Rowland Penny
2019-Feb-26 13:32 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Tue, 26 Feb 2019 12:49:42 +0100 Ralph Böhme via samba <samba at lists.samba.org> wrote:

> On Tue, Feb 26, 2019 at 12:45:45PM +0100, Björn JACKE via samba wrote:
> >On 2019-02-25 at 11:32 +0000 Rowland Penny via samba sent off:
> >> > (I take it xid stands for both uid and gid?)
> >>
> >> No, I think it was chosen to differentiate them from uidNumber &
> >> gidNumber attributes, they are similar but not the same. They also
> >> only exist on DC's
> >
> >in Windows the owner of a file can be a group.
> >
> >In the unix world the main owner is always a user.
> >
> >To reflect the fact that the owner can be a group also, winbind
> >can assign both a mapped uid number and a gid number for Windows
> >users and groups, both uid and gid have the same value and are the
> >xid. That way Samba can also assign the ownership of files to a
> >group. The idmap backend has to be able to support XID though, not
> >all idmap backends do so.
>
> in particular idmap_autorid, idmap_rid and idmap_script support this
> so called mode, idmap_ad doesn't.
>
> -slow

I take it that xid is used internally by Samba to identify calculated IDs, because the only place a normal user will come across them is in idmap.ldb. If this is correct, then it doesn't really matter that idmap_ad doesn't support them, because uidNumber & gidNumber replace them.

From a user's point of view, the only way to get an experience similar to Windows is to use idmap_ad.

Rowland
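Added example (not part of the thread and not Samba code): a small Python check over an LDIF dump of idmap.ldb that expands each mapping into the Unix ID spaces it occupies, with a BOTH-type xid taking the same number as uid and gid, and flags any number claimed by more than one SID. The record layout (`objectClass: sidMap`, `objectSid`, `type`, `xidNumber`) is assumed to match what `ldbsearch` prints for idmap.ldb on a DC; the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample in the assumed ldbsearch LDIF shape (SIDs and numbers are made up).
SAMPLE_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 3000001

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_UID
xidNumber: 3000000
"""

def parse_sidmap(ldif):
    """Return a list of (sid, id_type, xid) for every sidMap record."""
    records = []
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs.get("objectClass") == "sidMap":
            records.append((attrs["objectSid"], attrs["type"], int(attrs["xidNumber"])))
    return records

def unix_ids(id_type):
    """Which Unix ID spaces a mapping occupies: BOTH takes the uid and the gid."""
    return {"ID_TYPE_UID": {"uid"}, "ID_TYPE_GID": {"gid"},
            "ID_TYPE_BOTH": {"uid", "gid"}}[id_type]

def find_collisions(records):
    """Report (space, number) pairs claimed by more than one SID."""
    owners = defaultdict(list)
    for sid, id_type, xid in records:
        for space in unix_ids(id_type):
            owners[(space, xid)].append(sid)
    return {key: sids for key, sids in owners.items() if len(sids) > 1}

if __name__ == "__main__":
    for (space, xid), sids in find_collisions(parse_sidmap(SAMPLE_LDIF)).items():
        print(f"{space} {xid} is shared by {', '.join(sids)}")
```

In the constructed sample the BOTH-type mapping for S-1-5-32-544 already occupies uid 3000000, so the separate UID-type record with the same number is reported as a collision, while gid 3000000 and gid 3000001 each have a single owner.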
On Tue, Feb 26, 2019 at 01:32:51PM +0000, Rowland Penny wrote:

>On Tue, 26 Feb 2019 12:49:42 +0100 Ralph Böhme wrote:
>> On Tue, Feb 26, 2019 at 12:45:45PM +0100, Björn JACKE via samba wrote:
>> >To reflect the fact that the owner can be a group also, winbind
>> >can assign both a mapped uid number and a gid number for Windows
>> >users and groups, both uid and gid have the same value and are the
>> >xid. That way Samba can also assign the ownership of files to a
>> >group. The idmap backend has to be able to support XID though, not
>> >all idmap backends do so.
>>
>> in particular idmap_autorid, idmap_rid and idmap_script support this
>> so called mode, idmap_ad doesn't.
>
>I take it that xid is used internally by Samba to identify calculated
>ID's, because the only place a normal user will come across them is in
>idmap.ldb. If this is correct, then it doesn't really matter that
>idmap_ad doesn't support them, because uidNumber & gidNumber replaces
>them.

Iirc it matters: I guess SID history will not work with idmap_ad.

>From a users point of view, the only way to get an experience similar
>to Windows is to use idmap_ad.

From a certain perspective: maybe. But that's a generalisation, I wouldn't go over that bridge.

Again: for many fileserver scenarios you're better using idmap_autorid.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
Rowland Penny
2019-Feb-26 14:44 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Tue, 26 Feb 2019 15:18:35 +0100 Ralph Böhme <slow at samba.org> wrote:

> On Tue, Feb 26, 2019 at 01:32:51PM +0000, Rowland Penny wrote:
> >On Tue, 26 Feb 2019 12:49:42 +0100 Ralph Böhme wrote:
> >> On Tue, Feb 26, 2019 at 12:45:45PM +0100, Björn JACKE via samba
> >> wrote:
> >> >To reflect the fact that the owner can be a group also, winbind
> >> >can assign both a mapped uid number and a gid number for Windows
> >> >users and groups, both uid and gid have the same value and are the
> >> >xid. That way Samba can also assign the ownership of files to a
> >> >group. The idmap backend has to be able to support XID though, not
> >> >all idmap backends do so.
> >>
> >> in particular idmap_autorid, idmap_rid and idmap_script support
> >> this so called mode, idmap_ad doesn't.
> >
> >I take it that xid is used internally by Samba to identify calculated
> >ID's, because the only place a normal user will come across them is
> >in idmap.ldb. If this is correct, then it doesn't really matter that
> >idmap_ad doesn't support them, because uidNumber & gidNumber replaces
> >them.
>
> Iirc it matters: I guess SID history will not work with idmap_ad.

If it doesn't and should, then it needs fixing.

> >From a users point of view, the only way to get an experience similar
> >to Windows is to use idmap_ad.
>
> From a certain perspective: maybe. But that's a generalisation, I
> wouldn't go over that bridge.

Where I live, you cannot get out of town without going over a bridge ;-)

> Again: for many fileserver scenarios you're better using
> idmap_autorid.

I do wish people would stop talking about 'fileservers', to me this means a standalone server. In AD you have domain members, either Unix or Windows and they should work in a similar way. Your approach seems to be based on nobody using a Samba Unix domain member as a workstation and only using them as somewhere to store files etc i.e. a glorified NAS

Rowland