> smb.conf:
> [global]
>      workgroup = SAMDOM
>      netbios name = DEBIAN
>      realm = SAMDOM.LOCAL
>      security = ads
>
>      # User synchronization and mapping
>      winbind expand groups = 4
Try lowering the above to 2
>      winbind refresh tickets = yes
>      winbind offline logon = yes
>      winbind normalize names = yes
>      winbind enum users = yes
>      winbind enum groups = yes
Remove the 'winbind enum' lines, they will slow things down and are not 
required
>      winbind cache time = 50400 # 14h
>
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-9999
>      idmap config SAMDOM : backend = rid
>      idmap config SAMDOM : range = 10000-99999
>      idmap config SAMDOM : unix_nss_info = yes
The 'unix_nss_info' line only makes sense with the 'ad' backend
>
>      # /etc/passwd options for synchronized users (disable login)
>      template shell = /bin/false
>      template homedir = /nonexistent
>
>      # Turn off printing
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>
>      # Options to try to solve the locking problem
>      veto oplock files = *.DBF *.NTX *.dbf *.ntx
>      blocking locks = no
>      oplocks = yes
>
>      # Logging options
>      log level = 1 winbind:5
>      log file = /var/log/samba/log.%m
>      max log size = 50
>
> #### Debugging/Accounting ####
>
>      panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
>      server role = member server
>      obey pam restrictions = yes
>      unix password sync = yes
As you cannot have users in /etc/passwd and AD, having 'unix password 
sync' doesn't make sense

Rowland
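
The four configuration points raised in the reply above, expressed as a small smb.conf lint. This is an added example, not part of the original message and not Samba code; `parse_global` and `lint` are hypothetical helpers, and the sample config is constructed from the settings quoted in the thread.

```python
import re

# Constructed sample: the [global] settings from the thread that the reply comments on.
SAMPLE = """\
[global]
    security = ads
    winbind expand groups = 4
    winbind enum users = yes
    winbind enum groups = yes
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : unix_nss_info = yes
    unix password sync = yes
"""

def parse_global(text):
    """Return {name: value} for [global]; names are lowercased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def lint(text):
    """Return (parameter, advice) pairs for the settings the reply objects to."""
    p, out = parse_global(text), []
    on = lambda k: p.get(k, "no").lower() in ("yes", "true", "1")
    depth = re.match(r"\d+", p.get("winbindexpandgroups", "0"))
    if depth and int(depth.group()) > 2:
        out.append(("winbind expand groups", "try lowering to 2"))
    for k in ("winbind enum users", "winbind enum groups"):
        if on(k.replace(" ", "")):
            out.append((k, "remove; slows things down and is not required"))
    for k in p:
        m = re.fullmatch(r"idmapconfig(.+):unix_nss_info", k)
        if m and on(k) and p.get(f"idmapconfig{m.group(1)}:backend", "").lower() != "ad":
            out.append((f"idmap config {m.group(1).upper()} : unix_nss_info",
                        "only makes sense with the 'ad' backend"))
    if on("unixpasswordsync") and p.get("security", "").lower() == "ads":
        out.append(("unix password sync", "makes no sense on an AD member"))
    return out

if __name__ == "__main__":
    for name, advice in lint(SAMPLE):
        print(f"{name}: {advice}")
```
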



