[Samba] domain member with winbind, slow smbcacls or smbclient listing

Zhuchenko Valery via samba

Nov 24, 2016, 8:50:04 AM
Hi, all!

When I launch (again and again)
smbcacls "//myfileserver/share" "" -U user -W domain
or
smbclient "//myfileserver/share" -U user -W domain -c "ls",
in the tcpdump output on myfileserver I see multiple calls to the controller
via LDAP, so these commands run slowly.

When I run getent groups on myfileserver, everything works fine and the
tcpdump output is empty.
Please help me: where am I going wrong?

Best regards, Valery.

smbd -V
Version 4.2.10

My winbind settings:
testparm -s |grep winbind
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 10
winbind refresh tickets = Yes

security = ads
idmap config * : range = 16777216-33554431
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 100-20000
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

grep -r winbind /etc/pam.d
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:password sufficient pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:password sufficient pam_winbind.so use_authtok


Zhuchenko Valery via samba

Nov 28, 2016, 12:30:02 AM
I think the reason is that some files' ACLs contain a uid or gid that is
absent from the domain.

How can I make winbindd, in this case, not connect to the controller every
time but only update its data periodically, using the parameters winbind
cache time and idmap negative cache time?

I think so because I see these strings in the logs:
...host has no idea of uid ...
...Connected to LDAP server...


[2016/11/27 15:02:01.120598, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:01.120859, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:01.122042, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=DOMAIN
[2016/11/27 15:02:01.122161, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list:....
..........
[2016/11/27 15:02:01.154279, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server
[2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server


Zhuchenko Valery via samba

Nov 28, 2016, 6:00:03 AM
Hi, all

Replacing the owner (when no user corresponds to the file's numeric
user ID) or the group (when no group corresponds to the file's
numeric group ID) solves the problem (partially).

Check the files before making changes and, maybe, save the results:
find "/samba/dir1" \( -nouser -or -nogroup \) -printf "%u:%g:%p\n">saved

Replacements (in my case, perhaps, it is better to select another
owner and group):
find "/samba/dir1" -nouser -exec chown root "{}" \;
find "/samba/dir1" -nogroup -exec chgrp root "{}" \;

Or, if there is no opportunity to make changes, how can I tell winbindd to
read only periodically updated caches? I don't know how to do it.

Best regards,
Valery
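
Added example, not part of the original posts: a shell function that tallies the "host has no idea of uid" lines quoted in the log excerpt above and how many of them were followed by an LDAP connect, which shows the numeric ids worth fixing with the find/chown step. The function names, the per-request attribution rule and the sample log (including uid 4001 and its timestamps) are assumptions made for this example.

```shell
#!/bin/sh
# Reads a winbindd log on stdin and prints "uid misses ldap_connects" per uid.
# An LDAP connect is credited to a uid when it is logged after that uid's miss
# and before the next "child daemon request" line (assumption: that line marks
# the start of the next request handled by the winbindd child).
unmapped_uid_report() {
    awk '
        /child daemon request/ { pending = "" }
        match($0, /host has no idea of uid [0-9]+/) {
            # 24 = length of the literal text before the number
            pending = substr($0, RSTART + 24, RLENGTH - 24)
            miss[pending]++
            next
        }
        /Connected to LDAP server/ && pending != "" {
            ldap[pending]++
            pending = ""
        }
        END { for (u in miss) printf "%s %d %d\n", u, miss[u], ldap[u] + 0 }
    ' | sort -k2,2nr -k1,1n
}

# Constructed sample in the log layout quoted in the thread; uid 4001 is made up.
sample_log() {
    cat <<'EOF'
[2016/11/27 15:02:01.120598, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:01.120859, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:01.154371, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
[2016/11/27 15:02:02.200000, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:02.200300, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 3677
[2016/11/27 15:02:02.240000, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
[2016/11/27 15:02:03.300000, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:03.300300, 4] ../source3/passdb/pdb_interface.c:1401(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: host has no idea of uid 4001
[2016/11/27 15:02:04.400000, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2016/11/27 15:02:04.440000, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server
EOF
}

sample_log | unmapped_uid_report
```

Against a real log, feed the winbindd log file to unmapped_uid_report on stdin; the messages are logged at debug levels 3 and 4, as in the excerpt.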
