[Samba] Excessive ldap queries for root and non-existing accounts
Michal Zacek
zacekm at img.cas.cz
Fri May 27 09:12:34 UTC 2022
Hello,
My setup: GPFS cluster --> CTDB cluster --> Samba (ldap(freeipa)
password backend), OS Rocky 8.5
Everything works perfectly except one thing: Samba is generating
millions (really) of LDAP queries for root or non-existing user accounts,
like this:
conn=11550522 op=4 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber home..."
or
conn=11551585 op=23 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=mmg)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber home..."
Some files shared by Samba are owned by root, but user "mmg" doesn't
exist at all. Anyway, is there something like a negative cache for
non-existing LDAP users, or is it possible to "map" these users to
existing LDAP users?
Thanks,
Michal
Samba config:
[global]
netbios name = DATA
server string = GPFS NAS
preferred master = Yes
local master = yes
os level = 65
ldap admin dn = uid=l_cudbnd,cn=users,cn=accounts,dc=xyz,dc=local
ldap group suffix = cn=groups,cn=accounts
ldap ssl = no
ldap suffix = dc=xyz,dc=local
ldap user suffix = cn=users,cn=accounts
log level = 1 auth:2
logging = syslog
log writeable files on exit = Yes
unix extensions = No
ntlm auth = Yes
passdb backend = ldapsam:"ldap://fido1.xyz.local ldap://fido.xyz.local ldap://fido2.xyz.local ldap://fido3.xyz.local"
security = USER
fileid:fstype allow = gpfs
fileid:algorithm = fsname
force unknown acl user = yes
gpfs:leases = yes
gpfs:dfreequota = yes
gpfs:winattr = yes
gpfs:sharemodes = yes
shadow:snapdir = .snapshots
shadow:snapdirseverywhere = yes
shadow:sort = desc
idmap config * : read only = no
idmap config * : range = 10000000-299999999
idmap config * : rangesize = 1000000
idmap config * : backend = autorid
read only = No
vfs objects = shadow_copy2 gpfs fileid
store dos attributes = no
clustering = yes
min receivefile size = 16384
use sendfile = true
max smbd processes = 1000
posix locking = yes
winbind nested groups = no
winbind use default domain = no
case sensitive = Yes
guest account = nfsnobody
map to guest = Bad Password
client min protocol = NT1
server min protocol = NT1
[transfer]
path = /gpfs/gpfs01/transfer
smb encrypt = if_required
force create mode = 0777
force directory mode = 0777
create mask = 0777
directory mask = 0777
vfs objects = shadow_copy2 gpfs fileid aio_pthread full_audit
full_audit:prefix = |%u|%I
full_audit:success = renameat write pwrite mkdirat unlinkat pwrite_send
full_audit:facility = LOCAL6
full_audit:priority = INFO
oplocks = False
level2 oplocks = False
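An added example, not part of the original post: a Python script that pairs each sambaSamAccount SRCH line from the 389-ds (FreeIPA) access log with its RESULT line (same conn and op) and counts, per uid, how many lookups came back empty, which shows which accounts (root, or a uid that does not exist at all) are behind the query volume before deciding what to map or exclude. The log lines are constructed; the RESULT line format is assumed to be 389-ds's standard `nentries=` form, and "alice" is a constructed existing account.

```python
import re
from collections import Counter

# Regexes for the 389-ds (FreeIPA) access log lines quoted in the post: the SRCH line
# carries the filter, the RESULT line with the same conn/op carries the entry count.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?'
    r'filter="\(&\(uid=(?P<uid>[^)]+)\)\(objectClass=sambaSamAccount\)\)"'
)
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=\d+ .*?nentries=(?P<n>\d+)')

def empty_sambasam_lookups(lines):
    """Return (total_per_uid, empty_per_uid): sambaSamAccount searches per uid, and the
    subset whose RESULT reported nentries=0, i.e. lookups for accounts (root, or a uid
    that does not exist at all) that LDAP can never satisfy."""
    pending = {}  # (conn, op) -> uid, until the matching RESULT line is seen
    total, empty = Counter(), Counter()
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["uid"]
            total[m["uid"]] += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            uid = pending.pop((m["conn"], m["op"]), None)
            if uid is not None and m["n"] == "0":
                empty[uid] += 1
    return total, empty

# Constructed sample log: SRCH lines in the shape quoted in the post (attrs shortened),
# RESULT lines constructed in 389-ds's format; "alice" is a constructed existing account.
SAMPLE_LOG = [
    'conn=11550522 op=4 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber"',
    'conn=11550522 op=4 RESULT err=0 tag=101 nentries=0 etime=0.000201',
    'conn=11551585 op=23 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=mmg)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber"',
    'conn=11551585 op=23 RESULT err=0 tag=101 nentries=0 etime=0.000187',
    'conn=11551585 op=24 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=alice)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber"',
    'conn=11551585 op=24 RESULT err=0 tag=101 nentries=1 etime=0.000342',
    'conn=11551590 op=2 SRCH base="dc=xyz,dc=local" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber"',
    'conn=11551590 op=2 RESULT err=0 tag=101 nentries=0 etime=0.000199',
]

if __name__ == "__main__":
    total, empty = empty_sambasam_lookups(SAMPLE_LOG)
    for uid, n in empty.most_common():
        print(f"{uid}: {n}/{total[uid]} sambaSamAccount lookups returned nothing")
```

Run it against the real access log with `empty_sambasam_lookups(open(path))`; uids with a high empty count and no LDAP entry are the candidates for a local mapping or exclusion.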