[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba

David Walling walling at tacc.utexas.edu
Tue Sep 3 13:52:57 UTC 2019


Unfortunately I do not have the ability to add the user/group information to AD directly at this time.

Does anyone know exactly what the following error message "means"?  It shows up every time these symptoms occur, and if I could understand why the lookup fails, I might be able to prevent the issue.

"lookup_name_smbconf for CLIENTHOSTNAME$ failed"


________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Friday, August 30, 2019 12:52 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba

On 30/08/2019 18:15, David Walling wrote:
> /etc/samba/user_and_group_map.txt contains Windows username/group to
> linux username/group mappings.  In our setup, all users exist in ldap,
> as do the directory groups, but the linux user and group information
> (namely uid/gid) do not.  This has been set up such that the users
> connect to samba as the windows username (ex. PRODUCTION+user1) for an
> authorized group (PRODUCTION+group1), but the files and permissions on
> the linux samba server are created and managed with the appropriate
> uid/gids.
>
> Example:
>
> linuxuser=PRODUCTION+windowsuser
> G-234=PRODUCTION+directorygroup
>
> I do not believe we are using sssd, but are using winbind.  It's quite
> possible we don't have this setup optimally, but this setup does work
> as needed, outside of these occasional crash/unresponsive states.
>
> Thanks!
>
> David W.

Why are you doing this?

Why not just have everything in AD?

Using AD would allow Windows users & groups to become Unix users and groups.

e.g. 'getent passwd rowland' gives me:


rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash


'rowland' is only in AD and nowhere else


Try using this smb.conf:


[global]
         workgroup = PRODUCTION
         security = ADS
         realm = PRODUCTION.REDACTED.ORG
         netbios name = service-samba4

         idmap config *:backend = tdb
         idmap config *:range = 3000-7999
         idmap config PRODUCTION : backend = rid
         idmap config PRODUCTION : range = 100000-200000

         bind interfaces only = yes
         # change eth0 to your network device
         interfaces = eth0
         preferred master = no
         winbind separator = +
         max log size = 20000
         log level = 1 smbd:10
         log file = /var/log/samba/log.%m
         dns proxy = no

         username map = /etc/samba/user.map

         # ACL Settings
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

         # Multichannel
         aio read size = 0
         aio write size = 0

         # Prevent zombie processes
         deadtime = 15
         csc policy = disable

[share1]
         path = /samba/share1
         read only = no
         inherit acls = yes
         inherit permissions = yes
         create mask = 700
         directory mask = 700
         valid users = @"G-817803"
         hosts allow =  redacted


and create /etc/samba/user.map with just this content:


!root = PRODUCTION\Administrator


Restart nmbd, smbd and winbind and run:


getent passwd PRODUCTION\'A_VALID_USERNAME'


Rowland
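
The mapping files discussed in this thread (user_and_group_map.txt and user.map) use the smb.conf "username map" format. The following is an added example, not code from either poster or from Samba: a simplified reading of the smb.conf(5) rules showing how a leading '!' changes which line wins. The sample file contents, the svcuser/guest entries and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format discussed above (not the poster's real file).
SAMPLE_MAP = r"""
# comment lines start with '#' or ';'
!root = PRODUCTION\Administrator
linuxuser = PRODUCTION+windowsuser
!svcuser = "PRODUCTION+Service Account" PRODUCTION+svc
guest = *
"""

def parse_username_map(text):
    """Return [(unix_name, [client names], stop_on_match), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")   # '!': stop processing once this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                  # no '=': not a mapping line
        # Names are whitespace separated; double quotes protect embedded spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        rules.append((unix_name.strip(), [n for n in names if n], stop))
    return rules

def map_user(rules, client_name):
    """Map one client-supplied name; unmapped names are returned unchanged."""
    mapped = client_name
    for unix_name, names, stop in rules:
        # '@group' entries need a group lookup and are not evaluated here.
        if any(n == "*" or n.lower() == client_name.lower() for n in names):
            mapped = unix_name        # a later matching line overrides this one
            if stop:
                break
    return mapped

if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for name in (r"PRODUCTION\Administrator", "PRODUCTION+windowsuser",
                 "PRODUCTION+Service Account", "PRODUCTION+someoneelse"):
        print(f"{name!r:32} -> {map_user(rules, name)}")
```

In the sample, the linuxuser line has no '!', so the later wildcard line overrides it; lines that must win need the '!' prefix or must come after any wildcard.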


