Web lists-archives.com

Re: [Samba] winbind causing huge timeouts/delays since 4.8




On Sat, 23 Feb 2019 00:00:32 +0100
Alexander Spannagel <aspannagel@xxxxxx> wrote:

> Am 22.02.19 um 23:02 schrieb Rowland Penny via samba:
> > So, you are trying to use 4 different methods of authentication on
> > the same Samba server, Unix, sssd, winbind and ldap, and you expect
> > this to work ?
> > 
> No. we use max. 3 auth providers: (1. and 2. on all unix servers)
> 1. unix (local passwd)
>     for static OS/service accounts across all our env
> 2. sssd (with unix ldap servers as provider)
>     unix experienced user and application related service accounts
> 3. samba/winbind
>     for windows users/services needing access to a group of unix
> servers
> 
> All that worked fine in coexistence since years and just stopped
> working smoothly with update to samba-4.8 and can be fixed with
> provided patches that fixes patch from Bug#13503 from mid of 2018.
> Initial also provided config changes to fix the issues, but they are 
> only workarounds.
> 
> > I repeat, from a Samba point of view, your smb.conf is borked, see
> > here for more info:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> Will take a look, but not certain what configuration options you want 
> point me too.
> 
> > You do not need winbind and sssd on the same Samba server, they do
> > the same thing, pick one and delete the other.
> They don't - as stated above we use sssd for query/caching entries
> from our ldap directory server and not Windows DomainConmtrollers -
> also this is possible, but makes more trouble and don't provide what
> samba's smb/windbind does.
> 
> > 
> > Your borked smb.conf is trying to be a Unix domain member, you do
> > not use ldap in smb.conf
> > 
> Samba authenticate and caching AD accounts is working as expected and 
> without issues.
> 
> > If your smb.conf is set up correctly, your active directory users
> > will become Unix users as well.
> > 
> Indeed it works just fine.
> 
> > You can if you so wish, go to git-lab and creating a fork and make
> > your changes there, see here for more info:
> > 
> > https://wiki.samba.org/index.php/Using_Git_for_Samba_Development
> > 
> > Rowland
> > 
> Thanks for point me there, will take a look.
> 
> Alex

If you have, as you have, 'files sss winbind' in the the passwd & group
line in nsswitch.conf, means this:
First /etc/passwd or /etc/group is searched and if the user or group is
found, this info is returned.
Next sssd will be asked, 'do you know this user or group ?' if found,
the info is returned.
Finally winbind will be asked, 'do you know this user or group ?' if
found, the info is returned.

Lets take a user called 'fred', this user is in AD. The first search
will return nothing, so sssd is asked, this 'asks' AD and returns the
users info. Finally, wait that's it, we have the info, there is no need
to ask winbind for anything.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba