Rowland Penny
2019-Feb-24 15:42 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, 24 Feb 2019 15:58:39 +0100 Ralph Böhme <slow at samba.org> wrote:

> On 24.02.2019 at 12:46, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > Seen where ? and how ?
>
> one problem is that, by design, as a domain member, it makes us
> behave different compared to a Windows system. Hic sunt dracones.

Why not just say 'here be dragons' instead of using a dead language.
Yes we do behave a bit different from Windows, even more so when we do stupid things like introducing 'unix_primary_group = yes'.

> Another thing that a customer has just been bitten by, was a subtle
> bug in winbindd's idmap cache that resulted in all xid2sid requests
> going through the idmap backend, iow winbindd issued LDAP requests.
> With a few thousand users, things came to a grinding halt.
>
> https://bugzilla.samba.org/show_bug.cgi?id=13802
>
> Patch just landed upstream.
>
> -slow

That is the bug I was referring to and probably (amongst all the other cruft) what was causing the OP's problem. However, this has nothing to do with using the 'ad' backend with Active Directory. We keep dancing around this problem, saying things like 'we need to fix this', we have been saying this since Samba 4 was released.

Windows Uses the SID-RID to identify the user and the domain it comes from, surely we can find a way to do this for Samba, we are half way there with the 'rid' backend.

Rowland
On 24.02.2019 at 16:42, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 24 Feb 2019 15:58:39 +0100 Ralph Böhme <slow at samba.org> wrote:
>> Another thing that a customer has just been bitten by, was a subtle
>> bug in winbindd's idmap cache that resulted in all xid2sid requests
>> going through the idmap backend, iow winbindd issued LDAP requests.
>> With a few thousand users, things came to a grinding halt.
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=13802
>>
>> Patch just landed upstream.
>
> That is the bug I was referring to and probably (amongst all the other
> cruft) what was causing the OP's problem.

Unlikely.

> However, this has nothing to
> do with using the 'ad' backend with Active Directory. We keep dancing
> around this problem, saying things like 'we need to fix this', we
> have been saying this since Samba 4 was released.

Which problem? Fix what? Been saying what?

> Windows Uses the SID-RID to identify the user and the domain it
> comes from, surely we can find a way to do this for Samba, we are
> half way there with the 'rid' backend.

I'm not really what "there" implies for you, but it seems idmap_autorid is eventually the backend that takes you "there". :)

-slow
Rowland Penny
2019-Feb-24 17:48 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, 24 Feb 2019 18:28:43 +0100 Ralph Böhme <slow at samba.org> wrote:

> On 24.02.2019 at 16:42, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Sun, 24 Feb 2019 15:58:39 +0100 Ralph Böhme <slow at samba.org>
> > wrote:
> >> Another thing that a customer has just been bitten by, was a subtle
> >> bug in winbindd's idmap cache that resulted in all xid2sid requests
> >> going through the idmap backend, iow winbindd issued LDAP requests.
> >> With a few thousand users, things came to a grinding halt.
> >>
> >> https://bugzilla.samba.org/show_bug.cgi?id=13802
> >>
> >> Patch just landed upstream.
> >
> > That is the bug I was referring to and probably (amongst all the
> > other cruft) what was causing the OP's problem.
>
> Unlikely.

It is what I thought, but as the OP's setup is so convoluted, it is hard to say.

> > However, this has nothing to
> > do with using the 'ad' backend with Active Directory. We keep
> > dancing around this problem, saying things like 'we need to fix
> > this', we have been saying this since Samba 4 was released.
>
> Which problem? Fix what? Been saying what?

There have been numerous discussions about the 'ad' backend over the years and they have all gone nowhere. The 'ad' backend still works in the same way as it did when Samba 4 was released and you still have to store the next uidNumber & gidNumber outside AD if you use the Samba tools.

> > Windows Uses the SID-RID to identify the user and the domain it
> > comes from, surely we can find a way to do this for Samba, we are
> > half way there with the 'rid' backend.
>
> I'm not really what "there" implies for you, but it seems
> idmap_autorid is eventually the backend that takes you "there". :)

No it doesn't, at the moment, the only way to get the same ID on all Unix machines (this includes DC's) is to use the 'ad' backend. You think autorid is the way forward, well sorry, but in my opinion, it isn't.

Rowland