Rowland Penny
2019-Feb-24 18:53 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, 24 Feb 2019 19:25:14 +0100
Ralph Böhme <slow at samba.org> wrote:

>
> On 24.02.2019 at 18:48, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > On Sun, 24 Feb 2019 18:28:43 +0100 Ralph Böhme <slow at samba.org>
> > wrote:
> >> On 24.02.2019 at 16:42, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>> On Sun, 24 Feb 2019 15:58:39 +0100 Ralph Böhme <slow at samba.org>
> >>> wrote:
> >>>> Another thing that a customer has just been bitten by, was a
> >>>> subtle bug in winbindd's idmap cache that resulted in all
> >>>> xid2sid requests going through the idmap backend, iow winbindd
> >>>> issued LDAP requests. With a few thousand users, things came to
> >>>> a grinding halt.
> >>>>
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=13802
> >>>>
> >>>> Patch just landed upstream.
> >>>
> >>> That is the bug I was referring to and probably (amongst all the
> >>> other cruft) what was causing the OP's problem.
> >>
> >> Unlikely.
> >
> > It was what I thought, but as the OP's setup is so convoluted, it is
> > hard to say.
>
> I don't think it's convoluted, it's certainly beyond the simple
> standard setup we all wish everybody was using, but I don't think it
> is broken as is. I just think an appropriate analysis requires more
> resources than are available on the list.
>
> >>> However, this has nothing to
> >>> do with using the 'ad' backend with Active Directory. We keep
> >>> dancing around this problem, saying things like 'we need to fix
> >>> this', we have been saying this since Samba 4 was released.
> >>
> >> Which problem? Fix what? Been saying what?
> >
> > There have been numerous discussions about the 'ad' backend over the
> > years and they have all gone nowhere. The 'ad' backend still works
> > in the same way as it did when Samba 4 was released and you still
> > have to store the next uidNumber & gidNumber outside AD if you use
> > the Samba tools.
>
> Looks like you're mixing AD DC use case with member server use case.
> Can we please keep that separate? Afaict, the one has nothing to do
> with the other.

So a Samba AD DC has nothing to do with a Unix member server, could have fooled me ;-)
This is the sort of thinking that is holding Samba back. You use any Windows domain computer and you get the same identity; you cannot do this on Unix domain computers.

>
> >>> Windows uses the SID-RID to identify the user and the domain it
> >>> comes from, surely we can find a way to do this for Samba, we are
> >>> half way there with the 'rid' backend.
> >>
> >> I'm not really sure what "there" implies for you, but it seems
> >> idmap_autorid is eventually the backend that takes you "there". :)
> >
> > No it doesn't, at the moment, the only way to get the same ID on all
> > Unix machines (this includes DC's) is to use the 'ad' backend.
>
> Sure. But only certain use cases require the same id on all machines,
> many don't. I'm just saying that you should better not use idmap_ad,
> but instead use eg idmap_autorid unless your setup requires
> idmap_ad.

I am not saying don't use autorid, I am saying that I will not use it, I just do not see the point to it, the 'ad' and 'rid' backends work for most users. Perhaps if there was more documentation, I might change my mind, but it took me long enough to understand the 'ad' backend, but once I did, it all clicked into place. The other problem is that 'ad' is the only one that allows you to set individual login shells and Unix home dirs. Perhaps that is part of the 'problem', there are just too many winbind backends.

>
> > You think autorid is the way forward, well sorry, but in my
> > opinion, it isn't.
>
> Rowland, this is not about *the* way forward, this is about using the
> right backend at the right time.

No Ralph, it is about *the* way forward, Samba needs to get to the point that it works exactly like Windows (or better), Samba has to outdo Windows.

Rowland
On Sun, Feb 24, 2019 at 06:53:04PM +0000, Rowland Penny via samba wrote:
>On Sun, 24 Feb 2019 19:25:14 +0100
>Ralph Böhme <slow at samba.org> wrote:
>> On 24.02.2019 at 18:48, Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >> I'm not really sure what "there" implies for you, but it seems
>> >> idmap_autorid is eventually the backend that takes you "there". :)
>> >
>> > No it doesn't, at the moment, the only way to get the same ID on all
>> > Unix machines (this includes DC's) is to use the 'ad' backend.
>>
>> Sure. But only certain use cases require the same id on all machines,
>> many don't. I'm just saying that you should better not use idmap_ad,
>> but instead use eg idmap_autorid unless your setup requires
>> idmap_ad.
>
>I am not saying don't use autorid, I am saying that I will not use it,
>I just do not see the point to it, the 'ad' and 'rid' backends work for
>most users.

As said, idmap_ad is broken by design, so eg it also doesn't work with trusts. Most users should use idmap_autorid.

>> > You think autorid is the way forward, well sorry, but in my
>> > opinion, it isn't.
>>
>> Rowland, this is not about *the* way forward, this is about using the
>> right backend at the right time.
>
>No Ralph, it is about *the* way forward, Samba needs to get to the
>point that it works exactly like Windows (or better), Samba has to
>outdo Windows.

That's what I'm saying, to behave like Windows you have to stop using idmap_ad. :)

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
Rowland Penny
2019-Feb-25 18:37 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Mon, 25 Feb 2019 19:26:26 +0100
Ralph Böhme <slow at samba.org> wrote:

>
> On Sun, Feb 24, 2019 at 06:53:04PM +0000, Rowland Penny via samba
> wrote:
> >On Sun, 24 Feb 2019 19:25:14 +0100
> >Ralph Böhme <slow at samba.org> wrote:
> >> On 24.02.2019 at 18:48, Rowland Penny via samba
> >> <samba at lists.samba.org> wrote:
> >> >> I'm not really sure what "there" implies for you, but it seems
> >> >> idmap_autorid is eventually the backend that takes you
> >> >> "there". :)
> >> >
> >> > No it doesn't, at the moment, the only way to get the same ID on
> >> > all Unix machines (this includes DC's) is to use the 'ad'
> >> > backend.
> >>
> >> Sure. But only certain use cases require the same id on all
> >> machines, many don't. I'm just saying that you should better not
> >> use idmap_ad, but instead use eg idmap_autorid unless your setup
> >> requires idmap_ad.
> >
> >I am not saying don't use autorid, I am saying that I will not use
> >it, I just do not see the point to it, the 'ad' and 'rid' backends
> >work for most users.
>
> As said, idmap_ad is broken by design, so eg it also doesn't work
> with trusts. Most users should use idmap_autorid.
>
> >> > You think autorid is the way forward, well sorry, but in my
> >> > opinion, it isn't.
> >>
> >> Rowland, this is not about *the* way forward, this is about using
> >> the right backend at the right time.
> >
> >No Ralph, it is about *the* way forward, Samba needs to get to the
> >point that it works exactly like Windows (or better), Samba has to
> >outdo Windows.
>
> That's what I'm saying, to behave like Windows you have to stop using
> idmap_ad. :)
>
> -slow
>

And idmap_autorid is broken by design, it only gets you the ID's, nothing else. I personally think that what is required is something like a cross between the 'ad' backend and everything else. The 'ad' backend to set homedirs, login shells etc and everything else to set the ID's from the RID, the domain could be identified from the SID.

Rowland
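As an added illustration of the scheme Rowland describes above (identify the domain from the SID prefix, derive the Unix ID arithmetically from the RID), here is a small rid-style mapper in Python; it is not code from the thread or from Samba's winbind. The domain SIDs and ID ranges are constructed sample values, and the formula xid = low + (RID - base_rid) is a simplified model of what a rid backend does, not Samba's implementation.

```python
import re

# Constructed sample: two domain SIDs, each assigned its own disjoint
# Unix ID range (low, high). Hypothetical values, not from the thread.
DOMAIN_RANGES = {
    "S-1-5-21-1111111111-2222222222-3333333333": (10000, 19999),  # primary
    "S-1-5-21-4444444444-5555555555-6666666666": (20000, 29999),  # trusted
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str):
    """Split a textual SID into (domain SID, RID). The RID is the last
    sub-authority; everything before it identifies the issuing domain."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_xid(sid: str, base_rid: int = 0):
    """rid-style mapping: xid = low + (RID - base_rid) inside the range
    configured for the SID's domain. Returns None for an unknown domain
    (e.g. a BUILTIN SID) or a RID that falls outside the range; a real
    backend would report such a SID as unmapped rather than invent an ID."""
    domain, rid = split_sid(sid)
    if domain not in DOMAIN_RANGES:
        return None
    low, high = DOMAIN_RANGES[domain]
    xid = low + (rid - base_rid)
    if xid < low or xid > high:
        return None
    return xid


def xid_to_sid(xid: int, base_rid: int = 0):
    """Reverse direction: the range containing xid tells us the domain,
    and the offset within the range gives back the RID. No lookup of
    any external store is needed, which is the point of the scheme."""
    for domain, (low, high) in DOMAIN_RANGES.items():
        if low <= xid <= high:
            return f"{domain}-{xid - low + base_rid}"
    return None
```

Because each domain owns a disjoint range, the same RID in two domains (1104 in both samples) maps to two different xids, and the reverse mapping is unambiguous.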