Oh, apologies, I thought you were referring to the fact that I had changed your -d0 to -d10 since I was getting no output for 10 minutes... :)

smb.conf
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 95000-99999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 100000-999999

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

/etc/resolv.conf
search domain.local
nameserver 10.x.x.20
nameserver 10.x.x.21
nameserver 10.x.x.11
nameserver 10.x.y.10
nameserver 10.x.y.20
nameserver 10.y.x.90
nameserver 10.y.x.21
nameserver 10.y.x.90

/etc/hosts
127.0.0.1 localhost proxy1 proxy2 printer
127.0.1.1 hostname.dev.domain.local hostname
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

It's running on Ubuntu 17.10.

James

October 30, 2017 4:20 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 30 Oct 2017 15:51:28 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I must admit I assumed that it was completely hung which is why I
>> looked at your command line to see if there was a typo etc... but
>> here's the output you asked for:-
>>
>> root at hostname:~# time samba-tool group listmembers testgroup -H
>> ldap://adserver -d0 FUNC-UNIX
>>
>> real 11m33.761s <------ LONG TIME!
>> user 0m0.327s
>> sys 0m0.021s
>>
>> I guess they have some nested groups set up... it does appear to be
>> returning something, but obviously not a list of users.
>>
>> However, for example:-
>>
>> root at hostname:~# time wbinfo -g jlewis | grep testgroup
>> testgroup
>>
>> real 0m0.134s
>> user 0m0.019s
>> sys 0m0.005s
>>
>> I don't have any issue logging on, or using the host...
>
> Will you please post the info I asked you to post, plus I think you
> better tell us what OS you are using.
>
> Whilst nested groups might slow things down, it shouldn't slow things
> down to the extent you are seeing.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."

On Mon, 30 Oct 2017 17:32:17 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Oh, apologies, I thought you were referring to the fact that I had
> changed your -d0 to -d10 since I was getting no output for 10
> minutes... :)
>
> smb.conf
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
>
> idmap config *:backend = tdb
> idmap config *:range = 95000-99999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 100000-999999
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> /etc/resolv.conf
> search domain.local
> nameserver 10.x.x.20
> nameserver 10.x.x.21
> nameserver 10.x.x.11
> nameserver 10.x.y.10
> nameserver 10.x.y.20
> nameserver 10.y.x.90
> nameserver 10.y.x.21
> nameserver 10.y.x.90

Are all of the above DCs? If not, remove any that aren't.

>
> /etc/hosts
> 127.0.0.1 localhost proxy1 proxy2 printer
> 127.0.1.1 hostname.dev.domain.local hostname

Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
'127.0.1.1' to its IP address, if it has a fixed IP, or remove the line
if it is getting its IP via DHCP.

Rowland
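
Added example, not part of the original messages: a Python sketch of the two checks raised in the reply above, listing /etc/hosts entries that map the machine's own name to a loopback address and summarising the nameserver lines in resolv.conf. The sample file contents, addresses and function names are constructed for illustration; it goes slightly beyond the message by also flagging nameserver lines past the third, which glibc's resolver does not use, and repeated entries.

```python
import ipaddress

# Constructed sample files modelled on those quoted in the thread; the
# thread masks its real addresses, so these values are assumptions.
SAMPLE_HOSTS = """\
127.0.0.1 localhost proxy1 proxy2 printer
127.0.1.1 hostname.dev.domain.local hostname
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
"""
SAMPLE_RESOLV = """\
search domain.local
nameserver 10.0.0.20
nameserver 10.0.0.21
nameserver 10.0.0.11
nameserver 10.0.1.10
nameserver 10.0.0.20
"""
GLIBC_MAXNS = 3  # glibc's resolver uses at most three nameserver lines


def loopback_names(hosts_text, fqdn):
    """Return (address, name) pairs mapping this host's own name to loopback."""
    own = {fqdn.lower(), fqdn.split(".")[0].lower()}
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if addr.is_loopback:
            hits += [(fields[0], n) for n in fields[1:] if n.lower() in own]
    return hits


def nameserver_report(resolv_text):
    """Split nameserver entries into those used, ignored and duplicated."""
    rows = [line.split() for line in resolv_text.splitlines()]
    servers = [f[1] for f in rows if len(f) >= 2 and f[0] == "nameserver"]
    return {
        "used": servers[:GLIBC_MAXNS],
        "ignored": servers[GLIBC_MAXNS:],
        "duplicates": sorted({s for s in servers if servers.count(s) > 1}),
    }
```

On a real member server, pass in the contents of /etc/hosts and /etc/resolv.conf together with the output of `hostname -f`.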

On Mon, Oct 30, 2017 at 2:03 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

>>
>> /etc/hosts
>> 127.0.0.1 localhost proxy1 proxy2 printer
>> 127.0.1.1 hostname.dev.domain.local hostname
>
> Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
> '127.0.1.1' to its IP address, if it has a fixed IP, or remove the line
> if it is getting its IP via DHCP.
>
> Rowland

That little trick is used so that contacts to the loopback, at 127.0.0.0/8, can be set to a distinct IP address and ensure the traffic is recorded separately, even though coming in on the loopback address. It can be very handy for segregating SSH and webhost traffic separately from localhost traffic.