
Re: [Samba] winbind causing huge timeouts/delays since 4.8




On Fri, 22 Feb 2019 22:40:38 +0100
Alexander Spannagel via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On 22.02.19 at 17:02, Rowland Penny via samba wrote:
> > If you do have 'files sss winbind' in /etc/nsswitch.conf and sssd
> > is running, then it is highly likely that even if winbind is
> > running, it will not be used. You also shouldn't use winbind on the
> > shadow line and you shouldn't run winbind and sssd together, sssd
> > has its own version of one of the winbind libs, and this will
> > undoubtedly interfere with the Samba one.
> On our linux servers ldap should always be used before asking AD via 
> samba/winbind (as stated in nsswitch.conf). The sssd and samba libs
> are separated (we are on unix not windows) so there shouldn't be any 
> "random" usage and if one of them or both have some buggy code
> maybe triggered by special config combinations - but really don't
> want to point to one or the other just want to solve an issue we hit
> in our environment.
> 
> Anyhow I did some more patch testing and found two more ways to solve 
> our issues instead of adding the line "return false;":
> 1. replace the patched line with this one:
> 	fstrcpy(domain, namespace);
>     so in our setup domain would be set to namespace which is set to
> 2. don't use the patch added via Bug 13503 at all
> 
> So to me it looks like the issue is caused somewhere later in the code, when 
> function parse_domain_user sets namespace to something different than 
> domain - in our case namespace=lp_netbios_name()='HOSTNAME' and
> domain=''. If I were asked, I would go with solution 1 (patch
> file attached) to keep the fix for Bug 13503 and assume not breaking it -
> maybe Mr. Schneider could take a look if it would still fix the
> reported Bug.
> 
> > 
> > Finally, your smb.conf is borked for winbind.
> > 
> We have a different setup on some servers using an ldap server as idmap 
> backend instead of using autorid, but those show the same issue and so 
> shouldn't be related at all.
> 
> Alex

So, you are trying to use 4 different methods of authentication on the
same Samba server, Unix, sssd, winbind and ldap, and you expect this to
work?

I repeat, from a Samba point of view, your smb.conf is borked, see here
for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You do not need winbind and sssd on the same Samba server, they do the
same thing, pick one and delete the other.

Your borked smb.conf is trying to be a Unix domain member, you do not
use ldap in smb.conf.

If your smb.conf is set up correctly, your active directory users will
become Unix users as well.

You can, if you so wish, go to GitLab, create a fork and make your
changes there, see here for more info:

https://wiki.samba.org/index.php/Using_Git_for_Samba_Development

Rowland
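
The two nsswitch.conf points raised in the reply above (sss and winbind listed for the same database, and winbind on the shadow line) can be checked mechanically. The following is an added example, not part of the original messages and not Samba tooling; the sample file contents and the function names `parse_nsswitch` and `audit` are constructed for illustration.

```python
import re

# Constructed sample, modelled on the 'files sss winbind' ordering quoted in the thread.
SAMPLE_NSSWITCH = """\
passwd:     files sss winbind
group:      files sss [NOTFOUND=return] winbind   # action items are ignored
shadow:     files sss winbind
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [STATUS=action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        databases[db.strip()] = rest.split()
    return databases


def audit(text):
    """Return (database, code, message) tuples for the issues named in the thread."""
    findings = []
    for db, sources in parse_nsswitch(text).items():
        if "sss" in sources and "winbind" in sources:
            first = min(("sss", "winbind"), key=sources.index)
            findings.append((db, "sss+winbind",
                             f"both sss and winbind listed; {first} is consulted first"))
        if db == "shadow" and "winbind" in sources:
            findings.append((db, "winbind-on-shadow",
                             "winbind should not be on the shadow line"))
    return findings


if __name__ == "__main__":
    for db, code, message in audit(SAMPLE_NSSWITCH):
        print(f"{db}: {code}: {message}")
```
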
