> On 23.02.2019 at 22:23, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>>>>> He also has these:
>>>>>
>>>>> idmap config * : rangesize = 1000000
>>>>> idmap config * : range = 1000000-19999999
>>>>> idmap config * : backend = autorid
>>>>>
>>>>> The '*' domain is meant for the Well Known SIDs and anything
>>>>> outside the Samba domain. I would have expected something like
>>>>> this:
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 3000-7999
>>>>> idmap config OPS : backend = rid
>>>>> idmap config OPS : range = 10000-999999
>>>>
>>>> That should also be fixed.
>>>>
>>>>
>> We use this as we have a multi-domain setup on windows side and this
>> is a suggested setup from wiki.samba.org:
>> https://wiki.samba.org/index.php/Idmap_config_autorid
>
> Cannot argue with that fact, it is there, but it also says it is meant
> to be used with the 'DOMAIN' domain not the '*' domain, looks like I
> will have to make that more prominent.

idmap_autorid can be used as default domain, Alexander's idmap config is perfectly fine.

-slow
Rowland Penny
2019-Feb-24 08:16 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sat, 23 Feb 2019 22:45:04 +0100 Ralph Böhme <slow at samba.org> wrote:

>
> > On 23.02.2019 at 22:23, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >>>>> He also has these:
> >>>>>
> >>>>> idmap config * : rangesize = 1000000
> >>>>> idmap config * : range = 1000000-19999999
> >>>>> idmap config * : backend = autorid
> >>>>>
> >>>>> The '*' domain is meant for the Well Known SIDs and anything
> >>>>> outside the Samba domain. I would have expected something like
> >>>>> this:
> >>>>>
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 3000-7999
> >>>>> idmap config OPS : backend = rid
> >>>>> idmap config OPS : range = 10000-999999
> >>>>
> >>>> That should also be fixed.
> >>>>
> >>>>
> >> We use this as we have a multi-domain setup on windows side and
> >> this is a suggested setup from wiki.samba.org:
> >> https://wiki.samba.org/index.php/Idmap_config_autorid
> >
> > Cannot argue with that fact, it is there, but it also says it is
> > meant to be used with the 'DOMAIN' domain not the '*' domain, looks
> > like I will have to make that more prominent.
>
> idmap_autorid can be used as default domain, Alexander's idmap config
> is perfectly fine.
>
> -slow

Well yes, it could be used for the default domain, but what about the 'DOMAIN' domain?

From my understanding, the default range is meant for the Well Known SIDs and anything outside the given domains and there are less than two hundred Well known SIDs.

To be honest, I have never really seen the point to autorid, it just seems to be the 'rid' backend with a way to set the range size.

I will stick to recommending using 'tdb' for the '*' domain and 'ad' or 'rid' for any other domains.

Rowland
Volker Lendecke
2019-Feb-24 11:14 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, Feb 24, 2019 at 08:16:55AM +0000, Rowland Penny via samba wrote:
> Well yes, it could be used for the default domain, but what about the
> 'DOMAIN' domain ?
>
> From my understanding, the default range is meant for the Well Known
> SIDs and anything outside the given domains and there are less than two
> hundred Well known SIDs.
>
> To be honest, I have never really seen the point to autorid, it just
> seems to be the 'rid' backend with a way to set the range size.
>
> I will stick to recommending using 'tdb' for the '*' domain and 'ad'
> or 'rid' for any other domains.

Autorid is made to combine the efficiency of rid with the ease of configuration of tdb. tdb generates a lot of entries in its database, autorid is very small. For me, if we could, we would make autorid the default these days. But this would break too many existing tdb default setups. Of course, wherever people have SFU maintained in AD, that is clearly preferable. For everybody else, I think autorid is just a great idea. But that's mostly me :-)

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Managing directors: Dr. Johannes Loxen and Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
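
An added example, not part of the thread and not Samba's own code: a Python sketch that parses the two idmap configurations quoted in this thread, checks that no two idmap domains have overlapping ID ranges, and computes how many per-domain ranges an autorid range provides. The function names are hypothetical, the third sample config is constructed, and the rangesize default of 100000 is taken from the idmap_autorid manual page.

```python
import re

# Matches smb.conf lines such as "idmap config OPS : range = 10000-999999".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

ALEXANDER = """            # autorid as default domain, as quoted in the thread
idmap config * : rangesize = 1000000
idmap config * : range = 1000000-19999999
idmap config * : backend = autorid
"""
ROWLAND = """              # tdb for '*', rid for OPS, as quoted in the thread
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config OPS : backend = rid
idmap config OPS : range = 10000-999999
"""
BROKEN = """               # constructed: '*' range runs into the OPS range
idmap config * : backend = tdb
idmap config * : range = 3000-19999
idmap config OPS : backend = rid
idmap config OPS : range = 10000-999999
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def id_range(opts):
    """Parse 'low-high' into a pair of integers."""
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high

def overlaps(domains):
    """Pairs of idmap domains whose ID ranges intersect; should be empty."""
    items = sorted((id_range(o), d) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, ((_, hi1), a) in enumerate(items)
            for (lo2, _), b in items[i + 1:] if lo2 <= hi1]

def autorid_slots(opts):
    """(number of per-domain ranges, IDs left unused) for an autorid domain."""
    low, high = id_range(opts)
    size = int(opts.get("rangesize", 100000))  # default per idmap_autorid(8)
    return divmod(high - low + 1, size)

if __name__ == "__main__":
    print("autorid ranges:", autorid_slots(parse_idmap(ALEXANDER)["*"]))
    print("overlaps:", overlaps(parse_idmap(ROWLAND)), overlaps(parse_idmap(BROKEN)))
```
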