samba - Feb 2019 - winbind causing huge timeouts/delays since 4.8

On Tue, 26 Feb 2019 15:18:35 +0100
Ralph Böhme <slow at samba.org> wrote:
> On Tue, Feb 26, 2019 at 01:32:51PM +0000, Rowland Penny wrote:
> >On Tue, 26 Feb 2019 12:49:42 +0100 Ralph Böhme  wrote:
> >> On Tue, Feb 26, 2019 at 12:45:45PM +0100, Björn JACKE via samba
> >> wrote:
> >> >To reflect the fact that the owner can be a group also,
winbind
> >> >can assign both a mapped uid number and a gid number for
Windows
> >> >users and groups, both uid and gid have the same value and are
the
> >> >xid. That way Samba can also assign the ownership of files to
a
> >> >group. The idmap backend has to be able to support XID though,
not
> >> >all idmap backends do so.
> >>
> >> in particular idmap_autorid, idmap_rid and idmap_script support
> >> this so called mode, idmap_ad doesn't.
> >
> >I take it that xid is used internally by Samba to identify calculated
> >ID's, because the only place a normal user will come across them is
> >in idmap.ldb. If this is correct, then it doesn't really matter
that
> >idmap_ad doesn't support them, because uidNumber & gidNumber
replaces
> >them.
> 
> Iirc it matters: I guess SID history will not work with idmap_ad.
If it doesn't and should, then it needs fixing.
> 
> >From a users point of view, the only way to get an experience similar
> >to Windows is to use idmap_ad.
> 
> From a certain perspective: maybe. But that's a generalisation, I
> wouldn't go over that bridge.
Where I live, you cannot get out of town without going over a bridge ;-)
> 
> Again: for many fileserver scenarios you're better using
> idmap_autorid.
I do wish people would stop talking about 'fileservers', to me this
means a standalone server. In AD you have domain members, either Unix
or Windows and they should work in a similar way.

Your approach seems to be based on nobody using a Samba Unix domain
member as a workstation and only using them as somewhere to store files
etc i.e. a glorified NAS 

Rowland

On Tue, Feb 26, 2019 at 02:44:52PM +0000, Rowland Penny via samba
wrote:
>> Again: for many fileserver scenarios you're better using
>> idmap_autorid.
>
>I do wish people would stop talking about 'fileservers', to me this
>means a standalone server. In AD you have domain members, either Unix
>or Windows and they should work in a similar way.
>
>Your approach seems to be based on nobody using a Samba Unix domain
>member as a workstation and only using them as somewhere to store files
>etc i.e. a glorified NAS
*sigh* Rowland, this is not *my* "approach", this is a common kind of
setup I
regularily encounter as part of my daily work.

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

I run samba for a small business domain (less than 10 users), which to me,
seems like a common (and good) use case.  When I ran a Windows server, it
did it all.  AD DC and file server.  I have figured out how to get samba to
do the same, but not without many a headache and some I'm sure, unsupported
workarounds.  While I fully understand the reasoning behind the desire to
run separate servers for separate uses, in my situation, and I'm sure many
others, it makes absolutely no sense to do so.  We have a mixed environment
(both Linux and Windows clients), and remote users who may not connect to a
DC for a month or so.  This may not be a common setup, but doesn't seem way
out in left field, and it is certainly frustrating that samba can't just
take the place of a Windows server, when that is what seems to be its main
purpose for existing.  The fact that all these different backends even
exist is baffling enough to me, and then the fact that none of them can act
like Windows is even more baffling.

Mike E.

On Tue, Feb 26, 2019 at 9:50 AM Ralph Böhme via samba <samba at
lists.samba.org>
wrote:
> On Tue, Feb 26, 2019 at 02:44:52PM +0000, Rowland Penny via samba wrote:
> >> Again: for many fileserver scenarios you're better using
> >> idmap_autorid.
> >
> >I do wish people would stop talking about 'fileservers', to me
this
> >means a standalone server. In AD you have domain members, either Unix
> >or Windows and they should work in a similar way.
> >
> >Your approach seems to be based on nobody using a Samba Unix domain
> >member as a workstation and only using them as somewhere to store files
> >etc i.e. a glorified NAS
>
> *sigh* Rowland, this is not *my* "approach", this is a common
kind of
> setup I
> regularily encounter as part of my daily work.
>
> -slow
>
> --
> Ralph Boehme, Samba Team                https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>