L.P.H. van Belle
2019-Jan-17 16:13 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hi Marco,

Maybe the winbind cache time is set too low for this.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Thursday 17 January 2019 15:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > Your Exim is not complaining about users, but is complaining about a non deliverable message,
> > due to not reaching the destination ip address. ( Unrouteable address )
>
> No, it's an ACL that replies 'Unroutable address' for non-existent users.
> Don't help spammers to find useful addresses. ;-)
Marco Gaiarin
2019-Jan-18 09:02 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hello! L.P.H. van Belle via samba
On that day it was said...

> Maybe the winbind cache time is set too low for this.

OK. But this still looks strange/dangerous to me. Two 'open points':

1) It seems to me that there are many 'cache time' parameters:

 + idmap cache time, default 604800 (one week); seems related only to SID<->GID/UID queries, so unrelated here.

 + winbind cache time, default 300 (5 minutes); this seems to be the parameter I need to tackle.

 But... HOW does that cache work? Is there a 'negative' timeout also? Or does it simply cache data and use the cached data if all DCs are not available?

2) In my network I have 7 DCs. Tearing down the main switch, I surely disconnected all the remote DCs. But I still have two local ones, one of them on the same physical Proxmox server as the DM member that lost cache. So it could be reachable!!

 I suppose that a DM will try to contact *all* DCs (at first glance, the same-site DC; after that, all available DCs), right?

 Are there some things I can do to make sure the DCs are alive and kicking?

Ah, DM are 4.8.8+nmu-1~deb9, your packages.

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
L.P.H. van Belle
2019-Jan-18 09:41 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hi Marco,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 18 January 2019 10:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > Maybe the winbind cache time is set too low for this.
>
> OK. But this still looks strange/dangerous to me. Two 'open points':
>
> 1) It seems to me that there are many 'cache time' parameters:
>
> + idmap cache time, default 604800 (one week); seems related only to SID<->GID/UID queries, so unrelated here.
>
> + winbind cache time, default 300 (5 minutes); this seems to be the parameter I need to tackle.
>
> But... HOW does that cache work? Is there a 'negative' timeout also? Or does it simply cache data and use the cached data if all DCs are not available?

Poe, this I don't know, I don't know all the code...
Rowland, do you know this?

> 2) In my network I have 7 DCs. Tearing down the main switch, I surely disconnected all the remote DCs. But I still have two local ones, one of them on the same physical Proxmox server as the DM member that lost cache. So it could be reachable!!

Does Proxmox allow routing internally? This I don't know.
Simple test: pull the cable out of the Proxmox host server, then ping these 2 VM servers within Proxmox.
Can you test this?

> I suppose that a DM will try to contact *all* DCs (at first glance, the same-site DC; after that, all available DCs), right?
>
> Are there some things I can do to make sure the DCs are alive and kicking?

Can you show the output of:
dig your.domain.tld

> Ah, DM are 4.8.8+nmu-1~deb9, your packages.

Ah, good to see you are 4.8.8 now :-)
Rowland Penny
2019-Jan-18 09:59 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Fri, 18 Jan 2019 10:41:10 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi Marco,
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> > Sent: Friday 18 January 2019 10:03
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
> >
> > Hello! L.P.H. van Belle via samba
> > On that day it was said...
> >
> > > Maybe the winbind cache time is set too low for this.
> >
> > OK. But this still looks strange/dangerous to me. Two 'open points':
> >
> > 1) It seems to me that there are many 'cache time' parameters:
> >
> > + idmap cache time, default 604800 (one week); seems related only to SID<->GID/UID queries, so unrelated here.
> >
> > + winbind cache time, default 300 (5 minutes); this seems to be the parameter I need to tackle.
> >
> > But... HOW does that cache work? Is there a 'negative' timeout also? Or does it simply cache data and use the cached data if all DCs are not available?
> Poe, this I don't know, I don't know all the code...
> Rowland, do you know this?

No, I have never had to mess with this, but 'man smb.conf' says this:

    This parameter specifies the number of seconds the winbindd(8) daemon
    will cache user and group information before querying a Windows NT
    server again.

It looks like you reduce the time to make the cache refresh more often and increase it to make the cache last longer. I would presume setting it to '0' would make winbind query the server without using the cache, but this is just a guess.

Rowland
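Added example (not part of the thread and not Samba's own tooling): a shell helper that reports the values in effect for the two cache parameters named above, falling back to the defaults quoted in the thread (300 and 604800 seconds) when smb.conf does not set them. The sample configuration and the function names `smb_global_param` and `cache_report` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the winbind/idmap cache timeouts in effect.

# Constructed sample of a domain member's smb.conf (not from the thread).
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   security = ADS
   ; previous value, commented out
   # winbind cache time = 60
   Winbind Cache Time = 900
[share]
   path = /srv/share
'

# smb_global_param NAME DEFAULT
# Reads smb.conf text on stdin and prints the [global] value of NAME, or
# DEFAULT when it is not set. smb.conf ignores case and whitespace in
# section and parameter names, so names are normalised before comparing.
smb_global_param() {
    awk -v want="$1" -v dflt="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want); val = dflt; in_global = 0 }
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/ { in_global = (norm($0) == "[global]"); next }
        in_global && index($0, "=") {
            eq = index($0, "=")
            if (norm(substr($0, 1, eq - 1)) == want) {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val)
                sub(/[ \t\r]+$/, "", val)
            }
        }
        END { print val }'
}

# cache_report: one-line summary; defaults are the ones quoted in the thread.
cache_report() {
    conf=$(cat)
    wct=$(printf '%s\n' "$conf" | smb_global_param "winbind cache time" 300)
    ict=$(printf '%s\n' "$conf" | smb_global_param "idmap cache time" 604800)
    printf 'winbind cache time=%s idmap cache time=%s\n' "$wct" "$ict"
}

printf '%s' "$SAMPLE_CONF" | cache_report
```

On a live member, `testparm -s 2>/dev/null | cache_report` feeds it the parsed configuration; `wbinfo --ping-dc` and `wbinfo --online-status` then show whether winbind currently reaches a DC.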
L.P.H. van Belle
2019-Jan-18 10:37 UTC
[Samba] Winbind, cached logons and 'user persistency'...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday 18 January 2019 11:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
>
> On Fri, 18 Jan 2019 10:41:10 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hi Marco,
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> > > Sent: Friday 18 January 2019 10:03
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
> > >
> > > Hello! L.P.H. van Belle via samba
> > > On that day it was said...
> > >
> > > > Maybe the winbind cache time is set too low for this.
> > >
> > > OK. But this still looks strange/dangerous to me. Two 'open points':
> > >
> > > 1) It seems to me that there are many 'cache time' parameters:
> > >
> > > + idmap cache time, default 604800 (one week); seems related only to SID<->GID/UID queries, so unrelated here.
> > >
> > > + winbind cache time, default 300 (5 minutes); this seems to be the parameter I need to tackle.
> > >
> > > But... HOW does that cache work? Is there a 'negative' timeout also? Or does it simply cache data and use the cached data if all DCs are not available?
> > Poe, this I don't know, I don't know all the code...
> > Rowland, do you know this?
>
> No, I have never had to mess with this, but 'man smb.conf' says this:
>
>     This parameter specifies the number of seconds the winbindd(8) daemon
>     will cache user and group information before querying a Windows NT
>     server again.
>
> It looks like you reduce the time to make the cache refresh more often and increase it to make the cache last longer. I would presume setting it to '0' would make winbind query the server without using the cache, but this is just a guess.
>
> Rowland

Maybe https://wiki.debian.org/LDAP/NSS is a better solution for the mailserver.

But personally, the mail server should have replied with a better NDR.
Like: 4.4.1 The recipient's server is not responding, so something like that.

If it was my server, I would fix the mail setup, not Samba.
I just can't tell much about Exim, I prefer Postfix.

But this link might help, it shows a lot; maybe it helps reviewing the setup and adding improvements.
https://bitlair.nl/Projects/Mailserver_with_Debian,_Exim,_spamassassin,_greylistd,_DKIM,_SRS,_SPF,_DMARC,_forwarding,_LDAP,_dovecot,_LMTP,_disk_crypto

I've about the same but in a Postfix setup.

Greetz,

Louis