Marc Cornellà
2019-Oct-16 21:07 UTC
[Samba] Winbind queries take longer than 1m30s to complete
When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd
SAMDOM\\user`.
When the winbind cache is small, clients that use a program in a network share
of this server get
timeouts while using the program, due to the cache expiring and the query to the
PDC taking too long.
I've worked around that by setting a winbind cache time longer than the span
of work hours and a cron job that flushes the cache and then runs `wbinfo -u`
and `wbinfo -g` to warm the cache right before work hours. It works for now but
I admit I have no idea what I'm doing.
I've also tried disabling winbind enumeration or setting winbind expand
groups to 1.
Setup:
- AD member server, with a single WS2008R2 PDC.
- Only Samba server in the network and domain.
- Debian Jessie 8.11.
- Samba package, version 2:4.2.14+dfsg-0+deb8u13.
Configuration: (edited domain name, host and user names)
smb.conf:
[global]
workgroup = SAMDOM
netbios name = DEBIAN
realm = SAMDOM.LOCAL
security = ads
# User synchronisation and mapping
winbind expand groups = 4
winbind refresh tickets = yes
winbind offline logon = yes
winbind normalize names = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 50400 # 14h
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
idmap config SAMDOM : unix_nss_info = yes
# /etc/passwd options for synchronised users (disable login)
template shell = /bin/false
template homedir = /nonexistent
# Turn off printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Options to try to work around the locking problem
veto oplock files = *.DBF *.NTX *.dbf *.ntx
blocking locks = no
oplocks = yes
# Logging options
log level = 1 winbind:5
log file = /var/log/samba/log.%m
max log size = 50
#### Debugging/Accounting ####
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
#======================= Share Definitions ======================
[sys]
comment = system folder
path = /home/sys
browseable = yes
read only = no
create mode = 777
create mask = 766
directory mask = 777
[utilitats]
path = /home/utilitats
browseable = yes
writable = yes
read only = no
create mask = 766
directory mask = 777
[home]
path = /home/
browseable = no
writable = yes
read only = no
create mask = 766
directory mask = 777
valid users = user1,admin1
# recyclebin options
vfs object = recycle
recycle:repository = .recycle
recycle:keeptree = Yes
recycle:versions = Yes
krb5.conf:
[libdefaults]
default_realm = SAMDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
SAMDOM.LOCAL = {
admin_server = PDC.SAMDOM.LOCAL
kdc = PDC.SAMDOM.LOCAL
}
[domain_realm]
.samdom.local = SAMDOM.LOCAL
samdom.local = SAMDOM.LOCAL
[logging]
default = SYSLOG
I can also provide winbind logs, just tell me at which log level you need them
to be.
Thanks!
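The flush-and-warm cron job described above, written out as an added example that also records how long each lookup takes (this is not code from the original post). `SLOW_SECS`, `LOG`, the `run` argument and the `SAMDOM\\user` probe account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flush and re-warm the winbind cache
# before work hours (the poster's cron workaround) and log how long each
# lookup takes, so a query drifting towards the client timeout shows up in
# a log rather than in user complaints.
# Assumptions: `net`, `wbinfo` and `getent` are on PATH, the script runs as
# root from cron, and LOG is writable. SLOW_SECS and SAMPLE_USER are
# constructed defaults; SAMDOM\user is the placeholder account from the post.

SLOW_SECS="${SLOW_SECS:-30}"
LOG="${LOG:-/var/log/winbind-warm.log}"
SAMPLE_USER="${SAMPLE_USER:-SAMDOM\\user}"

# run_timed LABEL MAX_SECS CMD...: run CMD with its output discarded and print
# "<timestamp> LABEL ok|slow|fail <seconds>". Returns 0 when CMD succeeded
# within MAX_SECS, 1 when it succeeded but took longer, 2 when it failed.
run_timed() {
    label=$1; max=$2; shift 2
    start=$(date +%s)
    if "$@" >/dev/null 2>&1; then status=0; else status=2; fi
    elapsed=$(( $(date +%s) - start ))
    if [ "$status" -eq 0 ] && [ "$elapsed" -gt "$max" ]; then status=1; fi
    case $status in 0) word=ok ;; 1) word=slow ;; *) word=fail ;; esac
    printf '%s %s %s %ss\n' "$(date '+%F %T')" "$label" "$word" "$elapsed"
    return "$status"
}

# track RC: remember the worst status seen so far in $worst.
track() { [ "$1" -gt "$worst" ] && worst=$1; return 0; }

# warm_cache: flush winbind's cache, then enumerate users and groups and
# resolve one account, appending one log line per step. Returns the worst
# step status (0 all ok, 1 at least one slow, 2 at least one failure).
warm_cache() {
    worst=0
    net cache flush >/dev/null 2>&1 || true
    run_timed users  "$SLOW_SECS" wbinfo -u                    >>"$LOG" || track $?
    run_timed groups "$SLOW_SECS" wbinfo -g                    >>"$LOG" || track $?
    run_timed lookup "$SLOW_SECS" getent passwd "$SAMPLE_USER" >>"$LOG" || track $?
    return "$worst"
}

# Cron entry, e.g.: 30 6 * * 1-5 /usr/local/sbin/winbind-warm.sh run
if [ "${1:-}" = run ]; then
    warm_cache
fi
```

A non-zero exit from `warm_cache` is what to alert on: a `slow` line means the DC lookup is already close to the timeout the clients see, even though the cache will hide it for the rest of the day.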
Rowland penny
2019-Oct-17 08:47 UTC
[Samba] Winbind queries take longer than 1m30s to complete
On 16/10/2019 22:07, Marc Cornellà via samba wrote:
> When I say winbind query I mean from `wbinfo -u` to a simple `getent passwd SAMDOM\\user`.
>
> When the winbind cache is small, clients that use a program in a network share of this server get
> timeouts while using the program, due to the cache expiring and the query to the PDC taking too long.
>
> I've worked around that by setting a winbind cache time longer than the span of work hours and a cron job that flushes the cache and then runs `wbinfo -u` and `wbinfo -g` to warm the cache right before work hours. It works for now but I admit I have no idea what I'm doing.
>
> I've also tried disabling winbind enumeration or setting winbind expand groups to 1.
>
> Setup:
> - AD member server, with a single WS2008R2 PDC.

No, you do not have a PDC, you have a single DC which holds the PDC Emulator FSMO role, the two are entirely different things.

> - Only Samba server in the network and domain.
> - Debian Jessie 8.11.

Upgrade, Jessie is in the last stages of extended support.

> - Samba package, version 2:4.2.14+dfsg-0+deb8u13.

Upgrading would get you a supported version of Samba, 4.2.x went EOL in 2016.

> Configuration: (edited domain name, host and user names)
> smb.conf:
> [global]
> workgroup = SAMDOM
> netbios name = DEBIAN
> realm = SAMDOM.LOCAL
> security = ads
>
> # User synchronisation and mapping
> winbind expand groups = 4

Try lowering the above to 2.

> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind normalize names = yes
> winbind enum users = yes
> winbind enum groups = yes

Remove the 'winbind enum' lines, they will slow things down and are not required.

> winbind cache time = 50400 # 14h
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-99999
> idmap config SAMDOM : unix_nss_info = yes

The 'unix_nss_info' line only makes sense with the 'ad' backend.

> # /etc/passwd options for synchronised users (disable login)
> template shell = /bin/false
> template homedir = /nonexistent
>
> # Turn off printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Options to try to work around the locking problem
> veto oplock files = *.DBF *.NTX *.dbf *.ntx
> blocking locks = no
> oplocks = yes
>
> # Logging options
> log level = 1 winbind:5
> log file = /var/log/samba/log.%m
> max log size = 50
>
> #### Debugging/Accounting ####
>
> panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
> server role = member server
> obey pam restrictions = yes
> unix password sync = yes

As you cannot have users in /etc/passwd and AD, having 'unix password sync' doesn't make sense.

Rowland