Gibbings, Kevan
2007-Nov-22 19:18 UTC
[Samba] Solaris 9 Winbind "ls -l" hangs - group mapping
OS Solaris 5.9 (9) Generic_122300-13 (clean build)
nscd daemon has been disabled and is not running
No NIS or NISPLUS

Samba Version 3.0.26a
Compiled using the following options: --with-acl-support -with-winbind -with-pam

smbd, nmbd & winbind daemons are all started

    [global]
    workgroup = MTCB2
    security = domain

    log level = 3
    log file = /usr/local/samba/var/samba.log.%U
    max log size = 20000
    ldap ssl = no

    wins server = 172.26.175.1
    dns proxy = yes
    name resolve order = wins bcast host

    idmap uid = 10000-20000
    idmap gid = 1000-2000

    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /usr/people/winnt/%D/%U
    template shell = /bin/csh

    [data]
    comment = Data
    path = /data
    valid users = @"MTCB2\domain users"
    browseable = yes
    available = yes
    read only = No

Requirement: Use winbind to authenticate XP clients.

Domain: Windows 2003 (Domain functional level 2000 native)

nsswitch.conf

    passwd: files winbind
    group: files winbind

I have compiled, configured and installed Samba on a test network. I have joined the Samba server as a domain member on to the Windows 2003 domain and I can list all the users and groups in the domain using wbinfo -u and groups using wbinfo -g. I can also list all the users using "getent passwd", but when I run the command "getent group" I only get one of the domain groups returned.

I can log on to an XP client, access the shares on the Samba server and create files, folders etc. I can list these files on the UNIX server using "ls", but if I try and use "ls -l" the command just hangs. Also "smbstatus" hangs if there are any files open.

If I remove the winbind from the group entry in the nsswitch.conf file then I can list the contents of the folders; obviously the group names do not appear but the domain usernames do. I can then also get a from "smbstatus"; again all group names are shown as their mapped ID.

Authentication is very quick, there just seems to be a problem with group mapping.

I followed the instructions on this web page to install and configure.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id412113

Other tests carried out

    smbclient -L hostname
    nmblookup -B ip_addr __SAMBA__
    nmblookup -N ip_addre "*"
    nmblookup -M DOMAIN

The gid range does not clash with existing groups and I cannot see any errors in the log files.

All give normal output.

Any ideas?

Regards
Kevan Gibbings
System Engineer
SAIC Motor UK Technical Centre Ltd
I removed winbind from the group entry in /etc/nsswitch.conf; otherwise the ssh session would time out and lose the connection. In this way, Samba still works. Samba can still use domain groups and domain users to grant access. Only "getent group domain_group" doesn't work.

Cheers
Junmin
Gibbings, Kevan
2007-Nov-23 09:37 UTC
[Samba] Solaris 9 Winbind "ls -l" hangs - group mapping
Thanks for your reply. I have got a stage further with this problem and discovered it is a timeout issue.

"getent group" only returns the first group, "Domain Admins". The next group in the list is "Domain Users"; this group has over 573 members (all users). As this is a test domain, I proved this by deleting the majority of users, and "getent groups" then returns all the group names. I can further prove this by listing some of the other groups by name, i.e.

    getent group "Domain\design"

This works fine and returns all the users.

I recreated the users (scripted!!) and getent groups fails again. But I have found that by deleting just 40 members all groups are listed.

Not sure where to go from here. I think this must be a Solaris issue, a timeout somewhere? A limitation of the number of users in a group? I think I can get round this issue by forcing the files to be created on the Samba share as one particular group. But I would rather solve the problem!

I have found similar references on other sites, but no solution. This could be a problem with the ldap client, but the client is not configured or running on my Solaris install. If it could be, how do I configure the ldap client on Solaris?

Regards
Kevan Gibbings

-----Original Message-----
From: herman [mailto:herman@aeronetworks.ca]
Sent: 23 November 2007 06:20
To: Gibbings, Kevan
Subject: Re: [Samba] Solaris 9 Winbind "ls -l" hangs - group mapping

Solaris...

Review your hostname definition carefully. Ensure that the FQDN is defined and that it maps to the correct IP address. Test it with nslookup. Solaris can get very cranky if there is something wrong with this.

Also review the ldap configuration. It can be the ldap configuration that causes the delay. Test an ldap query against ADS manually.

Cheers,
H.
Gibbings, Kevan
2007-Nov-27 14:38 UTC
[Samba] Solaris 9 Winbind "ls -l" hangs - group mapping
Found the answer to the problem, I think!

When listing the groups from the Solaris server with "getent group", I believe there is a maximum length of string that "getent" can handle. I have proved this by configuring a new test domain with its NetBIOS name only 2 characters long (the old one was 5). I then recreated all the users (scripted!!) and "getent group" can now return a full list of groups.

This means that it is not the number of users; it is the length of string returned. I have taken this one step further and created an extra 500 users, and again "getent group" fails to list the "Domain Users" group.

We have a contract with Sun, so I will report it as a bug. I have checked the latest patches, but no joy.

Regards
Kevan Gibbings
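Added example, not part of the thread: a small shell check that measures how long each group entry is once every member carries its DOMAIN\ prefix, which is the quantity the last message points at. The function names, the user0001-style member names and the 8192-character LIMIT are all assumptions made for illustration; the thread does not state the real limit.

```shell
#!/bin/sh
# Assumed budget for one group entry, in characters. Placeholder only:
# the thread never states the actual limit on the Solaris host.
LIMIT=${LIMIT:-8192}

# make_group DOMAIN GROUP GID COUNT
# Print one constructed entry in getent(1) group format whose COUNT members
# are named DOMAIN\user0001, DOMAIN\user0002, ... (constructed names).
# DOMAIN and GROUP must not contain backslashes (awk -v would expand them).
make_group() {
    LC_ALL=C awk -v d="$1" -v g="$2" -v gid="$3" -v n="$4" 'BEGIN {
        bs = "\\"                                  # a single backslash
        printf "%s%s%s:x:%s:", d, bs, g, gid
        for (i = 1; i <= n; i++)
            printf "%s%s%suser%04d", (i > 1 ? "," : ""), d, bs, i
        printf "\n"
    }'
}

# report_groups
# Read group entries (name:passwd:gid:member,member,...) on stdin and print
# one tab-separated line per entry: name, member count, entry length, and
# OVER when the entry is longer than LIMIT, otherwise ok.
report_groups() {
    LC_ALL=C awk -F: -v limit="$LIMIT" '{
        members = ($4 == "") ? 0 : split($4, m, ",")
        status  = (length($0) > limit) ? "OVER" : "ok"
        printf "%s\t%d\t%d\t%s\n", $1, members, length($0), status
    }'
}

# Constructed input following the thread: a 5-character domain name with
# 573 members and with 40 fewer, then a 2-character domain name with 573
# members and with 500 more.
{
    make_group MTCB2 "Domain Users" 1001 573
    make_group MTCB2 "Domain Users" 1001 533
    make_group TD    "Domain Users" 1001 573
    make_group TD    "Domain Users" 1001 1073
} | report_groups
```

Feed report_groups real entries in place of the constructed lines to see which groups are closest to whatever limit applies on the host.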