Web lists-archives.com

Re: [Samba] Slow, Incorrect Group Resolution through Winbind




On Wed, 13 Sep 2017 10:48:18 -0400
Rich Otero via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello. I am observing some strange behavior on a Linux system that has
> joined a Windows Active Directory domain using the Samba suite. Our
> servers are based on Ubuntu v12.04 but have kernel v3.12.17 and Samba
> v4.3.6.
> 
> The problem that I'm trying to understand is that group name
> resolution through Winbind occasionally fails. Here's an example
> where one group name could not be resolved. This causes "groups" to
> hang, presumably because it is waiting for Winbind to provide the
> name and Winbind is waiting for the domain controller:
> 
> editshare@es-exp1:~$ time groups dwill627
> dwill627 : domain users _adsso_editors editors exp1-promos groups:
> cannot find name for group ID 16777230
> 16777230 KUTZTOWN\computeradministrativeaccessclassrooms allstudents
> KUTZTOWN\oitfs_software_r
> KUTZTOWN\computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
> 
> real    1m21.472s
> user    0m0.064s
> sys     0m0.000s
> 
> However, the user dwill627 is apparently not a member of the group
> with ID 16777230:
> 
> editshare@es-exp1:~$ getent group 16777230
> KUTZTOWN\computeradministrativeaccesslabs:x:16777230:KUTZTOWN\techcreel,KUTZTOWN\techstamm,KUTZTOWN\techeben,KUTZTOWN\techjulian,KUTZTOWN\chemnmr,KUTZTOWN\librarypatron,KUTZTOWN\olympiad,KUTZTOWN\labprint
> 
> I don't understand why there is this discrepancy.
> 
> Here's the global configuration as reported by "testparm:"
> 
> [global]
>         workgroup = STUDENTS
>         realm = STUDENTS.KUTZTOWN.EDU
>         server string = es-exp1
>         security = ADS
>         password server = kustudc01.students.kutztown.edu,
> kustudc02.students.kutztown.edu
>         smb passwd file = /var/cache/samba/smbpasswd
>         passdb backend = smbpasswd
>         restrict anonymous = 2
>         log file = /var/log/samba/log.%I
>         server max protocol = SMB2_22
>         max protocol = SMB2_22
>         protocol = SMB2_22
>         max xmit = 65535
>         unix extensions = No
>         max open files = 32768
>         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
>         load printers = No
>         printcap name = /dev/null
>         machine password timeout = 0
>         os level = 33
>         dns proxy = No
>         wins support = Yes
>         ldap debug level = 1
>         ldap debug threshold = 5
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template homedir = /home/%U
>         template shell = /sbin/nologin
>         winbind use default domain = Yes
>         winbind expand groups = 1
>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = tdb
>         aio read size = 1
>         aio write size = 1
>         use sendfile = Yes
>         include = /etc/samba/smb.0.0.0.0.conf
>         wide links = Yes
> 

Sorry but your smb.conf is borked, you seem to have a mixture of
deprecated settings combined with the new way of doing things, can I
suggest you go and read these wiki pages:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid

I feel I should also point that both Ubuntu 12.04 and Samba 4.3.6 are
EOL

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba