Zhuchenko Valery
2016-Nov-24 13:26 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
Hi, all!

When I launch (again and again)
smbcacls "//myfileserver/share" "" -U user -W domain
or
smbclient "//myfileserver/share" -U user -W domain -c "ls",
in tcpdump output at myfileserver I see multiple calls to controller via
ldap, therefore these commands are executed slowly.

When I run getent groups at myfileserver, all worked fine, and tcpdump
output is empty.
Help me please, where I'm wrong?

Best regards, Valery.

smbd -V
Version 4.2.10

My winbind settings:
testparm -s |grep winbind
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 10
    winbind refresh tickets = Yes

    security = ads
    idmap config * : range = 16777216-33554431
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 100-20000
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

/etc/nsswitch.conf
    passwd: compat winbind
    group: compat winbind

grep -r winbind /etc/pam.d
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:password sufficient pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:password sufficient pam_winbind.so use_authtok

Zhuchenko Valery
2016-Nov-28 05:27 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
I think, the reason is some files acls, which contain uid or gid, absent
in the domain.

How to make so that winbindd in this case every time didn't connect with
controller, but only periodically update data, using parameters winbind
cache time and idmap negative cache time?

I think so because in logs I see these strings:
...host has no idea of uid ...
...Connected to LDAP server...

[2016/11/27 15:02:01.120598, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:01.120859, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:01.122042, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=DOMAIN
[2016/11/27 15:02:01.122161, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list:....
..........
[2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server
[2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server

24.11.2016 17:26, Zhuchenko Valery via samba:
> Hi, all!
>
> When I launch (again and again)
> smbcacls "//myfileserver/share" "" -U user -W domain
> or
> smbclient "//myfileserver/share" -U user -W domain -c "ls",
> in tcpdump output at myfileserver I see multiple calls to controller via
> ldap, therefore these commands are executed slowly.
>
> When I run getent groups at myfileserver, all worked fine, and tcpdump
> output is empty.
> Help me please, where I'm wrong?
>
> Best regards, Valery.
>
> smbd -V
> Version 4.2.10
>
> My winbind settings:
> testparm -s |grep winbind
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind expand groups = 10
>     winbind refresh tickets = Yes
>
>     security = ads
>     idmap config * : range = 16777216-33554431
>     idmap config DOMAIN:backend = ad
>     idmap config DOMAIN:schema_mode = rfc2307
>     idmap config DOMAIN:range = 100-20000
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
> /etc/nsswitch.conf
>     passwd: compat winbind
>     group: compat winbind
>
> grep -r winbind /etc/pam.d
> /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/system-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so
> use_authtok
> /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/password-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so
> use_authtok

Zhuchenko Valery
2016-Nov-28 10:53 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
Hi, all

Replacement of the owner (when no user corresponds to file's numeric user
ID) or group replacement (when no group corresponds to file's numeric
group ID) solves a problem (partially).

Check files before changes, and, maybe save results:
find "/samba/dir1" \( -nouser -or -nogroup \) -printf "%u:%g:%p\n">saved

Replacements (in my case, perhaps, it is better to select others the
owner and group)
find "/samba/dir1" -nouser -exec chown root "{}" \;
find "/samba/dir1" -nogroup -exec chgrp root "{}" \;

Or, if there is no opportunity to make changes, how to tell winbindd to
read periodically updated caches only?
I don't know how to do it.

Best regards, Valery

28.11.2016 09:27, Zhuchenko Valery via samba:
> I think, the reason is some files acls, which contain uid or gid, absent
> in the domain.
>
> How to make so that winbindd in this case every time didn't connect with
> controller, but only periodically update data, using parameters winbind
> cache time and idmap negative cache time?
>
> I think so because in logs I see these strings:
> ...host has no idea of uid ...
> ...Connected to LDAP server...
>
> [2016/11/27 15:02:01.120598, 4]
> ../source3/winbindd/winbindd_dual.c:1387(child_handler)
>   child daemon request 59
> [2016/11/27 15:02:01.120859, 4]
> ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
>   pdb_default_uid_to_sid: host has no idea of uid 3677
> [2016/11/27 15:02:01.122042, 4]
> ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
>   ads_dc_name: domain=DOMAIN
> [2016/11/27 15:02:01.122161, 3]
> ../source3/libsmb/namequery.c:3133(get_dc_list)
>   get_dc_list: preferred server list:....
> ..........
> [2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect)
>   Successfully contacted LDAP server
> [2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect)
>   Connected to LDAP server
>
> 24.11.2016 17:26, Zhuchenko Valery via samba:
>> Hi, all!
>>
>> When I launch (again and again)
>> smbcacls "//myfileserver/share" "" -U user -W domain
>> or
>> smbclient "//myfileserver/share" -U user -W domain -c "ls",
>> in tcpdump output at myfileserver I see multiple calls to controller via
>> ldap, therefore these commands are executed slowly.
>>
>> When I run getent groups at myfileserver, all worked fine, and tcpdump
>> output is empty.
>> Help me please, where I'm wrong?
>>
>> Best regards, Valery.
>>
>> smbd -V
>> Version 4.2.10
>>
>> My winbind settings:
>> testparm -s |grep winbind
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind expand groups = 10
>>     winbind refresh tickets = Yes
>>
>>     security = ads
>>     idmap config * : range = 16777216-33554431
>>     idmap config DOMAIN:backend = ad
>>     idmap config DOMAIN:schema_mode = rfc2307
>>     idmap config DOMAIN:range = 100-20000
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>> /etc/nsswitch.conf
>>     passwd: compat winbind
>>     group: compat winbind
>>
>> grep -r winbind /etc/pam.d
>> /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so
>> use_first_pass
>> /etc/pam.d/system-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so
>> use_authtok
>> /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so
>> use_first_pass
>> /etc/pam.d/password-auth-ac:account [default=bad success=ok
>> user_unknown=ignore] pam_winbind.so
>> /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so
>> use_authtok

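Added example (not part of the original posts, and not Samba code): find -nouser / -nogroup only tests a file's owner and group, so numeric IDs that survive inside POSIX ACL entries are missed. The sketch below parses `getfacl -n` output and reports every uid/gid that does not resolve; the sample text, the paths in it and the function names are constructed for illustration.

```python
import grp
import pwd
import re

# Constructed, trimmed sample of `getfacl -n -R` output; uid 3677 is the one
# named in the winbindd log in the thread, everything else is made up.
SAMPLE = """\
# file: samba/dir1/report.doc
# owner: 3677
# group: 100
user::rw-
user:3677:rw-
group:20001:r-x
mask::rwx
other::---

# file: samba/dir1/sub
# owner: 0
# group: 0
default:user:4100:rwx
"""

HEADER = re.compile(r"^# (owner|group): (\d+)$")
ENTRY = re.compile(r"^(?:default:)?(user|group):(\d+):")

def _nss_known(kind, num):
    """True if NSS (and so winbind, when configured) can resolve the ID."""
    try:
        (pwd.getpwuid if kind == "user" else grp.getgrgid)(num)
        return True
    except KeyError:
        return False

def orphaned_ids(getfacl_text, known=_nss_known):
    """Map each path to the sorted (kind, id) pairs that do not resolve."""
    result, path, seen = {}, None, {}
    for line in getfacl_text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            continue
        m = HEADER.match(line) or ENTRY.match(line)
        if not m or path is None:
            continue
        key = ("user" if m.group(1) in ("owner", "user") else "group", int(m.group(2)))
        if key not in seen:  # resolve each ID once; every miss is a lookup
            seen[key] = known(*key)
        if not seen[key]:
            result.setdefault(path, set()).add(key)
    return {p: sorted(ids) for p, ids in result.items()}
```

On a real share, pass the text produced by `getfacl -n -R` for the directory and leave `known` at its default so the check goes through the same NSS path as getent.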