Rowland Penny
2017-Sep-13 17:01 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 12:42:06 -0400
Rich Otero <rotero at editshare.com> wrote:

> Thanks for the help and suggestions.
>
> I've removed the deprecated options "idmap uid" and "idmap gid" and
> explicitly set "idmap config * : range" and "idmap config * :
> backend." New output from testparm is at the end of this message.
> (But note that previously I was only setting "idmap uid" and "idmap
> gid" in the configuration files, not specifying the old and new
> options simultaneously. The "idmap config" options were apparently
> implied since they're favored over the deprecated options.)
>
> Despite that, I still have the same problem:
>
> editshare at es-exp1:~$ time groups dwill627
> dwill627 : groups: cannot find name for group ID 131073
> 131073 _adsso_editors editors exp1-promos domain users
> KUTZTOWN\computeradministrativeaccesslabs
> KUTZTOWN\computeradministrativeaccessclassrooms
> allstudents KUTZTOWN\oitfs_software_r
> KUTZTOWN\computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real 3m56.156s
> user 0m0.072s
> sys 0m0.000s
>
> editshare at es-exp1:~$ getent group 131073
> editshare at es-exp1:~$ echo $?
> 2
>
> Is it required to set "idmap config" for both the STUDENTS domain and
> all other domains like so?
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config STUDENTS : backend = tdb
> idmap config STUDENTS : range = 16777216-33554431

Yes

> Or can I simply set only the catch-all configuration without setting
> it for individual domains? This is how we have historically done it.
>
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431

This puts everything into the '*' domain and is wrong.

> -----
>
> amended config:
>
> [global]
> workgroup = STUDENTS
> realm = STUDENTS.KUTZTOWN.EDU
> server string = es-exp1
> security = ADS
> password server = kustudc01.students.kutztown.edu kustudc02.students.kutztown.edu

Remove the next three lines

> smb passwd file = /var/cache/samba/smbpasswd
> passdb backend = smbpasswd
> restrict anonymous = 2
> log file = /var/log/samba/log.%I
> server max protocol = SMB2_22
> max protocol = SMB2_22
> protocol = SMB2_22
> max xmit = 65535
> unix extensions = No
> max open files = 32768
> socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> load printers = No
> printcap name = /dev/null

remove the next two lines, you do not need them.

> machine password timeout = 0
> os level = 33
> dns proxy = No
> wins support = Yes

remove the next two lines, you do not need them.

> ldap debug level = 1
> ldap debug threshold = 5
> template homedir = /home/%U
> template shell = /sbin/nologin
> winbind request timeout = 10
> winbind use default domain = Yes
> winbind expand groups = 1

You also need the 'DOMAIN' lines, set these to the range below,
then change the line below to a different range that does not overlap

> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> aio read size = 1
> aio write size = 1
> use sendfile = Yes
> include = /etc/samba/smb.0.0.0.0.conf
> wide links = Yes
>

Rowland
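A small checker for the idmap layout Rowland is asking for (a catch-all '*' block plus a separate block for the winbind domain, with ranges that do not overlap). This is an added example, not Samba's own code or anything from the thread; it parses only the `workgroup` and `idmap config` keys it needs, and the two embedded smb.conf fragments are constructed from the configurations quoted above.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {DOMAIN: {key: value}}) for the idmap lines of an smb.conf."""
    workgroup, domains = "", {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        if m := WORKGROUP_RE.match(line):
            workgroup = m[1].upper()
        elif m := IDMAP_RE.match(line):
            domains.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return workgroup, domains

def check_idmap(conf):
    """List the idmap problems raised in the thread; an empty list means the layout is sound."""
    workgroup, domains = parse_idmap(conf)
    problems, ranges = [], {}
    for dom, keys in domains.items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", keys.get("range", "").strip())
        if not m or int(m[1]) >= int(m[2]):
            problems.append(f"{dom}: missing or malformed range")
            continue
        ranges[dom] = (int(m[1]), int(m[2]))
    if "*" not in ranges:
        problems.append("*: no catch-all range")
    if workgroup and workgroup not in ranges:
        problems.append(f"{workgroup}: no explicit idmap block, its users would land in '*'")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # closed intervals overlap when each starts before the other ends
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems

# Constructed smb.conf fragments: the catch-all-only layout from the thread and the advised one.
ONLY_CATCHALL = ("workgroup = STUDENTS\n"
                 "idmap config * : range = 16777216-33554431\n"
                 "idmap config * : backend = tdb\n")
WITH_DOMAIN = ("workgroup = STUDENTS\n"
               "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n"
               "idmap config STUDENTS : backend = tdb\n"
               "idmap config STUDENTS : range = 16777216-33554431\n")
```

Running `check_idmap(ONLY_CATCHALL)` flags that STUDENTS has no block of its own, while `check_idmap(WITH_DOMAIN)` returns no problems.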
Rich Otero
2017-Sep-13 18:10 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
> > Is it required to set "idmap config" for both the STUDENTS domain and
> > all other domains like so?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = tdb
> > idmap config STUDENTS : range = 16777216-33554431
>
> Yes
>
> > Or can I simply set only the catch-all configuration without setting
> > it for individual domains? This is how we have historically done it.
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 16777216-33554431
>
> This puts everything into the '*' domain and is wrong.

Perhaps this is another place where the description in the manual could
be clearer. My reading of it is that the configuration for the * domain
applies to all domains that have not been explicitly configured (which
is the way I thought I was using it).

> Remove the next three lines
>
> > smb passwd file = /var/cache/samba/smbpasswd
> > passdb backend = smbpasswd

I don't understand this suggestion. What if I have non-domain users who
are stored in passdb? (I do.)

> > restrict anonymous = 2

This doesn't make sense to me either. What does it have to do with
Winbind's interaction with AD? We set this option because automated
network security audits such as Qualys consider allowing anonymous
connections to be a vulnerability and nothing that we do relies on
anonymous connections to Samba anyway.

> remove the next two lines, you do not need them.
>
> > machine password timeout = 0

We set "machine password timeout" to 0 because we have some systems
where Samba must run with the same configuration on two highly
available nodes. Therefore, we disable periodically changing the
machine password and we ensure that both nodes have the same stored
password by periodically synchronizing the secrets file from the
primary node to the secondary node.

> > os level = 33

Our product can consist of multiple independent Samba servers in a
group. Within the group, there can be one "master" server and many
"auxiliary" servers. On masters, we raise "os level" to 65 and on
auxiliaries, we lower it to 33 so that only the master is capable of
becoming the local master browser. I don't understand how this is
related to AD integration.

> remove the next two lines, you do not need them.
>
> > ldap debug level = 1
> > ldap debug threshold = 5

I had set these so that I could see more detailed messages about the
LDAP calls. How does this contribute to the problem I am trying to
solve?

Regards,

Rich Otero
Technical Support and Professional Services
EditShare
rotero at editshare.com
617-782-0479
Rowland Penny
2017-Sep-13 18:47 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 14:10:48 -0400
Rich Otero <rotero at editshare.com> wrote:

> Perhaps this is another place where the description in the manual
> could be clearer. My reading of it is that the configuration for the
> * domain applies to all domains that have not been explicitly
> configured (which is the way I thought I was using it).

Yes, but how do you know which domain is which ?

> > Remove the next three lines
> >
> > > smb passwd file = /var/cache/samba/smbpasswd
> > > passdb backend = smbpasswd
>
> I don't understand this suggestion. What if I have non-domain users
> who are stored in passdb? (I do.)

Because smbpasswd is deprecated by the now default tdbsam and if you
remove those lines, you will start to use the default.

> > > restrict anonymous = 2
>
> This doesn't make sense to me either. What does it have to do with
> Winbind's interaction with AD? We set this option because automated
> network security audits such as Qualys consider allowing anonymous
> connections to be a vulnerability and nothing that we do relies on
> anonymous connections to Samba anyway.

I would remove it because it can break some applications

> > remove the next two lines, you do not need them.
> >
> > > machine password timeout = 0
>
> We set "machine password timeout" to 0 because we have some systems
> where Samba must run with the same configuration on two highly
> available nodes. Therefore, we disable periodically changing the
> machine password and we ensure that both nodes have the same stored
> password by periodically synchronizing the secrets file from the
> primary node to the secondary node.

I cannot recommend doing this, you should have different passwords for
each machine.

> > > os level = 33
>
> Our product can consist of multiple independent Samba servers in a
> group. Within the group, there can be one "master" server and many
> "auxiliary" servers. On masters, we raise "os level" to 65 and on
> auxiliaries, we lower it to 33 so that only the master is capable of
> becoming the local master browser. I don't understand how this is
> related to AD integration.

Because even if this line was 254 it wouldn't win an election with an
AD DC, so why bother.

> > remove the next two lines, you do not need them.
> >
> > > ldap debug level = 1
> > > ldap debug threshold = 5
>
> I had set these so that I could see more detailed messages about the
> LDAP calls. How does this contribute to the problem I am trying to
> solve?

They probably don't, but they shouldn't be there on a Unix domain
member.

All I can say is, I do not and never will set up a Unix domain member
in the way you have. I also do not have any of the problems you are
having, but it is your computer, so set it up how you like.

Rowland