
Re: [Samba] winbind causing huge timeouts/delays since 4.8




On Fri, 22 Feb 2019 16:40:46 +0100
Alexander Spannagel via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Am 22.02.19 um 15:42 schrieb Rowland Penny via samba:
> > On Fri, 22 Feb 2019 15:35:53 +0100
> > Ralph Böhme via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> Hi,
> >>
> >> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
> >> samba wrote:
> s.
> >>
> >> hm, can't reproduce:
> >>
> >> slow@titan:~/git/samba/scratch$ git describe
> >> samba-4.8.3
> >>
> >> slow@titan:~/git/samba/scratch$ sudo bin/net cache flush
> >>
> >> slow@titan:~/git/samba/scratch$ time bin/wbinfo -i foo
> >> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not get info for user foo
> >>
> >> real    0m0.025s
> >> user    0m0.004s
> >> sys     0m0.004s
> >>
> >> Can you share your full smb.conf?
> 
> Here is the extraction of the global section from our smb.conf:
> [root@centos7dev64 ~]# testparm --section-name=global 2>/dev/null < /dev/null
> # Global parameters
> [global]
>          dedicated keytab file = /etc/krb5.keytab
>          disable spoolss = Yes
>          domain master = No
>          kerberos method = secrets and keytab
>          ldap connection timeout = 10
>          ldap timeout = 30
>          load printers = No
>          local master = No
>          log file = /var/log/samba/log.%m
>          max log size = 0
>          os level = 0
>          printcap name = /dev/null
>          realm = OPS.GLOBAL.AD
>          security = ADS
>          server signing = required
>          server string = FTP Samba Server
>          show add printer wizard = No
>          template shell = /bin/bash
>          username map = /etc/samba/user.map
>          winbind refresh tickets = Yes
>          winbind separator = +
>          workgroup = OPS
>          idmap config * : rangesize = 1000000
>          idmap config * : range = 1000000-19999999
>          idmap config * : backend = autorid
>          map acl inherit = Yes
>          printing = bsd
>          store dos attributes = Yes
>          vfs objects = acl_xattr full_audit recycle extd_audit
> 
> > 
> > You might also want to explain why you are using sssd's cache with
> > winbind.
> 
> We are running a mixed environment and use sssd for authentication 
> against our unix ldap directory on all our unix servers. On a group
> of servers we need to provide smb shares to windows clients/servers
> and dedicated uid/gid mapping for windows users and groups.
> 
> Our default setup in nsswitch.conf regarding passwd/shadow/groups
> looks like:
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> 
> And on the servers running samba:
> passwd:     files sss winbind
> shadow:     files sss winbind
> group:      files sss winbind
> 
> As mentioned it worked till the update from samba 4.7 to 4.8. The
> sssd is used for ldap and not AD authentication.
> 
> Alex
> 

If you do have 'files sss winbind' in /etc/nsswitch.conf and sssd
is running, then it is highly likely that even if winbind is running,
it will not be used. You also shouldn't use winbind on the shadow line
and you shouldn't run winbind and sssd together; sssd has its own
version of one of the winbind libs, and this will undoubtedly interfere
with the Samba one.

Finally, your smb.conf is borked for winbind.

Rowland

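The two nsswitch.conf points raised in the reply above (winbind on the shadow line, and sss listed together with winbind), written as a small lint. This is an added example, not part of the original thread or of Samba; the function names are hypothetical and the sample input is the set of Samba-server lines quoted in the thread.

```python
import re

# nsswitch.conf lines from the Samba servers, as quoted in the thread.
SAMPLE = """\
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
"""


def parse_nsswitch(text):
    """Return {database: [sources]}, dropping comments and [STATUS=action] items."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, rest = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        # Action items such as [NOTFOUND=return] are not lookup sources.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[db.strip()] = rest.split()
    return dbs


def lint(text):
    """Return (database, message) pairs for the conditions named in the reply."""
    findings = []
    for db, sources in parse_nsswitch(text).items():
        if db == "shadow" and "winbind" in sources:
            findings.append((db, "winbind listed on the shadow line"))
        if "sss" in sources and "winbind" in sources:
            findings.append((db, "sss and winbind both listed"))
    return findings


if __name__ == "__main__":
    for db, msg in lint(SAMPLE):
        print(f"{db}: {msg}")
```

To check a live host, pass the contents of /etc/nsswitch.conf to `lint()` instead of `SAMPLE`.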