
Re: [Samba] IDMAP Cache

On Mon, 25 Jun 2018 10:34:03 +0200
Meike Stone via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello dear list,
> 
> can someone help me?
> 
> The manual page clearly states:
> "The idmap backend provides a plugin interface for *Winbind* to use
> varying backends to store SID/uid/gid mapping tables." and
> "ID mapping in Samba is the mapping between Windows SIDs and Unix user
> and group IDs. This is performed by *Winbindd* with a configurable
> plugin interface."
> 
> So that's the reason why I said "No winbind is running." (on my
> server)
> 
> So that can explain why Samba 3 is asking the LDAP server often, but
> why is Samba 4 using the cache without winbind?
> 
> my configuration (testparm -v -s | grep idmap):
>         ldap idmap suffix =
>         idmap backend = tdb
>         idmap cache time = 604800
>         idmap negative cache time = 120
>         idmap uid =
>         idmap gid =
>         idmap config * : backend = tdb
> 
> Thanks in advance
> Meike
> 
> 2018-06-22 13:40 GMT+02:00 Meike Stone <meike.stone@xxxxxxxxxxxxxx>:
> > Hello dear list,
> >
> > I have a Samba 3 server (under SLES11) running, connected to an
> > LDAP server, and it is running well.
> > But now I would like to migrate to Samba 4 and I've done a few tests
> > beforehand.
> >
> > The whole time with Samba 3, I was surprised about the many LDAP
> > requests, so that I thought about an additional local OpenLDAP proxy
> > cache.
> >
> > But now with Samba 4 (with the same configuration as Samba 3,
> > SLES12) the IDMAP requests are cached in a local tdb (gencache.tdb).
> >
> > I can check the local cache with "net cache list". While the list on
> > Samba 3 is empty, with Samba 4 there are a lot of IDMAP entries.
> >
> > No winbind is running.
> >
> > My questions:
> >     - Is this cache configurable (TTL, ...)? I've found nothing.
> >     - Does the cache configuration and functional principle
> >       differ between Samba 3 and 4?
> >     - How to debug this?
> >     - Why is only the cache under Samba 4 working?
> >
> >
> > Thanks Meike
> > ===============================================
> > my configuration (same for Samba 3 and 4):
> >
> > [global]
> >           workgroup = Samba
> >           map to guest = Bad User
> >           security = user
> >           server string = Server1
> >           max protocol = SMB2
> >           deadtime = 600
> >
> >           load printers = no
> >           printcap name = /dev/null
> >           disable spoolss = yes
> >
> >           ldap admin dn = uid=sambauser,o=some,c=domain
> >           passdb backend = ldapsam:"ldap://ldap01.some.domain";
> >
> >           ldap suffix = cn=samba,o=some,c=domain
> >           ldap user suffix = cn=accounts
> >           ldap group suffix = cn=groups
> >           ldap passwd sync = No
> >
> >           log level = 255
> >           syslog = 0
> >
> > [share1]
> >         path = /daten/share1
> >         comment = share1
> >         writeable = yes
> >         browseable = no
> >         nt acl support = no
> >         inherit permissions = yes
> >         store dos attributes = yes
> >         csc policy = disable
> 

I think the bigger question is, why are you trying to run a
standalone server as some form of domain member?

A standalone server is just that, it stands alone; all authentication
should be done on the standalone server.

Samba has changed significantly since version 3.6.x and if you have
Windows clients (especially Win 10) you should seriously consider
upgrading to AD.

Rowland
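The question in the thread is whether the idmap cache TTL is configurable; the `testparm -v -s | grep idmap` output quoted above already answers it (`idmap cache time = 604800`, `idmap negative cache time = 120`, both Samba's defaults). The script below is an added example, not code from the thread or from the Samba project: it parses those flattened testparm lines (copied from the thread as constructed sample input), renders the TTLs in readable units and flags a positive cache lifetime above an assumed one-day review threshold, since a SID-to-uid/gid mapping that changes in the LDAP backend keeps resolving to the old value from gencache.tdb until the entry expires. The threshold and the finding wording are assumptions, not Samba defaults.

```python
"""Report Samba idmap cache TTLs from `testparm -v -s` style output.

Added example for the thread above; it is not part of Samba.
"""
import re

# Constructed sample input: the `testparm -v -s | grep idmap` lines
# quoted in the thread, as testparm prints them (leading tab/spaces).
SAMPLE_TESTPARM = """\
        ldap idmap suffix =
        idmap backend = tdb
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid =
        idmap gid =
        idmap config * : backend = tdb
"""

# Assumed review threshold (one day). Positive cache entries that live
# longer mean an account removed or remapped in the backend keeps its
# old uid/gid on this server until the cached mapping expires.
MAX_POSITIVE_TTL = 24 * 3600

# Samba's documented defaults, used only when a key is absent.
DEFAULT_POSITIVE_TTL = 604800
DEFAULT_NEGATIVE_TTL = 120

# testparm prints one "key = value" per line; the value may be empty.
_LINE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_testparm(text):
    """Return {parameter: value} from testparm's flattened output."""
    params = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            params[match.group("key").lower()] = match.group("value")
    return params


def human_duration(seconds):
    """Render a TTL in seconds as 'Nd Nh Nm Ns'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"


def idmap_cache_report(params):
    """Summarise the idmap cache TTLs and collect review findings."""
    positive = int(params.get("idmap cache time", DEFAULT_POSITIVE_TTL))
    negative = int(params.get("idmap negative cache time", DEFAULT_NEGATIVE_TTL))
    findings = []
    if positive > MAX_POSITIVE_TTL:
        findings.append(
            f"idmap cache time is {human_duration(positive)}; mapping "
            "changes in the backend stay invisible here until expiry"
        )
    return {
        "positive_ttl": positive,
        "negative_ttl": negative,
        "findings": findings,
    }


if __name__ == "__main__":
    report = idmap_cache_report(parse_testparm(SAMPLE_TESTPARM))
    print("positive TTL:", human_duration(report["positive_ttl"]))
    print("negative TTL:", human_duration(report["negative_ttl"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

To run it against a live server, pipe `testparm -v -s 2>/dev/null` into `parse_testparm` instead of the embedded sample; the parser does not depend on the `grep idmap` filter because it simply ignores keys it does not look up.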

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba