On 26/06/2023 18:20, Kees van Vloten via samba wrote:
> I am quite convinced it is not a DNS issue, although those lookups
> obviously fail when you pull the network plug (I guess installing
> something like dnsmasq can prevent that). The issue is in the nss
> lookups of users and groups: getent passwd <user> or getent passwd
> <group>, which implies something in winbind-nss.
> I have been using the "lock directory" parameter on my Debian (Bullseye)
> machines since nearly forever and added the "winbind request timeout"
> recently (after the discussion here), which probably help to reduce the
> effects but do not solve the issue.
>

The problem for me is that I struggle to get the symptoms that Marco does.
I have Ubuntu 22.04 running in a VM, it is set up as a Unix domain member, using the 'rid' idmap backend.

It works as expected, if I disconnect the network, sometimes it starts running slow, but only sometimes, other times you cannot tell the difference.

Now you could be correct about the dns, and I am now beginning to think that Marco's problem has nothing to do with Samba, there is something not set up correctly in the OS, but what, I do not know.

Has anyone got any suggestions that Marco can try?

Rowland

On 26-06-2023 20:12, Rowland Penny via samba wrote:
>
>
> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
>
>> I am quite convinced it is not a DNS issue, although those lookups
>> obviously fail when you pull the network plug (I guess installing
>> something like dnsmasq can prevent that). The issue is in the nss
>> lookups of users and groups: getent passwd <user> or getent passwd
>> <group>, which implies something in winbind-nss.
>> I have been using the "lock directory" parameter on my Debian
>> (Bullseye) machines since nearly forever and added the "winbind
>> request timeout" recently (after the discussion here), which probably
>> help to reduce the effects but do not solve the issue.
>>
>
> The problem for me is that I struggle to get the symptoms that Marco
> does.
> I have Ubuntu 22.04 running in a VM, it is set up as a Unix domain
> member, using the 'rid' idmap backend.
>
> It works as expected, if I disconnect the network, sometimes it starts
> running slow, but only sometimes, other times you cannot tell the
> difference.
>
> Now you could be correct about the dns, and I am now beginning to
> think that Marco's problem has nothing to do with Samba, there is
> something not set up correctly in the OS, but what, I do not know.

I am using rfc2307 and I have been experiencing similar issues since my first message on this topic 2 years ago. Could it be related to the (rfc2307-) idmap backend?

One other thing is that I am using rbac which leans heavily on nested groups, perhaps that is causing issues with caching in winbind?

>
> Has anyone got any suggestions that Marco can try?
>
> Rowland
>

Markus Dellermann
2023-Jun-26 18:55 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04
Hi Marco, Rowland, Kees, and all others...

On Monday, 26 June 2023, 20:12:26 CEST, Rowland Penny via samba wrote:
> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
> > I am quite convinced it is not a DNS issue, although those lookups
> > obviously fail when you pull the network plug (I guess installing
> > something like dnsmasq can prevent that). The issue is in the nss
> > lookups of users and groups: getent passwd <user> or getent passwd
> > <group>, which implies something in winbind-nss.
> > I have been using the "lock directory" parameter on my Debian (Bullseye)
> > machines since nearly forever and added the "winbind request timeout"
> > recently (after the discussion here), which probably help to reduce the
> > effects but do not solve the issue.
>
> The problem for me is that I struggle to get the symptoms that Marco does.
> I have Ubuntu 22.04 running in a VM, it is set up as a Unix domain
> member, using the 'rid' idmap backend.
>
> It works as expected, if I disconnect the network, sometimes it starts
> running slow, but only sometimes, other times you cannot tell the
> difference.
>
> Now you could be correct about the dns, and I am now beginning to think
> that Marco's problem has nothing to do with Samba, there is something
> not set up correctly in the OS, but what, I do not know.
>
> Has anyone got any suggestions that Marco can try?
>
> Rowland

Marco, you are using the ad-backend, right?
Have you tried with rid-backend or at least "idmap config LNFFVG : unix_nss_info = no" in smb.conf?

Some time ago I had "this" problem with some openSUSE-based clients. If I remember correctly, behavior was better after changing smb.conf to rid-backend.

Updating to 4.18 could also be a good idea, because there are some changes which should help.

Good luck! (sorry for bad English)

Markus