David Eisner
2008-Nov-10 20:48 UTC
[Samba] Configuring idmap for a Samba 3.2.4 AD member server
I'm hoping somebody can point me to the right documentation for setting up the following scenario.

Earlier this year I had Samba 3.0.28a working as a member server of a (Windows Server 2003) AD domain, using Solaris 10 and Heimdal Kerberos. I was able to log into the server using AD accounts, getent passwd worked, etc. I was using "security=ads" with these settings (among others):

    netbios name = MYSMBSRV
    realm = MYDOMAIN.FOO.ORG
    use kerberos keytab = Yes
    idmap domains = MYDOMAIN
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:default = yes
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 10000 - 300000000
    idmap alloc backend = tdb
    idmap alloc config:range = 5000 - 9999
    winbind nss info = rfc2307

It may be that some of this is superfluous but I was fortunate enough that it worked anyway.

Now I'd like to get the same thing going with Samba 3.2.4. I'm able to join the samba server to the domain, and kinit an_account@MYDOMAIN.FOO.ORG works, but that's about it. Winbindd eats up all the CPU on one processor when I start it, and getent passwd fails to return any non-local accounts. Wbinfo -u sits for a long time and then fails with "Error looking up domain users". Looking at a packet dump, I see about a hojillion repeats of this:

    ...
    164 5.581492 ... RPC_NETLOGON DsrEnumerateDomainTrusts request
    165 5.581931 ... RPC_NETLOGON DsrEnumerateDomainTrusts response
    ...

My question: Is the following portion of the Official HOWTO up-to-date?

http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2597583

None of it mentions using "idmap config". I may be mistaken, but I don't see anything in the HOWTO about using "idmap config":

http://www.google.com/search?hl=en&q=inurl:Samba-HOWTO-Collection+"idmap+config"

Where should I look for definitive, up-to-date instructions for configuring this with Samba 3.2.4?

Thanks in advance.

-David

--
David Eisner http://cradle.brokenglass.com
David Eisner
2008-Nov-11 18:37 UTC
[Samba] Re: Configuring idmap for a Samba 3.2.4 AD member server
On Mon, Nov 10, 2008 at 3:42 PM, David Eisner <deisner@gmail.com> wrote:

> None of it mentions using "idmap config". I may be mistaken, but I
> don't see anything in the HOWTO about using "idmap config":
>
> http://www.google.com/search?hl=en&q=inurl:Samba-HOWTO-Collection+"idmap+config"
>
> Where should I look for definitive, up-to-date instructions for
> configuring this with Samba 3.2.4?

While I wait for an answer, an update on two discoveries:

1. High CPU for winbindd process

This appears to have happened because I had "winbind cache time = 0" in smb.conf. I set this to zero at some point to debug a previous problem. What happens with the cache time set to zero is that when winbindd's main() calls process_loop() in an infinite loop (which is normal), process_loop() in turn calls rescan_trusted_domains() many times per second. Normally this would just return without doing anything until the cache had expired, but with the cache time parameter set to zero, it queries the server, pegging the CPU and generating much network traffic.

I don't recall this setting causing a problem in the past. Perhaps a redesign of the process loop at some point is responsible. I think there should be a warning in the smb.conf man page cautioning against setting the winbind cache time to zero.

2. When I do a getent passwd, I see this in the winbindd log file:

    [2008/11/11 13:24:26, 0] winbindd/winbindd.c:(633)
      request_len_recv: Invalid request size received: 2088 (expected 2096)
    [2008/11/11 13:24:26, 0] winbindd/winbindd.c:(633)
      request_len_recv: Invalid request size received: 2088 (expected 2096)
    [2008/11/11 13:24:26, 0] winbindd/winbindd.c:(633)
      request_len_recv: Invalid request size received: 2088 (expected 2096)

Is this normal?

Thanks again.

-David

--
David Eisner http://cradle.brokenglass.com
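
The busy loop described in the message above, modelled as an added example (not part of the original post and not Samba's source code). The function names follow the post; the struct, the rate of 1000 loop iterations per second, the clock values and the clamped variant are assumptions made for illustration.

```c
#include <stdio.h>

/* Model only: function names follow the post; everything else is assumed. */
struct wb_model {
    long last_scan;        /* time of the last trust enumeration (seconds) */
    unsigned long queries; /* round trips to the domain controller */
};

/* Time gate as the post describes it: do nothing until the cache expires. */
static void rescan_trusted_domains(struct wb_model *m, long now, long cache_time)
{
    if (now - m->last_scan < cache_time)
        return;            /* never taken when cache_time == 0 */
    m->queries++;          /* stands in for DsrEnumerateDomainTrusts */
    m->last_scan = now;
}

/* Hypothetical hardening: enforce a floor on the rescan interval. */
#define MIN_RESCAN_INTERVAL 1
static void rescan_clamped(struct wb_model *m, long now, long cache_time)
{
    long interval = cache_time < MIN_RESCAN_INTERVAL ? MIN_RESCAN_INTERVAL
                                                     : cache_time;
    rescan_trusted_domains(m, now, interval);
}

/* Stand-in for process_loop(): iterate `rate` times per simulated second. */
unsigned long simulate(long cache_time, long seconds, long rate, int clamp)
{
    struct wb_model m = { 0, 0 };
    long start = 1000000;  /* constructed clock value, well past last_scan */

    for (long s = 0; s < seconds; s++)
        for (long i = 0; i < rate; i++) {
            if (clamp)
                rescan_clamped(&m, start + s, cache_time);
            else
                rescan_trusted_domains(&m, start + s, cache_time);
        }
    return m.queries;
}

int main(void)
{
    printf("cache time 300:        %lu queries\n", simulate(300, 10, 1000, 0));
    printf("cache time 0:          %lu queries\n", simulate(0, 10, 1000, 0));
    printf("cache time 0, clamped: %lu queries\n", simulate(0, 10, 1000, 1));
    return 0;
}
```

With a zero cache time the early return can never fire, so every loop iteration becomes a server query; a one-second floor brings the same run down to one query per second.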