[Samba] winbind - timeouts in domain with >100000 domain users


Ralf Gross
Jan 22, 2007, 11:50:28 AM
Hi,

I'm trying out samba with winbind. The domain has >100000 users and
I'm having some problems with the wbinfo and getent programs. The
server is a domain member and running Debian etch (x86_64) with
samba-3.0.23d.

idmap uid = 70000-300000
idmap gid = 70000-300000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template shell = /bin/false
security = domain

$ wbinfo -i emea\\ralfgro
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

$ wbinfo -t
checking the trust secret via RPC calls succeeded

$ id -a ralfgro
...long timeout

$ getent passwd
[local unix users]
...long timeout

Sometimes I get back the list of domain users, but this happens only
rarely. During these commands I can't connect to my shares with my
domain account. Even the top and ps commands seem to hang.

session setup failed: Call timed out: server did not respond after
20000 milliseconds

If I do an 'ls -l' in a directory with files that belong to a domain
user, it sometimes takes ages to return the file list.


I have a local unix account ralfgro that has uid 50789 and a domain
account that is mapped to uid 70000. If I now copy files to the server
using smbclient they are created with my domain uid. If I create files
with an editor on the local fs (vim) they have the uid of my unix
account. Is this the way it should be? I ask this because an old
server should be migrated to this new hardware and there are many unix
accounts and much data that already belong to users. The old server
has never been a member of this domain, only 'security = server'
was used for authentication.

/etc/passwd
ralfgro:x:50789:50789::/home/ralfgro:/bin/sh

$ wbinfo -i emea\\ralfgro
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

$ ls -l /tmp/foo
insgesamt 48
-rw-r--r-- 1 ralfgro ralfgro 5 2007-01-22 14:13 test
-rw-rw---- 1 ralfgro domain users 41180 2007-01-22 14:11 test2

$ ls -ln /tmp/foo
insgesamt 48
-rw-r--r-- 1 50789 50789 5 2007-01-22 14:13 test
-rw-rw---- 1 70000 70000 41180 2007-01-22 14:11 test2


Ralf

Gerald (Jerry) Carter
Jan 22, 2007, 12:10:10 PM

Ralf Gross wrote:
> Hi,
>
> I'm trying out samba with winbind. The domain has >100000 users and
> I'm having some problems with the wbinfo and getent programs. The
> server is a domain member and running Debian etch (x86_64) with
> samba-3.0.23d.
>
> idmap uid = 70000-300000
> idmap gid = 70000-300000
> winbind enum users = yes
> winbind enum groups = yes

Is there any real reason that you have these enabled?


jerry

Ralf Gross
Jan 22, 2007, 12:40:09 PM
Gerald (Jerry) Carter wrote:

> Ralf Gross wrote:
> > Hi,
> >
> > I'm trying out samba with winbind. The domain has >100000 users and
> > I'm having some problems with the wbinfo and getent programs. The
> > server is a domain member and running Debian etch (x86_64) with
> > samba-3.0.23d.
> >
> > idmap uid = 70000-300000
> > idmap gid = 70000-300000
> > winbind enum users = yes
> > winbind enum groups = yes
>
> Is there any real reason that you have these enabled?

From the smb.conf man page:

Warning
Turning off user enumeration may cause some programs to
behave oddly. For example, the finger program relies on
having access to the full user list when searching for
matching usernames. Default: winbind enum users = no

I tried both settings but I couldn't see any difference.

This is with winbind enum users/groups = no

$ wbinfo -t
checking the trust secret via RPC calls succeeded

$ wbinfo -i emea\\ralfgro
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

$ wbinfo -u
...hangs
<ctrl-c>

$ wbinfo -i emea\\ralfgro

Could not get info for user emea\ralfgro

The main problem is not that wbinfo doesn't return all users, it's
the fact that winbind seems to be completely inaccessible afterwards.

[2007/01/22 18:26:14, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
rpc_api_pipe: Remote machine xxxx pipe \NETLOGON fnum 0x4015returned critical
error. Error was Call timed out: server did not respond after 10000
milliseconds
[2007/01/22 18:26:16, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x4015 to
machine SSTRD010. Error was Call timed out: server did not respond after 10000
milliseconds

$ /etc/init.d/winbind stop
Stopping the Winbind daemon: winbind.

$ pgrep -l -f winbind
24262 /usr/sbin/winbindd -B
24263 /usr/sbin/winbindd -B

$ pkill -9 winbindd
$ pgrep -l -f winbind

$ /etc/init.d/winbind start
Starting the Winbind daemon: winbind.

$ wbinfo -i emea\\ralfgro
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false

winbind didn't respond until I killed the process and restarted the daemon.

At the same time winbind hung on this system, I could execute 'wbinfo -i
emea\\ralfgro' on another system with success.

Ralf
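The hang Ralf reports shows up in the log as `rpc_api_pipe` / `cli_rpc_pipe_close` entries carrying "Call timed out". As an added example (not code from the thread or from Samba), this parser groups Samba's header-plus-continuation log entries and pulls out each RPC timeout with the pipe, the machine and the wait, which is what a monitor needs to tell a wedged winbindd from a merely slow one; the log text is a constructed sample modelled on the excerpt above.

```python
import re

# Constructed sample modelled on the log excerpt in this thread (not a live capture).
SAMPLE_LOG = """\
[2007/01/22 18:26:14, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine xxxx pipe \\NETLOGON fnum 0x4015 returned critical
  error. Error was Call timed out: server did not respond after 10000
  milliseconds
[2007/01/22 18:26:16, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \\NETLOGON, fnum 0x4015 to
  machine SSTRD010. Error was Call timed out: server did not respond after 10000
  milliseconds
[2007/01/22 18:30:41, 3] nsswitch/winbindd.c:process_loop(2)
  unrelated debug entry that must not be reported
"""

# A Samba log entry is a header '[YYYY/MM/DD HH:MM:SS, level] file:function(line)'
# followed by one or more continuation lines that together form the message.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
TIMEOUT = re.compile(r"Call timed out: server did not respond after (\d+)\s*milliseconds")
PIPE = re.compile(r"pipe (\\[A-Za-z0-9_]+)")
MACHINE = re.compile(r"[Mm]achine (\S+?)[ .,]")


def parse_entries(text):
    """Group log lines into entries: one dict(ts, level, where, msg) per header line."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries:  # continuation line: append it to the current entry's message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def rpc_timeouts(text):
    """One record per RPC call that timed out: when, where, which pipe, which DC, how long."""
    found = []
    for e in parse_entries(text):
        t = TIMEOUT.search(e["msg"])
        if not t:
            continue  # not a timeout entry (e.g. ordinary debug output)
        pipe = PIPE.search(e["msg"])
        machine = MACHINE.search(e["msg"])
        found.append({"ts": e["ts"], "where": e["where"], "wait_ms": int(t.group(1)),
                      "pipe": pipe.group(1) if pipe else None,
                      "machine": machine.group(1) if machine else None})
    return found
```

Two or more timeouts against the same pipe within a short window, with `wbinfo -p` failing at the same time, is the pattern Ralf had to resolve by killing winbindd; alerting on it is cheaper than waiting for `ls -l` to hang.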

Markus Lauterbach
Jan 22, 2007, 1:40:24 PM
Hi,

I'm using samba version 2.2.9. On the client side I'm using Windows XP.
Samba is running as pdc and while I'm in the office, all works fine. During
my session, I can create documents in my personal folder (for example on my
desktop) and when I log out, all files are synced to my server-side profile.
When I work offline (so that I'm not connected to the pdc) and I create
files (*.docs, *.xls, ...), then these files will be stored in my personal
folders too. The next time I connect to the pdc my local profile will be
synced to the server-side profile. The files on my client are still in the
same direction. Now I log out and the files generated in "offline mode" are
not synced to my server-side profile.

I already checked the samba.log generated for this client, but it's looking
ok.

What do I do wrong? Why are these files not synced by samba as the pdc? Are
there any hints?

Markus

Chris Smith
Jan 22, 2007, 2:10:15 PM
On Monday 22 January 2007 13:10, Markus Lauterbach wrote:
> Are
> there any hints?

For starters, here's a couple of hints:

1) Don't step on another thread by using reply to create a new thread. Your
new subject post gets buried in the current thread and you destroy the
continuity of the current thread.

2) Upgrade to a current version of Samba.

Adam Nielsen
Jan 22, 2007, 11:00:13 PM
> Sometimes I get back the list of domain users, but this happens only
> rarely. During the these commands I can't connect to my shares with my
> domain account. Even the top and ps commands seem to hang.

> security = domain

I had this same issue with security=domain. Changing to security=ads
fixed the problem. It seems that domain mode requires a complete list
of users, whereas ads mode is quite happy to look up single users as
and when required.

I also found that security=domain would not reliably detect changes to
group membership. Sometimes reloading winbind would bring the changes
through, sometimes it wouldn't. Again, changing to security=ads fixed
this.


> I have a local unix account ralfgro that has uid 50789 and a domain
> account that is mapped to uid 70000.

So ralfgro == 50789 and domain == 70000

> If I now copy files to the server using smbclient they are created
> with my domain uid.

Correct, as smbclient is connecting with uid 70000.

> If I create files with an editor on the local fs (vim) they have the
> uid of my unix account.

Correct, assuming you're logged on as ralfgro at the time.

> Is this the way it should be? I ask this, because an old server
> should be migrated to this new hardware and there are many unix
> accounts and much data that already belong to users. The old server
> has never been a member of this domain, only 'security = server' was
> used for authentication.

The only way you can "fix" this is to make sure that each domain
account is mapped to the same UID as the local user. There are a
number of ways of doing this, check the Samba manual for details.

It may be easier to use SMB for authentication as well, so that the
UNIX users no longer log in with their local username, but the SMB
username (which in your case would mean you'd be logging on with UID
70000.) This way you wouldn't need to manually map any domain accounts
to UIDs.

Cheers,
Adam.
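A pre-migration check for the UID problem Adam describes (an added example, not code from the thread or from Samba): it compares the local passwd entries with the passwd-format output of `wbinfo -i` collected for each domain account, and reports logins whose local and domain UIDs differ, local UIDs that winbind has already handed to a different domain user, and local accounts sitting inside the `idmap uid` range. The passwd data is a constructed sample built from the UIDs quoted above.

```python
# Constructed sample inputs built from the figures quoted in this thread (not a live system):
# the local passwd file and the passwd-format output of 'wbinfo -i DOMAIN\user' per account.
IDMAP_UID_RANGE = (70000, 300000)   # 'idmap uid = 70000-300000' from the posted smb.conf

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ralfgro:x:50789:50789::/home/ralfgro:/bin/sh
alice:x:50790:50790::/home/alice:/bin/sh
svcbuild:x:70001:70001::/srv/build:/bin/false
"""

WINBIND_PASSWD = """\
ralfgro:*:70000:70000:Gross, Ralf:/home/EMEA/ralfgro:/bin/false
alice:*:50790:50790:Alice Example:/home/EMEA/alice:/bin/false
bob:*:70001:70001:Bob Example:/home/EMEA/bob:/bin/false
"""


def parse_passwd(text):
    """passwd(5) lines -> {login: uid}; blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users


def audit_idmap(local_text, winbind_text, idmap_range):
    """Find the ownership problems a 'security = server' -> winbind migration runs into.

    mismatch:             same login, different UID locally and in the domain, so files
                          owned by the local UID are not the domain user's over SMB
                          (ralfgro: 50789 locally, 70000 via winbind)
    collision:            a local account's UID that winbind has already given to a
                          different domain user
    local_in_idmap_range: local accounts whose UID lies inside 'idmap uid', where winbind
                          allocates freely; these must be moved or excluded first
    """
    local, domain = parse_passwd(local_text), parse_passwd(winbind_text)
    lo, hi = idmap_range
    domain_by_uid = {uid: name for name, uid in domain.items()}
    mismatch = sorted((n, local[n], domain[n]) for n in local.keys() & domain.keys()
                      if local[n] != domain[n])
    collision = sorted((uid, n, domain_by_uid[uid]) for n, uid in local.items()
                       if uid in domain_by_uid and domain_by_uid[uid] != n)
    in_range = sorted(n for n, uid in local.items() if lo <= uid <= hi)
    return {"mismatch": mismatch, "collision": collision, "local_in_idmap_range": in_range}
```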

Ralf Gross
Jan 25, 2007, 5:20:11 AM
Adam Nielsen wrote:

> > Sometimes I get back the list of domain users, but this happens only
> > rarely. During the these commands I can't connect to my shares with my
> > domain account. Even the top and ps commands seem to hang.
>
> > security = domain
>
> I had this same issue with security=domain. Changing to security=ads
> fixed the problem. It seems that domain mode requires a complete list
> of users, whereas ads mode is quite happy to look up single users as
> and when required.

No difference here with ADS instead of Domain. winbind is nearly
unusable.

$ wbinfo -t
checking the trust secret via RPC calls succeeded

$ wbinfo -g
[nothing/timeout or Error looking up domain groups]

other terminal:

$ wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!

And that's it. I have to kill the winbindd process to get it running
again.

If I avoid requesting the whole user/group list, winbind is doing ok,
but getting the directory listing of a dir with 4 files which belong
to a domain user sometimes takes 30-60 seconds.

At the moment I'm not feeling very confident with winbind in our
environment. Maybe I should stick with 'security = server' and live
with the downside of adding local users/groups...

Another thing I do not quite understand: until now I used 'force
group = +ve' to force the group ownership of a file. This is not
working for the test share I created. In the samba logfile I see
'Forced group ve', but the file belongs to the domain group.

-rw-rw---- 1 ralfgro domain users 0 2007-01-25 10:50 bar.txt

> I also found that security=domain would not reliably detect changes to
> group membership. Sometimes reloading winbind would bring the changes
> through, sometimes it wouldn't. Again, changing to security=ads fixed
> this.
>
>
> > I have a local unix account ralfgro that has uid 50789 and a domain
> > account that is mapped to uid 70000.
>
> So ralfgro == 50789 and domain == 70000
>
> > If I now copy files to the server using smbclient they are created
> > with my domain uid.
>
> Correct, as smbclient is connecting with uid 70000.
>
> > If I create files with an editor on the local fs (vim) they have the
> > uid of my unix account.
>
> Correct, assuming you're logged on as ralfgro at the time.
>
> > Is this the way it should be? I ask this, because an old server
> > should be migrated to this new hardware and there are many unix
> > accounts and much data that already belong to users. The old server
> > has never been a member of this domain, only 'security = server' was
> > used for authentication.
>
> The only way you can "fix" this is to make sure that each domain
> account is mapped to the same UID as the local user. There are a
> number of ways of doing this, check the Samba manual for details.

Can you give me a hint where I can find this in the manual/howto?
Maybe I'm just using the wrong search terms.



> It may be easier to use SMB for authentication as well, so that the
> UNIX users no longer log in with their local username, but the SMB
> username (which in your case would mean you'd be logging on with UID
> 70000.) This way you wouldn't need to manually map any domain accounts
> to UIDs.

I have to look a bit deeper into the authentication documentation. I want
to avoid that all domain members are able to log in to this box. This
server is a multi-purpose server (cvs, svn, apache, samba). For samba
I want to be able to authenticate against ADS and use existing AD
users/groups. Certain users should also get a local home directory on
that server. For cvs, ssh... it would be nice to use AD too, but I
could not find out how I can restrict the login to certain domain
users. I think this is a pam issue.

Ralf

Adam Nielsen
Jan 29, 2007, 7:20:10 PM
> No difference here with ADS instead of Domain. winbind is nearly
> unusable.
>
> $ wbinfo -g
> [nothing/timeout or Error looking up domain groups]

Yes, I think the problem is that when you retrieve the full list of
groups winbind has to assign GIDs to them - if you avoid doing that it
seems to work properly.

The problem I found was that in Domain mode some things (like getting a
directory list) would try to retrieve the full list of groups, whereas
under ADS mode this doesn't seem to happen. Sometimes it takes a few
seconds to show the folder list (it seems that winbind is trying to
reconnect to the AD server) but after that it's usually pretty quick.

You may also have found that doing 'wbinfo -g' has "polluted" the GID
mapping table with thousands of irrelevant IDs, so if possible you can
try deleting that before switching to ADS mode (and then don't pull in
the full list of groups again.)

> An other thing I do not quite understand: until now I used 'force
> group = +ve' to force the group ownership of a file. This is not
> working for the test share I created. In the samba logfile I see '
> Forced group ve', but the file belongs to the domain group.
>
> -rw-rw---- 1 ralfgro domain users 0 2007-01-25 10:50 bar.txt

This is probably because it is forcing the group to be that user's
primary AD group - if you look in AD you'll see there's a mention of
the primary group for POSIX implementations - normally this is set to
Domain Users.

I'm not aware of a way around this (other than changing everyone's
primary group in AD) - I used the GUID bit (chmod g+s) on our folders
so that all the files would inherit the group from the folder itself.
It works well for shared folders, giving access to a single AD group.

> Can you gibe me a hint where I can find this in the manual/howto.
> Maybe I'm just using the wrong search terms.

I'm not sure off the top of my head, but if you look through the
contents page in the manual there's a whole section about joining a
domain and it lists all the various methods of setting up mapping -
this is one of them.

Cheers,
Adam.
