Zhuchenko Valery
2016-Nov-24 13:26 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
Hi, all! When I launch (again and again) smbcacls "//myfileserver/share" "" -U user -W domain or smbclient "//myfileserver/share" -U user -W domain -c "ls", in tcpdump output at myfileserver I see multiple calls to controller via ldap, therefore these commands are executed slowly. When I run getent groups at myfileserver, all worked fine, and tcpdump output is empty. Help me please, where I'm wrong? Best regards, Valery. smbd -V Version 4.2.10 My winbind settings: testparm -s |grep winbind winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind expand groups = 10 winbind refresh tickets = Yes security = ads idmap config * : range = 16777216-33554431 idmap config DOMAIN:backend = ad idmap config DOMAIN:schema_mode = rfc2307 idmap config DOMAIN:range = 100-20000 dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab /etc/nsswitch.conf passwd: compat winbind group: compat winbind grep -r winbind /etc/pam.d /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so use_first_pass /etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so use_authtok /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so use_first_pass /etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so use_authtok
Zhuchenko Valery
2016-Nov-28 05:27 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
I think, the reason is some files acls, which contain uid or gid, absent in the domain. How to make so that winbindd in this case every time didn't connect with controller, but only periodically update data, using parameters winbind cache time and idmap negative cache time? I think so because in logs I see these strings: ...host has no idea of uid ... ...Connected to LDAP server... [2016/11/27 15:02:01.120598, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler) child daemon request 59 [2016/11/27 15:02:01.120859, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid) pdb_default_uid_to_sid: host has no idea of uid 3677 [2016/11/27 15:02:01.122042, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name) ads_dc_name: domain=DOMAIN [2016/11/27 15:02:01.122161, 3] ../source3/libsmb/namequery.c:3133(get_dc_list) get_dc_list: preferred server list:.... .......... [2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect) Successfully contacted LDAP server [2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect) Connected to LDAP server 24.11.2016 17:26, Zhuchenko Valery via samba:> Hi, all! > > When I launch (again and again) > smbcacls "//myfileserver/share" "" -U user -W domain > or > smbclient "//myfileserver/share" -U user -W domain -c "ls", > in tcpdump output at myfileserver I see multiple calls to controller via > ldap, therefore these commands are executed slowly. > > When I run getent groups at myfileserver, all worked fine, and tcpdump > output is empty. > Help me please, where I'm wrong? > > Best regards, Valery. > > smbd -V > Version 4.2.10 > > My winbind settings: > testparm -s |grep winbind > winbind enum users = Yes > winbind enum groups = Yes > winbind use default domain = Yes > winbind expand groups = 10 > winbind refresh tickets = Yes > > security = ads > idmap config * : range = 16777216-33554431 > idmap config DOMAIN:backend = ad > idmap config DOMAIN:schema_mode = rfc2307 > idmap config DOMAIN:range = 100-20000 > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > /etc/nsswitch.conf > passwd: compat winbind > group: compat winbind > > grep -r winbind /etc/pam.d > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so > use_first_pass > /etc/pam.d/system-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so > use_authtok > /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so > use_first_pass > /etc/pam.d/password-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so > use_authtok > > >
Zhuchenko Valery
2016-Nov-28 10:53 UTC
[Samba] domain member with winbind, slow smbcacls or smbclient listing
Hi, all Replacement of the owner (when no user corresponds to file's numeric user ID) or group replacement (when no group corresponds to file's numeric group ID) solves a problem (partially). Check files before changes, and, may be save results: find "/samba/dir1" \( -nouser -or -nogroup \) -printf "%u:%g:%p\n">saved Replacements (in my case, perhaps, it is better to select others the owner and group) find "/samba/dir1" -nouser -exec chown root "{}" \; find "/samba/dir1" -nogroup -exec chgrp root "{}" \; Or, if there is no opportunity to make changes, how to tell winbindd to read periodically updated caches only? I don't know how to do it. Best regards, Valery 28.11.2016 09:27, Zhuchenko Valery via samba:> I think, the reason is some files acls, which contain uid or gid, absent > in the domain. > > How to make so that winbindd in this case every time didn't connect with > controller, but only periodically update data, using parameters winbind > cache time and idmap negative cache time? > > I think so because in logs I see these strings: > ...host has no idea of uid ... > ...Connected to LDAP server... > > > [2016/11/27 15:02:01.120598, 4] > ../source3/winbindd/winbindd_dual.c:1387(child_handler) > child daemon request 59 > [2016/11/27 15:02:01.120859, 4] > ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid) > pdb_default_uid_to_sid: host has no idea of uid 3677 > [2016/11/27 15:02:01.122042, 4] > ../source3/libsmb/namequery_dc.c:77(ads_dc_name) > ads_dc_name: domain=DOMAIN > [2016/11/27 15:02:01.122161, 3] > ../source3/libsmb/namequery.c:3133(get_dc_list) > get_dc_list: preferred server list:.... > .......... > [2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect) > Successfully contacted LDAP server > [2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect) > Connected to LDAP server > > > 24.11.2016 17:26, Zhuchenko Valery via samba: >> Hi, all! >> >> When I launch (again and again) >> smbcacls "//myfileserver/share" "" -U user -W domain >> or >> smbclient "//myfileserver/share" -U user -W domain -c "ls", >> in tcpdump output at myfileserver I see multiple calls to controller via >> ldap, therefore these commands are executed slowly. >> >> When I run getent groups at myfileserver, all worked fine, and tcpdump >> output is empty. >> Help me please, where I'm wrong? >> >> Best regards, Valery. >> >> smbd -V >> Version 4.2.10 >> >> My winbind settings: >> testparm -s |grep winbind >> winbind enum users = Yes >> winbind enum groups = Yes >> winbind use default domain = Yes >> winbind expand groups = 10 >> winbind refresh tickets = Yes >> >> security = ads >> idmap config * : range = 16777216-33554431 >> idmap config DOMAIN:backend = ad >> idmap config DOMAIN:schema_mode = rfc2307 >> idmap config DOMAIN:range = 100-20000 >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> /etc/nsswitch.conf >> passwd: compat winbind >> group: compat winbind >> >> grep -r winbind /etc/pam.d >> /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok >> user_unknown=ignore] pam_winbind.so >> /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so >> use_first_pass >> /etc/pam.d/system-auth-ac:account [default=bad success=ok >> user_unknown=ignore] pam_winbind.so >> /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so >> use_authtok >> /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok >> user_unknown=ignore] pam_winbind.so >> /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so >> use_first_pass >> /etc/pam.d/password-auth-ac:account [default=bad success=ok >> user_unknown=ignore] pam_winbind.so >> /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so >> use_authtok >> >> >> > >
Seemingly Similar Threads
- domain member with winbind, slow smbcacls or smbclient listing
- Security permissions issues after changing idmap backend from RID to AUTORID
- Security permissions issues after changing idmap backend from RID to AUTORID
- Security permissions issues after changing idmap backend from RID to AUTORID
- Security permissions issues after changing idmap backend from RID to AUTORID