Web lists-archives.com

Re: [Samba] Slow, Incorrect Group Resolution through Winbind

On Wed, 13 Sep 2017 14:10:48 -0400
Rich Otero <rotero@xxxxxxxxxxxxx> wrote:

> Perhaps this is another place where the description in the manual
> could be clearer. My reading of it is that the configuration for the
> * domain applies to all domains that have not been explicitly
> configured (which is the way I thought I was using it).

Yes, but how do you know which domain is which ?

> Remove the next three lines
> > >         smb passwd file = /var/cache/samba/smbpasswd
> > >         passdb backend = smbpasswd
> I don't understand this suggestion. What if I have non-domain users
> who are stored in passdb? (I do.)

Because smbpasswd is deprecated by the now now default tdbsam and if
you remove those lines, you will start to use the default.

> >         restrict anonymous = 2
> This doesn't make sense to me either. What does it have to do with
> Winbind's interaction with AD? We set this option because automated
> network security audits such as Qualys consider allowing anonymous
> connections to be a vulnerability and nothing that we do relies on
> anonymous connections to Samba anyway.

I would remove it because it can break some applications

> remove the next two lines, you do not need them.
> > >         machine password timeout = 0
> We set "machine password timeout" to 0 because we have some systems
> where Samba must run with the same configuration on two highly
> available nodes. Therefore, we disable periodically changing the
> machine password and we ensure that both nodes have the same stored
> password by periodically synchronizing the secrets file from the
> primary node to the secondary node.

I cannot recommend doing this, you should have different passwords for
each machine.
> >         os level = 33
> Our product can consist of multiple independent Samba servers in a
> group. Within the group, there can be one "master" server and many
> "auxiliary" servers. On masters, we raise "os level" to 65 and on
> auxiliaries, we lower it to 33 so that only the master is capable of
> becoming the local master browser. I don't understand how this is
> related to AD integration.

Because even if this line was 254 it wouldn't win an election with an
AD DC, so why bother.

> remove the next two lines, you do not need them.
> > >         ldap debug level = 1
> > >         ldap debug threshold = 5
> I had set these so that I could see more detailed messages about the
> LDAP calls. How does this contribute to the problem I am trying to
> solve?

They probably don't, but they shouldn't be there on an Unix domain

All I can say is, I do not and never will set up a Unix domain member
in the way you have. I also do not have any of the problems you are
having, but it is your computer, so set it up how you like.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba