Hello dear list,
I have a Samba 3 server running (under SLES11) connected to an
LDAP server and it is running well.
But now I would like to migrate to Samba 4 and I've made a few tests beforehand.
The whole time I was with Samba 3, I was surprised about the many LDAP requests, so
that I thought about an additional local OpenLDAP proxy cache.
But now with Samba 4 (with the same configuration as Samba 3,
SLES12) the IDMAP
requests are cached in a local tdb (gencache.tdb).
I can check the local cache with "net cache list". While the list on Samba
3 is
empty, with Samba 4 there are a lot of IDMAP entries.
No winbind is running.
My questions:
- Is this cache configurable (TTL, ...)? I've found nothing.
- Do the cache configuration and functional principle
differ between Samba 3 and 4?
- How to debug this?
- Why is the cache working only under Samba 4?
Thanks, Meike
==============================================
my configuration (same for Samba 3 and 4):
[global]
workgroup = Samba
map to guest = Bad User
security = user
server string = Server1
max protocol = SMB2
deadtime = 600
load printers = no
printcap name = /dev/null
disable spoolss = yes
ldap admin dn = uid=sambauser,o=some,c=domain
passdb backend = ldapsam:"ldap://ldap01.some.domain"
ldap suffix = cn=samba,o=some,c=domain
ldap user suffix = cn=accounts
ldap group suffix = cn=groups
ldap passwd sync = No
log level = 255
syslog = 0
[share1]
path = /daten/share1
comment = share1
writeable = yes
browseable = no
nt acl support = no
inherit permissions = yes
store dos attributes = yes
csc policy = disable
Hello dear list,
can someone help me?
The manual page clearly states:
"The idmap backend provides a plugin interface for *Winbind* to use
varying backends to store SID/uid/gid mapping tables." and
"ID mapping in Samba is the mapping between Windows SIDs and Unix user
and group IDs. This is performed by *Winbindd* with a configurable
plugin interface."
So, that's the reason why I said "No winbind is running." (on my
server)
So that can explain why Samba 3 is asking the LDAP server often, but
why is Samba 4 using the cache without winbind?
my configuration (testparm -v -s | grep idmap):
ldap idmap suffix
idmap backend = tdb
idmap cache time = 604800
idmap negative cache time = 120
idmap uid
idmap gid
idmap config * : backend = tdb
Thanks in advance
Meike
2018-06-22 13:40 GMT+02:00 Meike Stone <meike.stone at googlemail.com>:
> Hello dear list,
>
> I have running a Samba 3 server (under SLES11) connected to an
> LDAP-Server and it is running well.
> But now, I like to migrate to Samba 4 and I've made a few tests before.
>
> The whole time I with Samba 3, I was surprised about the many ldap requests so
> that I thought about an additional local OpenLDAP proxy cache.
>
> But now with Samba 4 (with the same configuration like Samba 3,
> SLES12) the IDMAP
> requests are cached in a local tdb (gencache.tdb).
>
> I can check the local cache "net cache list". While the list on Samba 3 is
> empty, with Samba 4 there are a lot of IDMAP entries.
>
> No winbind is running.
>
> My questions:
> - Is this cache configurable (TTL, ...) - I've nothing found?
> - Does the cache configuration and functional principle
> differ between Samba 3 and 4?
> - How to debug this?
> - Why only the cache under Samba 4 is working?
>
>
> Thanks Meike
> ==============================================
> my configuration (same for Samba 3 and 4):
>
> [global]
> workgroup = Samba
> map to guest = Bad User
> security = user
> server string = Server1
> max protocol = SMB2
> deadtime = 600
>
> load printers = no
> printcap name = /dev/null
> disable spoolss = yes
>
> ldap admin dn = uid=sambauser,o=some,c=domain
> passdb backend = ldapsam:"ldap://ldap01.some.domain"
>
> ldap suffix = cn=samba,o=some,c=domain
> ldap user suffix = cn=accounts
> ldap group suffix = cn=groups
> ldap passwd sync = No
>
> log level = 255
> syslog = 0
>
> [share1]
> path = /daten/share1
> comment = share1
> writeable = yes
> browseable = no
> nt acl support = no
> inherit permissions = yes
> store dos attributes = yes
> csc policy = disable
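One way to answer the "how to debug this?" question from the thread is to look at what gencache actually holds. The script below is an added example, not code from the thread or from the Samba project: it parses the lines that `net cache list` prints, keeps the IDMAP entries, and compares each entry's remaining lifetime with the two lifetimes from the poster's testparm output (`idmap cache time = 604800`, `idmap negative cache time = 120`). The "Key: ... Timeout: ... Value: ..." line layout follows Samba's `net cache list` output; the key layouts `IDMAP/SID2XID/<sid>` and `IDMAP/UID2SID/<uid>`, the value strings, the SIDs, the ids and the "current" time are constructed assumptions for the sample, not values from the thread.

```python
import re
from datetime import datetime

# Lifetimes from the poster's `testparm -v -s | grep idmap` output (seconds).
IDMAP_CACHE_TIME = 604800           # idmap cache time: 7 days
IDMAP_NEGATIVE_CACHE_TIME = 120     # idmap negative cache time: 2 minutes

# One `net cache list` line: "Key: <key>\t Timeout: <ctime>\t Value: <value>",
# with an optional trailing "  (expired)" marker. Timeout may also read "now".
LINE_RE = re.compile(
    r"^Key: (?P<key>\S+)\t Timeout: (?P<timeout>.+?)\t Value: (?P<value>.*?)"
    r"(?:  \(expired\))?\s*$"
)
CTIME_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample output. The IDMAP/SID2XID and IDMAP/UID2SID key layouts
# and the value strings are assumptions; SIDs and ids are invented.
SAMPLE = (
    "Key: IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-1001\t"
    " Timeout: Fri Jun 29 13:40:00 2018\t Value: UID 10001  \n"
    "Key: IDMAP/UID2SID/10001\t Timeout: Fri Jun 29 13:40:00 2018\t"
    " Value: S-1-5-21-1111111111-2222222222-3333333333-1001  \n"
    "Key: IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-9999\t"
    " Timeout: Fri Jun 22 13:42:00 2018\t Value: -1  \n"
    "Key: IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-7777\t"
    " Timeout: Fri Jun 22 13:30:00 2018\t Value: UID 10002  (expired)\n"
    "Key: NBT/NAME/SERVER1#20\t Timeout: Fri Jun 22 14:00:00 2018\t"
    " Value: 10.0.0.5  \n"
)
# Constructed "current" time used to evaluate the sample above.
SAMPLE_NOW = datetime(2018, 6, 22, 13, 41, 0)


def parse_cache_list(text):
    """Parse `net cache list` output into dicts with key, timeout (a datetime,
    or None when the output says "now") and value. Other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("timeout")
        timeout = None if raw == "now" else datetime.strptime(raw, CTIME_FMT)
        entries.append({"key": m.group("key"), "timeout": timeout,
                        "value": m.group("value")})
    return entries


def idmap_report(text, now):
    """Keep only IDMAP/* entries and annotate each with the seconds left until
    its timeout and a state inferred from the configured lifetimes:
      expired  - the timeout has passed (the record stays until pruned)
      positive - more than the negative lifetime remains, so the entry must
                 have been stored with the 7-day idmap cache time
      short    - inside the negative window: a negative mapping or a positive
                 one about to expire; the TTL alone cannot tell which"""
    report = []
    for e in parse_cache_list(text):
        if not e["key"].startswith("IDMAP/"):
            continue
        if e["timeout"] is None:
            remaining = 0
        else:
            remaining = int((e["timeout"] - now).total_seconds())
        if remaining <= 0:
            state = "expired"
        elif remaining > IDMAP_NEGATIVE_CACHE_TIME:
            state = "positive"
        else:
            state = "short"
        report.append({**e, "remaining": remaining, "state": state})
    return report


def summarize(report):
    """Count entries per inferred state."""
    counts = {"expired": 0, "positive": 0, "short": 0}
    for e in report:
        counts[e["state"]] += 1
    return counts


if __name__ == "__main__":
    report = idmap_report(SAMPLE, SAMPLE_NOW)
    for e in report:
        print(f"{e['state']:8s} {e['remaining']:8d}s  {e['key']} -> {e['value']}")
    print(summarize(report))
```

On a live server the input would come from `net cache list` itself (for example redirected to a file and read in), with `now` taken from the clock. Running `net cache flush` empties gencache, so the LDAP traffic can be watched at the poster's log level while the cache repopulates, which shows directly whether a given lookup hit the cache or went to the LDAP server.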
On Mon, 25 Jun 2018 10:34:03 +0200 Meike Stone via samba <samba at lists.samba.org> wrote:
> Hello dear list,
>
> can someone help me?
>
> The manual page clearly states:
> "The idmap backend provides a plugin interface for *Winbind* to use
> varying backends to store SID/uid/gid mapping tables." and
> "ID mapping in Samba is the mapping between Windows SIDs and Unix user
> and group IDs. This is performed by *Winbindd* with a configurable
> plugin interface."
>
> So, that's the reason, why I said "No winbind is running." (on my
> server)
>
> So that can explain, why samba 3 is asking the LDAP-Server often, but
> why is using samba 4 the cache without winbind?
>
> my configuration (testparm -v -s | grep idmap):
> ldap idmap suffix
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid
> idmap gid
> idmap config * : backend = tdb
>
> Thanks in advance
> Meike

I think the bigger question is, why are you trying to run a standalone
server as some form of domain member? A standalone server is just that,
it stands alone, all authentication should be done on the standalone
server.

Samba has changed significantly since version 3.6.x and if you have
Windows clients (especially Win 10) you should seriously consider
upgrading to AD.

Rowland