Rowland Penny
2017-Sep-13 16:22 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 11:58:27 -0400
Sonic <sonicsmith at gmail.com> wrote:

> On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Wed, 13 Sep 2017 11:18:59 -0400
> > Sonic via samba <samba at lists.samba.org> wrote:
> >
> >> Should be more like:
> >> idmap config STUDENTS : range = 16777216-33554431
> >> idmap config STUDENTS : backend = tdb
> >>
> >> ...plus something like:
> >> idmap config * : range = 10000-20000
> >> idmap config * : backend = tdb
> >> ... using a different range than configured for STUDENTS.
> >>
> >> Again "man smb.conf" is your friend.
> >
> > Obviously not, from the above ;-)
> >
> > I would expect something like:
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = rid
> > idmap config STUDENTS : range = 16777216-33554431
> >
>
> Are you stating that only one assignment of tdb can be defined? I use
> the rid backend for the domains that are hosted on another server but
> wasn't sure whether or not multiple tdb backend assignments were
> allowed. Although I've never tried it, the man page does not appear to
> state that tdb cannot be used for multiple backends. But I'm reading
> the man page for 4.7.0rc5 which may be different.
>
> Chris

For the '*' domain you should only use the tdb backend (note, you cannot
use the rid backend).

For the 'DOMAIN' domain you can use several different backends (rid, ad
etc) but I wouldn't use the tdb backend, how are you going to be sure
you will get the same IDs on all Unix machines ?
If you use the 'rid' backend and the same range on all Unix machines,
you will get the same IDs without having to add anything to AD.

Rowland
On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> For the 'DOMAIN' domain you can use several different backends (rid, ad
> etc) but I wouldn't use the tdb backend, how are you going to be sure
> you will get the same IDs on all Unix machines ?

That's exactly why I personally use rid for the DOMAIN domain. However,
you seemed to suggest that my post was incorrect because I left the OP's
desired backend (not my choice) in place during my reply, which still, as
far as I can tell, is not an incorrect configuration via the info in the
man page. If indeed my answer was incorrect then the man page needs some
updating.

Chris
Thanks for the help and suggestions.

I've removed the deprecated options "idmap uid" and "idmap gid" and
explicitly set "idmap config * : range" and "idmap config * : backend."
New output from testparm is at the end of this message. (But note that
previously I was only setting "idmap uid" and "idmap gid" in the
configuration files, not specifying the old and new options
simultaneously. The "idmap config" options were apparently implied since
they're favored over the deprecated options.)
Despite that, I still have the same problem:
editshare at es-exp1:~$ time groups dwill627
dwill627 : groups: cannot find name for group ID 131073
131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
computeradministrativeaccesslabs
KUTZTOWN\computeradministrativeaccessclassrooms
allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
computeradministrativeaccessconferencerooms KUTZTOWN\mediasiteviewonly pcns
kup-passpol-stu-temp editshareusers BUILTIN\users
real 3m56.156s
user 0m0.072s
sys 0m0.000s
editshare at es-exp1:~$ getent group 131073
editshare at es-exp1:~$ echo $?
2
Is it required to set "idmap config" for both the STUDENTS domain and
all other domains like so?
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config STUDENTS : backend = tdb
idmap config STUDENTS : range = 16777216-33554431
Or can I simply set only the catch-all configuration without setting it for
individual domains? This is how we have historically done it.
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
-----
amended config:
[global]
workgroup = STUDENTS
realm = STUDENTS.KUTZTOWN.EDU
server string = es-exp1
security = ADS
password server = kustudc01.students.kutztown.edu kustudc02.students.kutztown.edu
smb passwd file = /var/cache/samba/smbpasswd
passdb backend = smbpasswd
restrict anonymous = 2
log file = /var/log/samba/log.%I
server max protocol = SMB2_22
max protocol = SMB2_22
protocol = SMB2_22
max xmit = 65535
unix extensions = No
max open files = 32768
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
load printers = No
printcap name = /dev/null
machine password timeout = 0
os level = 33
dns proxy = No
wins support = Yes
ldap debug level = 1
ldap debug threshold = 5
template homedir = /home/%U
template shell = /sbin/nologin
winbind request timeout = 10
winbind use default domain = Yes
winbind expand groups = 1
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
aio read size = 1
aio write size = 1
use sendfile = Yes
include = /etc/samba/smb.0.0.0.0.conf
wide links = Yes
Regards,
Rich Otero
Technical Support and Professional Services
EditShare
rotero at editshare.com
617-782-0479
On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Wed, 13 Sep 2017 11:58:27 -0400
> Sonic <sonicsmith at gmail.com> wrote:
>
> > On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > > On Wed, 13 Sep 2017 11:18:59 -0400
> > > Sonic via samba <samba at lists.samba.org> wrote:
> > >
> > >> Should be more like:
> > >> idmap config STUDENTS : range = 16777216-33554431
> > >> idmap config STUDENTS : backend = tdb
> > >>
> > >> ...plus something like:
> > >> idmap config * : range = 10000-20000
> > >> idmap config * : backend = tdb
> > >> ... using a different range than configured for STUDENTS.
> > >>
> > >> Again "man smb.conf" is your friend.
> > >
> > > Obviously not, from the above ;-)
> > >
> > > I would expect something like:
> > >
> > > idmap config * : backend = tdb
> > > idmap config * : range = 3000-7999
> > > idmap config STUDENTS : backend = rid
> > > idmap config STUDENTS : range = 16777216-33554431
> > >
> >
> > Are you stating that only one assignment of tdb can be defined? I use
> > the rid backend for the domains that are hosted on another server but
> > wasn't sure whether or not multiple tdb backend assignments were
> > allowed. Although I've never tried it, the man page does not appear to
> > state that tdb cannot be used for multiple backends. But I'm reading
> > the man page for 4.7.0rc5 which may be different.
> >
> > Chris
>
> For the '*' domain you should only use the tdb backend (note, you cannot
> use the rid backend).
>
> For the 'DOMAIN' domain you can use several different backends (rid, ad
> etc) but I wouldn't use the tdb backend, how are you going to be sure
> you will get the same IDs on all Unix machines ?
> If you use the 'rid' backend and the same range on all Unix machines,
> you will get the same IDs without having to add anything to AD.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2017-Sep-13 16:49 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 12:37:17 -0400
Sonic <sonicsmith at gmail.com> wrote:

> On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > For the 'DOMAIN' domain you can use several different backends
> > (rid, ad etc) but I wouldn't use the tdb backend, how are you going
> > to be sure you will get the same IDs on all Unix machines ?
>
> That's exactly why I personally use rid for the DOMAIN domain.
> However, you seemed to suggest that my post was incorrect because I
> left the OP's desired backend (not my choice) in place during my
> reply, which still, as far as I can tell, is not an incorrect
> configuration via the info in the man page. If indeed my answer was
> incorrect then the man page needs some updating.
>
> Chris

You posted:

Should be more like:
idmap config STUDENTS : range = 16777216-33554431
idmap config STUDENTS : backend = tdb

And, yes the smb.conf manpage does say this:

    These are suitable for use in the default idmap configuration.

and refer to tdb, tdb2 and ldap.

I wouldn't use any of these on a Unix domain member, because the manpage
also says this:

    these create mappings of their own using internal unixid counters
    and store the mappings in a database.

This means there is no way to ensure that users and groups will get the
same ID on different Unix domain members.

Rowland
Rowland Penny
2017-Sep-13 17:01 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 12:42:06 -0400
Rich Otero <rotero at editshare.com> wrote:

> Thanks for the help and suggestions.
>
> I've removed the deprecated options "idmap uid" and "idmap gid" and
> explicitly set "idmap config * : range" and "idmap config * :
> backend." New output from testparm is at the end of this message.
> (But note that previously I was only setting "idmap uid" and "idmap
> gid" in the configuration files, not specifying the old and new
> options simultaneously. The "idmap config" options were apparently
> implied since they're favored over the deprecated options.)
>
> Despite that, I still have the same problem:
>
> editshare at es-exp1:~$ time groups dwill627
> dwill627 : groups: cannot find name for group ID 131073
> 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> computeradministrativeaccesslabs
> KUTZTOWN\computeradministrativeaccessclassrooms
> allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real 3m56.156s
> user 0m0.072s
> sys 0m0.000s
>
> editshare at es-exp1:~$ getent group 131073
> editshare at es-exp1:~$ echo $?
> 2
>
> Is it required to set "idmap config" for both the STUDENTS domain and
> all other domains like so?
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config STUDENTS : backend = tdb
> idmap config STUDENTS : range = 16777216-33554431

Yes

> Or can I simply set only the catch-all configuration without setting
> it for individual domains? This is how we have historically done it.
>
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431

This puts everything into the '*' domain and is wrong.

> -----
>
> amended config:
>
> [global]
> workgroup = STUDENTS
> realm = STUDENTS.KUTZTOWN.EDU
> server string = es-exp1
> security = ADS
> password server = kustudc01.students.kutztown.edu
> kustudc02.students.kutztown.edu

Remove the next three lines

> smb passwd file = /var/cache/samba/smbpasswd
> passdb backend = smbpasswd
> restrict anonymous = 2
> log file = /var/log/samba/log.%I
> server max protocol = SMB2_22
> max protocol = SMB2_22
> protocol = SMB2_22
> max xmit = 65535
> unix extensions = No
> max open files = 32768
> socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> load printers = No
> printcap name = /dev/null

remove the next two lines, you do not need them.

> machine password timeout = 0
> os level = 33
> dns proxy = No
> wins support = Yes

remove the next two lines, you do not need them.

> ldap debug level = 1
> ldap debug threshold = 5
> template homedir = /home/%U
> template shell = /sbin/nologin
> winbind request timeout = 10
> winbind use default domain = Yes
> winbind expand groups = 1

You also need the 'DOMAIN' lines, set these to the range below, then
change the line below to a different range that does not overlap

> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> aio read size = 1
> aio write size = 1
> use sendfile = Yes
> include = /etc/samba/smb.0.0.0.0.conf
> wide links = Yes
>

Rowland
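As an added illustration (not code from this thread or from Samba), the following check reads the idmap config lines out of an smb.conf fragment and flags the layouts the thread argues about: a '*' domain that is missing or not on an allocating backend, a named domain left on tdb, a catch-all-only configuration, and overlapping ranges. It also shows why rid gives every member the same IDs, using the idmap_rid rule unix id = range low + RID; the two embedded configs are constructed from the examples posted above.

```python
import re

# Constructed samples (not from a live system): the OP's catch-all-only layout
# beside the one Rowland recommends in this thread.
CATCH_ALL_ONLY = """idmap config * : backend = tdb
idmap config * : range = 16777216-33554431"""
RECOMMENDED = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config STUDENTS : backend = rid
idmap config STUDENTS : range = 16777216-33554431"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect 'idmap config DOM : key = value' lines into {DOM: {key: value}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))  # smb.conf writes "low-high"
    assert lo < hi, f"bad idmap range {text!r}"
    return lo, hi

def check_idmap(conf):
    """Return a list of problems; an empty list means the layout looks sane."""
    domains, problems, ranges = parse_idmap(conf), [], {}
    # '*' must exist and use an allocating backend (tdb/tdb2/ldap), never rid.
    if domains.get("*", {}).get("backend", "").lower() not in {"tdb", "tdb2", "ldap"}:
        problems.append("'*' missing or not on an allocating backend such as tdb")
    if len(domains) == 1:
        problems.append("only '*' configured: every domain's users land in the default range")
    for dom, opts in domains.items():
        if "backend" not in opts or "range" not in opts:
            problems.append(f"{dom}: both backend and range are required")
            continue
        if dom != "*" and opts["backend"].lower() == "tdb":
            problems.append(f"{dom}: tdb allocates IDs locally, so members will disagree")
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges, key=ranges.get)  # neighbours in ID order must not touch
    for a, b in zip(doms, doms[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges of {a} and {b} overlap")
    return problems

def rid_to_unix_id(rid, range_text):
    """idmap_rid mapping: unix id = range low + RID, identical on every member."""
    lo, hi = parse_range(range_text)
    return lo + rid if lo + rid <= hi else None
```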