David Walling
2019-Aug-30 17:15 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
/etc/samba/user_and_group_map.txt contains Windows username/group to linux username/group mappings. In our setup, all users exist in ldap, as do the directory groups, but the linux user and group information (namely uid/gid) do not. This has been set up such that the users connect to samba as the windows username (ex. PRODUCTION+user1) for an authorized group (PRODUCTION+group1), but the files and permissions on the linux samba server are created and managed with the appropriate uid/gids.

Example:

    linuxuser=PRODUCTION+windowsuser
    G-234=PRODUCTION+directorygroup

I do not believe we are using sssd, but are using winbind. It's quite possible we don't have this set up optimally, but this setup does work as needed, outside of these occasional crash/unresponsive states.

Thanks!

David W.
Rowland Penny
2019-Aug-30 17:52 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
On 30/08/2019 18:15, David Walling wrote:
> /etc/samba/user_and_group_map.txt contains Windows username/group to
> linux username/group mappings. In our setup, all users exist in ldap,
> as do the directory groups, but the linux user and group information
> (namely uid/gid) do not. This has been set up such that the users
> connect to samba as the windows username (ex. PRODUCTION+user1) for an
> authorized group (PRODUCTION+group1), but the files and permissions on
> the linux samba server are created and managed with the appropriate
> uid/gids.
>
> Example:
>
> linuxuser=PRODUCTION+windowsuser
> G-234=PRODUCTION+directorygroup
>
> I do not believe we are using sssd, but are using winbind. It's quite
> possible we don't have this set up optimally, but this setup does work
> as needed, outside of these occasional crash/unresponsive states.
>
> Thanks!
>
> David W.

Why are you doing this? Why not just have everything in AD?

Using AD would allow Windows users & groups to become Unix users and groups, e.g. 'getent passwd rowland' gives me:

    rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

'rowland' is only in AD and nowhere else.

Try using this smb.conf:

    [global]
        workgroup = PRODUCTION
        security = ADS
        realm = PRODUCTION.REDACTED.ORG
        netbios name = service-samba4

        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config PRODUCTION : backend = rid
        idmap config PRODUCTION : range = 100000-200000

        bind interfaces only = yes
        # change eth0 to your network device
        interfaces = eth0
        preferred master = no
        winbind separator = +
        max log size = 20000
        log level = 1 smbd:10
        log file = /var/log/samba/log.%m
        dns proxy = no
        username map = /etc/samba/user.map

        # ACL Settings
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Multichannel
        aio read size = 0
        aio write size = 0

        # Prevent zombie processes
        deadtime = 15
        csc policy = disable

    [share1]
        path = /samba/share1
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        valid users = @"G-817803"
        hosts allow = redacted

and create /etc/samba/user.map with just this content:

    !root = PRODUCTION\Administrator

Restart nmbd, smbd and winbind and run:

    getent passwd PRODUCTION\'A_VALID_USERNAME'

Rowland
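An added illustration, not part of Rowland's message and not Samba's own code: a simplified Python model of the `username map` file format discussed above, run over the map lines quoted in this thread to show how a client name resolves and which client names are handed the root account. The function names are hypothetical, `@group` entries are not evaluated, and matching is modelled as case-insensitive against the original client name.

```python
import re

# Constructed sample: the map lines quoted in the thread, combined in one file.
SAMPLE_MAP = r"""
# unix name = client name(s)
!root = PRODUCTION\Administrator
linuxuser=PRODUCTION+windowsuser
G-234=PRODUCTION+directorygroup
"""

def parse_username_map(text):
    """Parse username map text into (unix_name, client_names, stop) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        stop = line.startswith("!")            # '!' = stop after a match here
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix_name.strip():
            continue                           # not a mapping line
        # Client names are whitespace separated; double quotes keep spaces.
        clients = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix_name.strip(), clients, stop))
    return entries

def resolve(entries, client_name):
    """Return the Unix name for client_name, or None when no line matches."""
    result = None
    for unix_name, clients, stop in entries:
        hit = any(c == "*" or c.lower() == client_name.lower() for c in clients)
        if hit:
            result = unix_name                 # a later line may still remap
            if stop:
                return result                  # '!' line: processing ends here
    return result

def root_mappings(entries):
    """List (unix_name, client) pairs that hand a client the root account."""
    return [(u, c) for u, clients, _ in entries if u == "root" for c in clients]

if __name__ == "__main__":
    parsed = parse_username_map(SAMPLE_MAP)
    for name in (r"PRODUCTION\Administrator", "PRODUCTION+windowsuser"):
        print(name, "->", resolve(parsed, name))
    print("root mappings:", root_mappings(parsed))
```

Running the same functions over a production map file gives a quick review list of every Windows principal that ends up as a privileged Unix account.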
David Walling
2019-Sep-03 13:52 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
Unfortunately I do not have the ability to add the user/group information to AD directly at this time.

Does anyone know exactly what the following error message "means"? It shows up every time these symptoms occur, and if I could understand why the lookup fails, I might be able to prevent the issue.

    "lookup_name_smbconf for CLIENTHOSTNAME$ failed"