Ralf Gross
2007-Jan-22 16:38 UTC
[Samba] winbind - timeouts in domain with >100000 domain users
Hi,

I'm trying out samba with winbind. The domain has >100000 users and I'm having some problems with the wbinfo and getent programs. The server is a domain member and running Debian etch (x86_64) with samba-3.0.23d.

    idmap uid = 70000-300000
    idmap gid = 70000-300000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template shell = /bin/false
    security = domain

    $ wbinfo -i emea\\ralfgro
    ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

    $ wbinfo -t
    checking the trust secret via RPC calls succeeded

    $ id -a ralfgro
    ...long timeout

    $ getent passwd
    [local unix users]
    ...long timeout

Sometimes I get back the list of domain users, but this happens only rarely. During these commands I can't connect to my shares with my domain account. Even the top and ps commands seem to hang.

    session setup failed: Call timed out: server did not respond after 20000 milliseconds

If I do an 'ls -l' in a directory with files that belong to a domain user, it sometimes takes ages to return the file list.

I have a local unix account ralfgro that has uid 50789 and a domain account that is mapped to uid 70000. If I now copy files to the server using smbclient they are created with my domain uid. If I create files with an editor on the local fs (vim) they have the uid of my unix account. Is this the way it should be? I ask this because an old server should be migrated to this new hardware and there are many unix accounts and much data that already belong to users. The old server has never been a member of this domain, only 'security = server' was used for authentication.

    /etc/passwd
    ralfgro:x:50789:50789::/home/ralfgro:/bin/sh

    $ wbinfo -i emea\\ralfgro
    ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

    $ ls -l /tmp/foo
    insgesamt 48
    -rw-r--r-- 1 ralfgro ralfgro          5 2007-01-22 14:13 test
    -rw-rw---- 1 ralfgro domain users 41180 2007-01-22 14:11 test2

    $ ls -ln /tmp/foo
    insgesamt 48
    -rw-r--r-- 1 50789 50789     5 2007-01-22 14:13 test
    -rw-rw---- 1 70000 70000 41180 2007-01-22 14:11 test2

Ralf
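The split ownership in the `ls -ln` output above (one file under 50789, one under 70000) is easy to audit before a migration. The following is an added example, not code from the thread or from Samba: it parses /etc/passwd lines and the passwd-style lines that `wbinfo -i DOMAIN\user` prints (both formats appear in the post), reports every user whose local uid differs from the winbind-assigned uid, and separately flags local uids that sit inside the idmap range, where winbind could hand the same number to an unrelated domain account. The sample account data is constructed; the ralfgro values are the ones quoted in the post, the "legacy" account is invented.

```python
"""Detect local/domain uid mismatches before a migration to winbind.

Added example for this thread, not code from the original posts or from
Samba. It parses two inputs that the thread already shows: /etc/passwd
lines and the passwd-style lines printed by `wbinfo -i DOMAIN\\user`
(name:passwd:uid:gid:gecos:home:shell in both cases). The sample data
below is constructed for illustration.
"""

from typing import Dict, List, NamedTuple, Optional, Tuple


class Account(NamedTuple):
    name: str
    uid: int
    gid: int


# Constructed sample: a local account file and the corresponding
# `wbinfo -i` output for the same user names. The ralfgro entries reuse
# the values quoted in the thread; "legacy" is invented.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ralfgro:x:50789:50789::/home/ralfgro:/bin/sh
legacy:x:70001:70001::/home/legacy:/bin/sh
"""

WBINFO_OUTPUT = """\
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false
legacy:*:70042:70000:Legacy, User:/home/EMEA/legacy:/bin/false
"""


def parse_passwd_line(line: str) -> Optional[Account]:
    """Parse one passwd-style line; None for blank, comment or malformed input.

    Only name, uid and gid are kept. The gecos field may contain commas
    ("Gross, Ralf") but never colons, so a plain split on ':' is safe.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:
        return None
    try:
        return Account(fields[0], int(fields[2]), int(fields[3]))
    except ValueError:
        return None


def parse_accounts(text: str) -> Dict[str, Account]:
    """Map user name -> Account for every well-formed line in `text`."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        acct = parse_passwd_line(line)
        if acct is not None:
            accounts[acct.name] = acct
    return accounts


def uid_mismatches(local: Dict[str, Account],
                   domain: Dict[str, Account]) -> List[Tuple[str, int, int]]:
    """(name, local_uid, domain_uid) for names present in both sets with
    different uids. These users own files under two uids, which is the
    split ownership seen in the `ls -ln` output in the thread."""
    return [(name, local[name].uid, domain[name].uid)
            for name in sorted(local)
            if name in domain and local[name].uid != domain[name].uid]


def local_uids_in_idmap_range(local: Dict[str, Account],
                              low: int, high: int) -> List[Tuple[str, int]]:
    """Local accounts whose uid falls inside the winbind idmap range.

    winbind hands out uids from that range to domain accounts, so a local
    uid inside it can end up shared with an unrelated domain user, giving
    one of them access to the other's files.
    """
    return [(name, acct.uid) for name, acct in sorted(local.items())
            if low <= acct.uid <= high]


def report(local_text: str, domain_text: str, low: int, high: int) -> dict:
    """Run both checks and return the findings as a dict."""
    local = parse_accounts(local_text)
    domain = parse_accounts(domain_text)
    return {
        "mismatches": uid_mismatches(local, domain),
        "in_idmap_range": local_uids_in_idmap_range(local, low, high),
    }


if __name__ == "__main__":
    # idmap uid = 70000-300000, as in the thread's smb.conf
    findings = report(LOCAL_PASSWD, WBINFO_OUTPUT, 70000, 300000)
    for name, luid, duid in findings["mismatches"]:
        print(f"{name}: local uid {luid} != domain uid {duid}")
    for name, uid in findings["in_idmap_range"]:
        print(f"{name}: local uid {uid} lies inside the idmap range")
```

On a real server the two inputs would come from `/etc/passwd` and from running `wbinfo -i` for each local user name; the checks themselves are pure string processing, so they can be run offline against copies of that output before any file ownership is changed.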
Gerald (Jerry) Carter
2007-Jan-22 17:05 UTC
[Samba] winbind - timeouts in domain with >100000 domain users
Ralf Gross wrote:
> Hi,
>
> I'm trying out samba with winbind. The domain has >100000 users and
> I'm having some problems with the wbinfo and getent programs. The
> server is a domain member and running Debian etch (x86_64) with
> samba-3.0.23d.
>
> idmap uid = 70000-300000
> idmap gid = 70000-300000
> winbind enum users = yes
> winbind enum groups = yes

Is there any real reason that you have these enabled?

jerry
Adam Nielsen
2007-Jan-23 03:59 UTC
[Samba] winbind - timeouts in domain with >100000 domain users
> Sometimes I get back the list of domain users, but this happens only
> rarely. During these commands I can't connect to my shares with my
> domain account. Even the top and ps commands seem to hang.

> security = domain

I had this same issue with security=domain. Changing to security=ads fixed the problem. It seems that domain mode requires a complete list of users, whereas ads mode is quite happy to look up single users as and when required.

I also found that security=domain would not reliably detect changes to group membership. Sometimes reloading winbind would bring the changes through, sometimes it wouldn't. Again, changing to security=ads fixed this.

> I have a local unix account ralfgro that has uid 50789 and a domain
> account that is mapped to uid 70000.

So ralfgro == 50789 and domain == 70000

> If I now copy files to the server using smbclient they are created
> with my domain uid.

Correct, as smbclient is connecting with uid 70000.

> If I create files with an editor on the local fs (vim) they have the
> uid of my unix account.

Correct, assuming you're logged on as ralfgro at the time.

> Is this the way it should be? I ask this because an old server
> should be migrated to this new hardware and there are many unix
> accounts and much data that already belong to users. The old server
> has never been a member of this domain, only 'security = server' was
> used for authentication.

The only way you can "fix" this is to make sure that each domain account is mapped to the same UID as the local user. There are a number of ways of doing this, check the Samba manual for details.

It may be easier to use SMB for authentication as well, so that the UNIX users no longer log in with their local username, but the SMB username (which in your case would mean you'd be logging on with UID 70000.) This way you wouldn't need to manually map any domain accounts to UIDs.

Cheers,
Adam.
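Putting Jerry's point (enumeration is not needed) and Adam's (security = ads looks users up one at a time) together, the [global] section below is an added example of how the settings quoted in the first post would change. It is not the original poster's configuration; `workgroup = EMEA` is taken from the `emea\ralfgro` name used in the thread, and `EXAMPLE.CORP` is a placeholder for the domain's Kerberos realm, which `security = ads` requires.

```ini
# Added example smb.conf fragment for this thread, not the original poster's
# configuration. Only the lines that differ from the settings quoted in the
# thread are shown, plus the realm line that security = ads needs.
[global]
   workgroup = EMEA
   # EXAMPLE.CORP is a placeholder; use the Kerberos realm of the domain.
   realm = EXAMPLE.CORP
   # ads mode resolves single users on demand instead of needing the full list
   security = ads

   idmap uid = 70000-300000
   idmap gid = 70000-300000
   winbind use default domain = yes
   template shell = /bin/false

   # Enumeration walks every account in the domain on each `getent passwd`
   # or `getent group`; with >100000 users that is the long timeout seen in
   # the thread. Per-user lookups (`id <name>`, `getent passwd <name>`, the
   # owner column of `ls -l`) do not need it.
   winbind enum users = no
   winbind enum groups = no
```

Switching to ads mode means the host must have a working /etc/krb5.conf for that realm and must be joined with `net ads join` (rather than `net rpc join`) before winbindd is restarted; `wbinfo -t` from the thread is still the quick check that the machine trust works afterwards. With enumeration off, `getent passwd` without an argument will only list local accounts, which is expected behaviour, not a regression.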