[Samba] Excessive ldap queries for root and non-existing accounts

Michal Zacek zacekm at img.cas.cz
Fri May 27 09:12:34 UTC 2022


Hello,

my setup: GPFS cluster --> CTDB cluster --> Samba (ldap(freeipa) 
password backend), OS Rocky 8.5

Everything works perfectly except one thing: Samba is generating 
millions (really) of ldap queries for root or non-existing user accounts 
like these:

conn=11550522 op=4 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber home..."

or

conn=11551585 op=23 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=mmg)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber home..."

Some files shared by Samba are owned by root, but user "mmg" doesn't 
exist at all. Anyway, is there something like a negative cache for 
non-existing ldap users, or is it possible to "map" these users to 
existing ldap users?

Thanks,

Michal

Samba config:

[global]
	netbios name = DATA
	server string = GPFS NAS
	preferred master = Yes
	local master = yes
	os level = 65
	ldap admin dn = uid=l_cudbnd,cn=users,cn=accounts,dc=xyz,dc=local
	ldap group suffix = cn=groups,cn=accounts
	ldap ssl = no
	ldap suffix = dc=xyz,dc=local
	ldap user suffix = cn=users,cn=accounts
	log level = 1 auth:2
	logging = syslog
	log writeable files on exit = Yes
	unix extensions = No
	ntlm auth = Yes
	passdb backend = ldapsam:"ldap://fido1.xyz.local ldap://fido.xyz.local ldap://fido2.xyz.local ldap://fido3.xyz.local"
	security = USER
	fileid:fstype allow = gpfs
	fileid:algorithm = fsname
	force unknown acl user = yes
	gpfs:leases = yes
	gpfs:dfreequota = yes
	gpfs:winattr = yes
	gpfs:sharemodes = yes
	shadow:snapdir = .snapshots
	shadow:snapdirseverywhere = yes
	shadow:sort = desc
	idmap config * : read only = no
	idmap config * : range = 10000000-299999999
	idmap config * : rangesize = 1000000
	idmap config * : backend = autorid
	read only = No
	vfs objects = shadow_copy2 gpfs fileid
	store dos attributes = no
	clustering = yes
	min receivefile size = 16384
	use sendfile = true
	max smbd processes = 1000
	posix locking = yes
	winbind nested groups = no
	winbind use default domain = no
	case sensitive = Yes
	guest account = nfsnobody
	map to guest = Bad Password
	client min protocol = NT1
	server min protocol = NT1

[transfer]
	path = /gpfs/gpfs01/transfer
	smb encrypt = if_required
	force create mode = 0777
	force directory mode = 0777
	create mask = 0777
	directory mask = 0777
	vfs objects = shadow_copy2 gpfs fileid aio_pthread full_audit
	full_audit:prefix = |%u|%I
	full_audit:success = renameat write pwrite mkdirat unlinkat pwrite_send
	full_audit:facility = LOCAL6
	full_audit:priority = INFO
	oplocks = False
	level2 oplocks = False
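
An added example (not part of the original post) that quantifies the problem described above: it parses 389-ds/FreeIPA access-log SRCH lines of the shape shown, tallies ldapsam account lookups per uid, and reports the ones that can never succeed (root, or uids with no sambaSamAccount entry). The log lines and the set of known uids are constructed here; the attribute list is shortened.

```python
"""Count ldapsam account lookups per uid in 389-ds/FreeIPA access-log lines."""
import re
from collections import Counter

# Matches the SRCH lines shown above and captures the uid inside the
# ldapsam filter "(&(uid=<name>)(objectClass=sambaSamAccount))".
SRCH_RE = re.compile(
    r'conn=\d+ op=\d+ SRCH base="[^"]*" scope=\d+ '
    r'filter="\(&\(uid=(?P<uid>[^)]+)\)\(objectClass=sambaSamAccount\)\)"'
)

def tally_uid_lookups(lines):
    """Return a Counter mapping uid -> number of sambaSamAccount searches."""
    counts = Counter()
    for line in lines:
        match = SRCH_RE.search(line)
        if match:
            counts[match.group("uid")] += 1
    return counts

def noisy_lookups(counts, known_uids, threshold=2):
    """Return uids searched at least `threshold` times that are 'root' or have
    no sambaSamAccount entry (not in known_uids): lookups that can never
    succeed and are the candidates for negative caching or mapping."""
    return {uid: n for uid, n in counts.items()
            if n >= threshold and (uid == "root" or uid not in known_uids)}

# Constructed sample in the shape of the poster's excerpt (attrs shortened).
SAMPLE_LOG = [
    'conn=11550522 op=4 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
    'conn=11550522 op=7 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
    'conn=11551585 op=23 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=mmg)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
    'conn=11551585 op=24 BIND dn="uid=l_cudbnd,cn=users,cn=accounts,dc=xyz,dc=local" method=128 version=3',
    'conn=11551586 op=1 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=alice)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
    'conn=11551586 op=2 SRCH base="dc=xyz,dc=local" scope=2 filter="(uid=alice)" attrs="uid"',
    'conn=11551587 op=1 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=mmg)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
    'conn=11551587 op=2 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber"',
]
KNOWN_UIDS = {"alice"}  # constructed: uids that do have a sambaSamAccount entry

if __name__ == "__main__":
    counts = tally_uid_lookups(SAMPLE_LOG)
    for uid, n in sorted(noisy_lookups(counts, KNOWN_UIDS).items()):
        print(f"{uid}: {n} lookups that cannot succeed")
```

On a real access log, feed the file's lines and the uids of existing sambaSamAccount entries (e.g. exported with ldapsearch) to see which names account for the query volume.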
