Rowland Penny
2019-Feb-22 14:42 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Fri, 22 Feb 2019 15:35:53 +0100 Ralph Böhme via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
> samba wrote:
> >I want to share some findings with the community about huge
> >timeouts/delays since upgraded to samba 4.8 end of last year and a
> >patch fixing this in our setup. It would be great if someone from
> >samba dev team could take a look and if acceptable apply the patch
> >to the common code base. It may also affect current stable and
> >release candidates.
> >The patch expects the patch from BUG 13503 "getpwnam resolves local
> >system accounts to AD" being already applied.
> >
> >Within the company I'm working for, we see frequently system
> >hangs/slowness for a couple of seconds on servers using winbind
> >passwd/group resolution via nsswitch.conf since we updated our OS
> >from CentOS7.5 to CentOS7.6 which includes a samba update from 4.7
> >to 4.8.
> >
> >We could track it down to winbind and when it is asked for an
> >unknown local user account. This means that the user's account in
> >question is not in local passwd and doesn't contain any domain like
> >SOMEDOMAIN\account or account@SOMEDOMAIN. The expected behavior is
> >an immediate return with an error like "no such user" or "unknown
> >user", but instead a call like "id unknown" takes 60+ seconds.
>
> hm, can't reproduce:
>
> slow@titan:~/git/samba/scratch$ git describe
> samba-4.8.3
>
> slow@titan:~/git/samba/scratch$ sudo bin/net cache flush
>
> slow@titan:~/git/samba/scratch$ time bin/wbinfo -i foo
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user foo
>
> real 0m0.025s
> user 0m0.004s
> sys 0m0.004s
>
> Can you share your full smb.conf?
>
> -slow

You might also want to explain why you are using sssd's cache with winbind.

Rowland
Alexander Spannagel
2019-Feb-22 15:40 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On 22.02.19 at 15:42, Rowland Penny via samba wrote:

> On Fri, 22 Feb 2019 15:35:53 +0100
> Ralph Böhme via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
>> samba wrote:
s.
>>
>> hm, can't reproduce:
>>
>> slow@titan:~/git/samba/scratch$ git describe
>> samba-4.8.3
>>
>> slow@titan:~/git/samba/scratch$ sudo bin/net cache flush
>>
>> slow@titan:~/git/samba/scratch$ time bin/wbinfo -i foo
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user foo
>>
>> real 0m0.025s
>> user 0m0.004s
>> sys 0m0.004s
>>
>> Can you share your full smb.conf?

Here is the extraction of the global section from our smb.conf:

[root@centos7dev64 ~]# testparm --section-name=global 2>/dev/null < /dev/null
# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        disable spoolss = Yes
        domain master = No
        kerberos method = secrets and keytab
        ldap connection timeout = 10
        ldap timeout = 30
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
        max log size = 0
        os level = 0
        printcap name = /dev/null
        realm = OPS.GLOBAL.AD
        security = ADS
        server signing = required
        server string = FTP Samba Server
        show add printer wizard = No
        template shell = /bin/bash
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        winbind separator = +
        workgroup = OPS
        idmap config * : rangesize = 1000000
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid
        map acl inherit = Yes
        printing = bsd
        store dos attributes = Yes
        vfs objects = acl_xattr full_audit recycle extd_audit

> You might also want to explain why you are using sssd's cache with
> winbind.

We are running a mixed environment and use sssd for authentication
against our unix ldap directory on all our unix servers. On a group
of servers we need to provide smb shares to windows clients/servers
and dedicated uid/gid mapping for windows users and groups.

Our default setup in nsswitch.conf regarding passwd/shadow/groups
looks like:
passwd: files sss
shadow: files sss
group: files sss

And on the servers running samba:
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind

As mentioned it worked till the update from samba 4.7 to 4.8. The
sssd is used for ldap and not AD authentication.

Alex
Rowland Penny
2019-Feb-22 16:02 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Fri, 22 Feb 2019 16:40:46 +0100 Alexander Spannagel via samba <samba at lists.samba.org> wrote:

> On 22.02.19 at 15:42, Rowland Penny via samba wrote:
> > On Fri, 22 Feb 2019 15:35:53 +0100
> > Ralph Böhme via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> On Fri, Feb 22, 2019 at 01:59:15PM +0100, Alexander Spannagel via
> >> samba wrote:
> s.
> >>
> >> hm, can't reproduce:
> >>
> >> slow@titan:~/git/samba/scratch$ git describe
> >> samba-4.8.3
> >>
> >> slow@titan:~/git/samba/scratch$ sudo bin/net cache flush
> >>
> >> slow@titan:~/git/samba/scratch$ time bin/wbinfo -i foo
> >> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not get info for user foo
> >>
> >> real 0m0.025s
> >> user 0m0.004s
> >> sys 0m0.004s
> >>
> >> Can you share your full smb.conf?
>
> Here is the extraction of the global section from our smb.conf:
> [root@centos7dev64 ~]# testparm --section-name=global 2>/dev/null < /dev/null
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         disable spoolss = Yes
>         domain master = No
>         kerberos method = secrets and keytab
>         ldap connection timeout = 10
>         ldap timeout = 30
>         load printers = No
>         local master = No
>         log file = /var/log/samba/log.%m
>         max log size = 0
>         os level = 0
>         printcap name = /dev/null
>         realm = OPS.GLOBAL.AD
>         security = ADS
>         server signing = required
>         server string = FTP Samba Server
>         show add printer wizard = No
>         template shell = /bin/bash
>         username map = /etc/samba/user.map
>         winbind refresh tickets = Yes
>         winbind separator = +
>         workgroup = OPS
>         idmap config * : rangesize = 1000000
>         idmap config * : range = 1000000-19999999
>         idmap config * : backend = autorid
>         map acl inherit = Yes
>         printing = bsd
>         store dos attributes = Yes
>         vfs objects = acl_xattr full_audit recycle extd_audit
> >
> > You might also want to explain why you are using sssd's cache with
> > winbind.
>
> We are running a mixed environment and use sssd for authentication
> against our unix ldap directory on all our unix servers. On a group
> of servers we need to provide smb shares to windows clients/servers
> and dedicated uid/gid mapping for windows users and groups.
>
> Our default setup in nsswitch.conf regarding passwd/shadow/groups
> looks like:
> passwd: files sss
> shadow: files sss
> group: files sss
>
> And on the servers running samba:
> passwd: files sss winbind
> shadow: files sss winbind
> group: files sss winbind
>
> As mentioned it worked till the update from samba 4.7 to 4.8. The
> sssd is used for ldap and not AD authentication.
>
> Alex

If you do have 'files sss winbind' in /etc/nsswitch.conf and sssd is running, then it is highly likely that even if winbind is running, it will not be used. You also shouldn't use winbind on the shadow line and you shouldn't run winbind and sssd together; sssd has its own version of one of the winbind libs, and this will undoubtedly interfere with the Samba one. Finally, your smb.conf is borked for winbind.

Rowland
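
A small checker for the two nsswitch.conf conditions raised in the reply above: winbind on the shadow line, and sss and winbind configured on the same database. This is an added example, not code from the thread or from the Samba project; the function names are illustrative and the sample input is constructed from the nsswitch.conf lines quoted in the thread.

```python
"""Flag the nsswitch.conf conditions raised in this thread (added example)."""
import re
import sys

# Constructed sample: the lines quoted in the thread for the Samba servers,
# plus one unrelated database to show it is left alone.
SAMPLE = """\
# /etc/nsswitch.conf (excerpt)
passwd: files sss winbind
shadow: files sss winbind
group:  files sss winbind
hosts:  files dns
"""


def parse_nsswitch(text):
    """Return {database: [sources]} in lookup order, skipping comments and
    bracketed action items such as [NOTFOUND=return]."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop action items
        databases[name.strip()] = rest.split()
    return databases


def check(text):
    """Return a list of (database, finding) tuples for the two conditions."""
    findings = []
    for db, sources in parse_nsswitch(text).items():
        if db == "shadow" and "winbind" in sources:
            findings.append((db, "winbind listed on the shadow line"))
        if "sss" in sources and "winbind" in sources:
            first = sources.index("sss") < sources.index("winbind")
            order = "before" if first else "after"
            findings.append((db, f"sss and winbind both configured (sss {order} winbind)"))
    return findings


if __name__ == "__main__":
    # With no argument, check the constructed sample; otherwise the given file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for db, finding in check(text):
        print(f"{db}: {finding}")
```

Run with a path such as /etc/nsswitch.conf as the only argument to check a real file; with no argument it checks the embedded sample.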