Remy Zandwijk
2019-Feb-23 12:47 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
> On 23 Feb 2019, at 09:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> If you have, as you have, 'files sss winbind' in the passwd & group
> line in nsswitch.conf, means this:
> First /etc/passwd or /etc/group is searched and if the user or group is
> found, this info is returned.
> Next sssd will be asked, 'do you know this user or group ?' if found,
> the info is returned.
> Finally winbind will be asked, 'do you know this user or group ?' if
> found, the info is returned.
>
> Let's take a user called 'fred', this user is in AD. The first search
> will return nothing, so sssd is asked, this 'asks' AD and returns the
> user's info. Finally, wait that's it, we have the info, there is no need
> to ask winbind for anything.

That is incorrect. Alexander stated:

> No. we use max. 3 auth providers: (1. and 2. on all unix servers)
> 1. unix (local passwd)
> for static OS/service accounts across all our env
> 2. sssd (with unix ldap servers as provider)
> unix experienced user and application related service accounts
> 3. samba/winbind
> for windows users/services needing access to a group of unix servers

And:

> They don't - as stated above we use sssd for query/caching entries from our ldap directory server and not Windows Domain Controllers - also this is possible, but makes more trouble and doesn't provide what samba's smb/winbind does.

He clearly writes (in multiple emails) that sssd is configured to use his unix ldap servers and not AD.

Maybe three sources of user databases are not regular, but I fail to see why this should be a problem (provided that usernames, uidNumbers and such are unique across the databases).

-Remy
Rowland Penny
2019-Feb-23 13:07 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sat, 23 Feb 2019 13:47:54 +0100
Remy Zandwijk via samba <samba at lists.samba.org> wrote:

> > On 23 Feb 2019, at 09:33, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > If you have, as you have, 'files sss winbind' in the passwd &
> > group line in nsswitch.conf, means this:
> > First /etc/passwd or /etc/group is searched and if the user or
> > group is found, this info is returned.
> > Next sssd will be asked, 'do you know this user or group ?' if
> > found, the info is returned.
> > Finally winbind will be asked, 'do you know this user or group ?' if
> > found, the info is returned.
> >
> > Let's take a user called 'fred', this user is in AD. The first search
> > will return nothing, so sssd is asked, this 'asks' AD and returns
> > the user's info. Finally, wait that's it, we have the info, there is
> > no need to ask winbind for anything.
>
> That is incorrect. Alexander stated:
>
> > No. we use max. 3 auth providers: (1. and 2. on all unix servers)
> > 1. unix (local passwd)
> > for static OS/service accounts across all our env
> > 2. sssd (with unix ldap servers as provider)
> > unix experienced user and application related service accounts
> > 3. samba/winbind
> > for windows users/services needing access to a group of unix
> > servers
>
> And:
>
> > They don't - as stated above we use sssd for query/caching entries
> > from our ldap directory server and not Windows Domain Controllers -
> > also this is possible, but makes more trouble and doesn't provide
> > what samba's smb/winbind does.
>
> He clearly writes (in multiple emails) that sssd is configured to use
> his unix ldap servers and not AD.
>
> Maybe three sources of user databases are not regular, but I fail to
> see why this should be a problem (provided that usernames, uidNumbers
> and such are unique across the databases).

And there is the problem, if 'fred' is in /etc/passwd, that user will
be used, but what if you meant fred in ldap or AD ?

There is absolutely no point in having 4 databases (yes there are 4,
Unix, sssd, winbind and the ldap lines in smb.conf), they could all be
combined in AD.

The main problem is that the OP wants Samba changing to cope with his
mess, it might be a valid change, but the reason for the change is
invalid.

Rowland
Remy Zandwijk
2019-Feb-23 13:21 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
> On 23 Feb 2019, at 14:07, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 23 Feb 2019 13:47:54 +0100
> Remy Zandwijk via samba <samba at lists.samba.org> wrote:
>
>>> On 23 Feb 2019, at 09:33, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>> If you have, as you have, 'files sss winbind' in the passwd &
>>> group line in nsswitch.conf, means this:
>>> First /etc/passwd or /etc/group is searched and if the user or
>>> group is found, this info is returned.
>>> Next sssd will be asked, 'do you know this user or group ?' if
>>> found, the info is returned.
>>> Finally winbind will be asked, 'do you know this user or group ?' if
>>> found, the info is returned.
>>>
>>> Let's take a user called 'fred', this user is in AD. The first search
>>> will return nothing, so sssd is asked, this 'asks' AD and returns
>>> the user's info. Finally, wait that's it, we have the info, there is
>>> no need to ask winbind for anything.
>>
>> That is incorrect. Alexander stated:
>>
>>> No. we use max. 3 auth providers: (1. and 2. on all unix servers)
>>> 1. unix (local passwd)
>>> for static OS/service accounts across all our env
>>> 2. sssd (with unix ldap servers as provider)
>>> unix experienced user and application related service accounts
>>> 3. samba/winbind
>>> for windows users/services needing access to a group of unix
>>> servers
>>
>> And:
>>
>>> They don't - as stated above we use sssd for query/caching entries
>>> from our ldap directory server and not Windows Domain Controllers -
>>> also this is possible, but makes more trouble and doesn't provide
>>> what samba's smb/winbind does.
>>
>> He clearly writes (in multiple emails) that sssd is configured to use
>> his unix ldap servers and not AD.
>>
>> Maybe three sources of user databases are not regular, but I fail to
>> see why this should be a problem (provided that usernames, uidNumbers
>> and such are unique across the databases).
>
> And there is the problem, if 'fred' is in /etc/passwd, that user will
> be used, but what if you meant fred in ldap or AD ?
>
> There is absolutely no point in having 4 databases (yes there are 4,
> Unix, sssd, winbind and the ldap lines in smb.conf), they could all be
> combined in AD.
>
> The main problem is that the OP wants Samba changing to cope with his
> mess, it might be a valid change, but the reason for the change is
> invalid.

Well, I think the problem is you _assume_ users are in multiple databases and we just don't know that. I think there is a good chance Alexander perfectly knows what he is doing and users are unique across databases.

Nevertheless, at some point nss is clearly querying winbind, which means nss did not find the user in either /etc/passwd or via sssd. In the case that winbind _is_ queried, Alexander is experiencing, like he wrote, 'frequently system hangs/slowness for a couple of seconds' and he observed that winbind is causing this behaviour.

So maybe we should set our focus on winbind instead of the multiple database stuff and figure out why it behaves like this since the upgrade from 4.7 to 4.8. I would say we should start with fixing the winbind stuff in smb.conf. Right?

-Remy

P.S. I am following this thread since I also noticed occasional 'hangs' when the system is querying winbind. This is Samba 4.8.7 on FreeBSD 11.2.
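As an added illustration of the lookup order Rowland describes ('files sss winbind': the first source that answers wins) and the uniqueness condition Remy names, here is example code written for this page, not taken from the thread or from Samba. It reads the passwd line of a constructed nsswitch.conf and reports logins or uidNumbers that an earlier source would mask in a later one; the per-source listings are constructed samples.

```python
# Added example for this thread (not code from Samba or the list):
# walk the NSS lookup order and flag entries masked by an earlier source.

def nss_sources(nsswitch_text, database="passwd"):
    """Return the source order for `database` from nsswitch.conf text,
    e.g. 'passwd: files sss winbind' -> ['files', 'sss', 'winbind']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Keep source names, drop action tokens such as [NOTFOUND=return].
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []

def find_shadowed(order, listings):
    """listings maps a source name to its (login, uid) entries (constructed
    here; glibc's getent can list one source with 'getent -s <source> passwd').
    Returns (kind, key, winner, masked) tuples: the first source in NSS
    order answers, so an identical login or uid in a later source is
    never reached, which is the ambiguity Rowland points out."""
    seen_login, seen_uid, problems = {}, {}, []
    for src in order:
        for login, uid in listings.get(src, []):
            if login in seen_login:
                problems.append(("login", login, seen_login[login], src))
            else:
                seen_login[login] = src
            if uid in seen_uid:
                problems.append(("uid", uid, seen_uid[uid], src))
            else:
                seen_uid[uid] = src
    return problems

# Constructed sample inputs: the nsswitch line from the thread and three
# small listings. 'fred' exists both locally and in the LDAP-backed sssd
# source; uid 1001 is reused by a winbind-supplied account.
NSSWITCH = """# constructed sample
passwd: files sss winbind
group:  files sss winbind
"""
LISTINGS = {
    "files":   [("root", 0), ("fred", 1001)],
    "sss":     [("alice", 5001), ("fred", 5002)],
    "winbind": [("bob", 10001), ("carol", 1001)],
}

if __name__ == "__main__":
    order = nss_sources(NSSWITCH)
    print("lookup order:", " -> ".join(order))
    for kind, key, winner, masked in find_shadowed(order, LISTINGS):
        print(f"{kind} {key!r}: answered by '{winner}', entry in '{masked}' never reached")
```

A clean report from this check is what makes Remy's "unique across the databases" condition hold; any reported line is a case where NSS will silently answer with the wrong account rather than consult the later source.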