Slow, Incorrect Group Resolution through Winbind


Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
Hello. I am observing some strange behavior on a Linux system that has
joined a Windows Active Directory domain using the Samba suite. Our servers
are based on Ubuntu v12.04 but have kernel v3.12.17 and Samba v4.3.6.

The problem that I'm trying to understand is that group name resolution
through Winbind occasionally fails. Here's an example where one group name
could not be resolved. This causes "groups" to hang, presumably because it
is waiting for Winbind to provide the name and Winbind is waiting for the
domain controller:

editshare@es-exp1:~$ time groups dwill627
dwill627 : domain users _adsso_editors editors exp1-promos groups: cannot
find name for group ID 16777230
16777230 KUTZTOWN\computeradministrativeaccessclassrooms allstudents
KUTZTOWN\oitfs_software_r
KUTZTOWN\computeradministrativeaccessconferencerooms
KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
BUILTIN\users

real    1m21.472s
user    0m0.064s
sys     0m0.000s

However, the user dwill627 is apparently not a member of the group with ID
16777230:

editshare@es-exp1:~$ getent group 16777230
KUTZTOWN\computeradministrativeaccesslabs:x:16777230:KUTZTOWN\techcreel,KUTZTOWN\techstamm,KUTZTOWN\techeben,KUTZTOWN\techjulian,KUTZTOWN\chemnmr,KUTZTOWN\librarypatron,KUTZTOWN\olympiad,KUTZTOWN\labprint

I don't understand why there is this discrepancy.

Here's the global configuration as reported by "testparm:"

[global]
        workgroup = STUDENTS
        realm = STUDENTS.KUTZTOWN.EDU
        server string = es-exp1
        security = ADS
        password server = kustudc01.students.kutztown.edu,
kustudc02.students.kutztown.edu
        smb passwd file = /var/cache/samba/smbpasswd
        passdb backend = smbpasswd
        restrict anonymous = 2
        log file = /var/log/samba/log.%I
        server max protocol = SMB2_22
        max protocol = SMB2_22
        protocol = SMB2_22
        max xmit = 65535
        unix extensions = No
        max open files = 32768
        socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
        load printers = No
        printcap name = /dev/null
        machine password timeout = 0
        os level = 33
        dns proxy = No
        wins support = Yes
        ldap debug level = 1
        ldap debug threshold = 5
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template homedir = /home/%U
        template shell = /sbin/nologin
        winbind use default domain = Yes
        winbind expand groups = 1
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        aio read size = 1
        aio write size = 1
        use sendfile = Yes
        include = /etc/samba/smb.0.0.0.0.conf
        wide links = Yes

I know that we are using some deprecated options, but this configuration
typically works well for us. From that whole config, these are the few
options that I have added in the course of troubleshooting this system
(some of which are unrelated to my current question):

ldap debug level = 1
ldap debug threshold = 5
log level = winbind:5
password server = kustudc01.students.kutztown.edu
kustudc02.students.kutztown.edu
winbind request timeout = 10

Besides the logging options, allow me to explain the other two: I set
"password server" to restrict Winbind from contacting DCs that it can't
actually reach. For reasons that I do not completely understand, our
customer has set up DNS such that it provides SRV records that point to
hosts that we are prevented from accessing by a firewall. The two DCs that
I've listed for "password server" are the ones that are accessible to our
server (on the same side of the firewall). I set "winbind request timeout"
to attempt to deal with the unusually long time to resolve group IDs to
group name. My thought is that if we can't resolve a GID because a DC is
taking too long to reply, a short timeout should either cause Winbind to
try another DC or give up altogether. I've lightly tested this change and
it seems to help.

One theory that I have is that Winbind is still trying to contact one of
the inaccessible DCs to do group ID resolution. (I understand that the GID
comes from the idmap mechanism, not the DC, but I imagine that there still
must be some initial interaction with the DC. Is that accurate?) Does
"password server" affect group ID resolution? Or is it only used for user
authentication as the manual suggests? If it has nothing to do with group
ID resolution, is there a corresponding option for Winbind that would have
this effect? (I couldn't find one.)

But even if I could explain that part of it (GID resolution taking a very
long time), the other behavior is also quite confusing: Considering the
example with the dwill627 account that I showed, why is "groups dwill627"
attempting to resolve GID 16777230 if "getent group 16777230" indicates
that dwill627 isn't a member? Is there a problem in the idmap?

Regards,
Rich Otero
Technical Support and Professional Services
EditShare
[hidden email]
617-782-0479
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 10:48:18 -0400
Rich Otero via samba <[hidden email]> wrote:

> Hello. I am observing some strange behavior on a Linux system that has
> joined a Windows Active Directory domain using the Samba suite. Our
> servers are based on Ubuntu v12.04 but have kernel v3.12.17 and Samba
> v4.3.6.
>
> The problem that I'm trying to understand is that group name
> resolution through Winbind occasionally fails. Here's an example
> where one group name could not be resolved. This causes "groups" to
> hang, presumably because it is waiting for Winbind to provide the
> name and Winbind is waiting for the domain controller:
>
> editshare@es-exp1:~$ time groups dwill627
> dwill627 : domain users _adsso_editors editors exp1-promos groups:
> cannot find name for group ID 16777230
> 16777230 KUTZTOWN\computeradministrativeaccessclassrooms allstudents
> KUTZTOWN\oitfs_software_r
> KUTZTOWN\computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real    1m21.472s
> user    0m0.064s
> sys     0m0.000s
>
> However, the user dwill627 is apparently not a member of the group
> with ID 16777230:
>
> editshare@es-exp1:~$ getent group 16777230
> KUTZTOWN\computeradministrativeaccesslabs:x:16777230:KUTZTOWN\techcreel,KUTZTOWN\techstamm,KUTZTOWN\techeben,KUTZTOWN\techjulian,KUTZTOWN\chemnmr,KUTZTOWN\librarypatron,KUTZTOWN\olympiad,KUTZTOWN\labprint
>
> I don't understand why there is this discrepancy.
>
> Here's the global configuration as reported by "testparm:"
>
> [global]
>         workgroup = STUDENTS
>         realm = STUDENTS.KUTZTOWN.EDU
>         server string = es-exp1
>         security = ADS
>         password server = kustudc01.students.kutztown.edu,
> kustudc02.students.kutztown.edu
>         smb passwd file = /var/cache/samba/smbpasswd
>         passdb backend = smbpasswd
>         restrict anonymous = 2
>         log file = /var/log/samba/log.%I
>         server max protocol = SMB2_22
>         max protocol = SMB2_22
>         protocol = SMB2_22
>         max xmit = 65535
>         unix extensions = No
>         max open files = 32768
>         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
>         load printers = No
>         printcap name = /dev/null
>         machine password timeout = 0
>         os level = 33
>         dns proxy = No
>         wins support = Yes
>         ldap debug level = 1
>         ldap debug threshold = 5
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template homedir = /home/%U
>         template shell = /sbin/nologin
>         winbind use default domain = Yes
>         winbind expand groups = 1
>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = tdb
>         aio read size = 1
>         aio write size = 1
>         use sendfile = Yes
>         include = /etc/samba/smb.0.0.0.0.conf
>         wide links = Yes
>

Sorry, but your smb.conf is borked: you seem to have a mixture of
deprecated settings combined with the new way of doing things. Can I
suggest you go and read these wiki pages:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid

I feel I should also point out that both Ubuntu 12.04 and Samba 4.3.6 are
EOL.

Rowland




Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, Sep 13, 2017 at 10:48 AM, Rich Otero via samba
<[hidden email]> wrote:

>         server max protocol = SMB2_22
>         max protocol = SMB2_22
>         protocol = SMB2_22

The 3 lines above all mean the same thing; the last 2 are synonyms of the first.
Taking a peek at "man smb.conf" is a good place to start.

>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431

The above 2 lines should be dropped.

>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = tdb

Should be more like:
         idmap config STUDENTS : range = 16777216-33554431
         idmap config STUDENTS : backend = tdb

...plus something like:
         idmap config * : range = 10000-20000
         idmap config * : backend = tdb
... using a different range than configured for STUDENTS.

Again "man smb.conf" is your friend.

> I know that we are using some deprecated options, but this configuration
> typically works well for us.

Apparently not :-)

> Besides the logging options, allow me to explain the other two: I set
> "password server" to restrict Winbind from contacting DCs that it can't
> actually reach.

Not really sure that the "password server" parameter has any effect on
winbind; think it's just an smbd directive.

Chris


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 11:18:59 -0400
Sonic via samba <[hidden email]> wrote:

> On Wed, Sep 13, 2017 at 10:48 AM, Rich Otero via samba
> <[hidden email]> wrote:
>

> >         idmap config * : range = 16777216-33554431
> >         idmap config * : backend = tdb
>
> Should be more like:
>          idmap config STUDENTS : range = 16777216-33554431
>          idmap config STUDENTS : backend = tdb
>
> ...plus something like:
>          idmap config * : range = 10000-20000
>          idmap config * : backend = tdb
> ... using a different range than configured for STUDENTS.
>
> Again "man smb.conf" is your friend.

Obviously not, from the above ;-)

I would expect something like:

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = rid
        idmap config STUDENTS : range = 16777216-33554431

Rowland






Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
<[hidden email]> wrote:

> On Wed, 13 Sep 2017 11:18:59 -0400
> Sonic via samba <[hidden email]> wrote:
>
>> Should be more like:
>>          idmap config STUDENTS : range = 16777216-33554431
>>          idmap config STUDENTS : backend = tdb
>>
>> ...plus something like:
>>          idmap config * : range = 10000-20000
>>          idmap config * : backend = tdb
>> ... using a different range than configured for STUDENTS.
>>
>> Again "man smb.conf" is your friend.
>
> Obviously not, from the above ;-)
>
> I would expect something like:
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config STUDENTS : backend = rid
>         idmap config STUDENTS : range = 16777216-33554431
>

Are you stating that only one assignment of tdb can be defined? I use
the rid backend for the domains that are hosted on another server but
wasn't sure whether or not multiple tdb backend assignments were
allowed. Although I've never tried it, the man page does not appear to
state that tdb cannot be used for multiple backends. But I'm reading
the man page for 4.7.0rc5 which may be different.

Chris


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 11:58:27 -0400
Sonic <[hidden email]> wrote:

> On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
> <[hidden email]> wrote:
> > On Wed, 13 Sep 2017 11:18:59 -0400
> > Sonic via samba <[hidden email]> wrote:
> >
> >> Should be more like:
> >>          idmap config STUDENTS : range = 16777216-33554431
> >>          idmap config STUDENTS : backend = tdb
> >>
> >> ...plus something like:
> >>          idmap config * : range = 10000-20000
> >>          idmap config * : backend = tdb
> >> ... using a different range than configured for STUDENTS.
> >>
> >> Again "man smb.conf" is your friend.
> >
> > Obviously not, from the above ;-)
> >
> > I would expect something like:
> >
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
> >         idmap config STUDENTS : backend = rid
> >         idmap config STUDENTS : range = 16777216-33554431
> >
>
> Are you stating that only one assignment of tdb can be defined? I use
> the rid backend for the domains that are hosted on another server but
> wasn't sure whether or not multiple tdb backend assignments were
> allowed. Although I've never tried it, the man page does not appear to
> state that tdb cannot be used for multiple backends. But I'm reading
> the man page for 4.7.0rc5 which may be different.
>
> Chris

For the '*' domain you should only use the tdb backend (note, you cannot
use the rid backend).

For the 'DOMAIN' domain you can use several different backends (rid, ad
etc.) but I wouldn't use the tdb backend; how are you going to be sure
you will get the same IDs on all Unix machines?
If you use the 'rid' backend and the same range on all Unix machines,
you will get the same IDs without having to add anything to AD.

Rowland


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
<[hidden email]> wrote:
> For the 'DOMAIN' domain you can use several different backends (rid, ad
> etc.) but I wouldn't use the tdb backend; how are you going to be sure
> you will get the same IDs on all Unix machines?

That's exactly why I personally use rid for the DOMAIN domain.
However, you seemed to suggest that my post was incorrect because I
left the OP's desired backend (not my choice) in place during my
reply, which still, as far as I can tell, is not an incorrect
configuration via the info in the man page. If indeed my answer was
incorrect then the man page needs some updating.

Chris


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
Thanks for the help and suggestions.

I've removed the deprecated options "idmap uid" and "idmap gid" and
explicitly set "idmap config * : range" and "idmap config * : backend." New
output from testparm is at the end of this message. (But note that
previously I was only setting "idmap uid" and "idmap gid" in the
configuration files, not specifying the old and new options
simultaneously. The "idmap config" options were apparently implied since
they're favored over the deprecated options.)

Despite that, I still have the same problem:

editshare@es-exp1:~$ time groups dwill627
dwill627 : groups: cannot find name for group ID 131073
131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
computeradministrativeaccesslabs
KUTZTOWN\computeradministrativeaccessclassrooms
allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
computeradministrativeaccessconferencerooms KUTZTOWN\mediasiteviewonly pcns
kup-passpol-stu-temp editshareusers BUILTIN\users

real    3m56.156s
user    0m0.072s
sys     0m0.000s

editshare@es-exp1:~$ getent group 131073
editshare@es-exp1:~$ echo $?
2

Is it required to set "idmap config" for both the STUDENTS domain and all
other domains like so?

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config STUDENTS : backend = tdb
idmap config STUDENTS : range = 16777216-33554431

Or can I simply set only the catch-all configuration without setting it for
individual domains? This is how we have historically done it.

idmap config * : backend = tdb
idmap config * : range = 16777216-33554431

-----

amended config:

[global]
        workgroup = STUDENTS
        realm = STUDENTS.KUTZTOWN.EDU
        server string = es-exp1
        security = ADS
        password server = kustudc01.students.kutztown.edu
kustudc02.students.kutztown.edu
        smb passwd file = /var/cache/samba/smbpasswd
        passdb backend = smbpasswd
        restrict anonymous = 2
        log file = /var/log/samba/log.%I
        server max protocol = SMB2_22
        max protocol = SMB2_22
        protocol = SMB2_22
        max xmit = 65535
        unix extensions = No
        max open files = 32768
        socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
        load printers = No
        printcap name = /dev/null
        machine password timeout = 0
        os level = 33
        dns proxy = No
        wins support = Yes
        ldap debug level = 1
        ldap debug threshold = 5
        template homedir = /home/%U
        template shell = /sbin/nologin
        winbind request timeout = 10
        winbind use default domain = Yes
        winbind expand groups = 1
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        aio read size = 1
        aio write size = 1
        use sendfile = Yes
        include = /etc/samba/smb.0.0.0.0.conf
        wide links = Yes

Regards,
Rich Otero
Technical Support and Professional Services
EditShare
[hidden email]
617-782-0479

On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Wed, 13 Sep 2017 11:58:27 -0400
> Sonic <[hidden email]> wrote:
>
> > On Wed, Sep 13, 2017 at 11:32 AM, Rowland Penny via samba
> > <[hidden email]> wrote:
> > > On Wed, 13 Sep 2017 11:18:59 -0400
> > > Sonic via samba <[hidden email]> wrote:
> > >
> > >> Should be more like:
> > >>          idmap config STUDENTS : range = 16777216-33554431
> > >>          idmap config STUDENTS : backend = tdb
> > >>
> > >> ...plus something like:
> > >>          idmap config * : range = 10000-20000
> > >>          idmap config * : backend = tdb
> > >> ... using a different range than configured for STUDENTS.
> > >>
> > >> Again "man smb.conf" is your friend.
> > >
> > > Obviously not, from the above ;-)
> > >
> > > I would expect something like:
> > >
> > >         idmap config * : backend = tdb
> > >         idmap config * : range = 3000-7999
> > >         idmap config STUDENTS : backend = rid
> > >         idmap config STUDENTS : range = 16777216-33554431
> > >
> >
> > Are you stating that only one assignment of tdb can be defined? I use
> > the rid backend for the domains that are hosted on another server but
> > wasn't sure whether or not multiple tdb backend assignments were
> > allowed. Although I've never tried it, the man page does not appear to
> > state that tdb cannot be used for multiple backends. But I'm reading
> > the man page for 4.7.0rc5 which may be different.
> >
> > Chris
>
> For the '*' domain you should only use the tdb backend (note, you cannot
> use the rid backend).
>
> For the 'DOMAIN' domain you can use several different backends (rid, ad
> etc.) but I wouldn't use the tdb backend; how are you going to be sure
> you will get the same IDs on all Unix machines?
> If you use the 'rid' backend and the same range on all Unix machines,
> you will get the same IDs without having to add anything to AD.
>
> Rowland
>
>

Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 12:37:17 -0400
Sonic <[hidden email]> wrote:

> On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
> <[hidden email]> wrote:
> > For the 'DOMAIN' domain you can use several different backends
> > (rid, ad etc.) but I wouldn't use the tdb backend; how are you going
> > to be sure you will get the same IDs on all Unix machines?
>
> That's exactly why I personally use rid for the DOMAIN domain.
> However, you seemed to suggest that my post was incorrect because I
> left the OP's desired backend (not my choice) in place during my
> reply, which still, as far as I can tell, is not an incorrect
> configuration via the info in the man page. If indeed my answer was
> incorrect than the man page needs some updating.
>
> Chris

You posted:

Should be more like:
         idmap config STUDENTS : range = 16777216-33554431
         idmap config STUDENTS : backend = tdb

And, yes, the smb.conf manpage does say this:

These are suitable for use in the default idmap configuration.

and refers to tdb, tdb2 and ldap. I wouldn't use any of these on a Unix
domain member, because the manpage also says this:

these create mappings of their own using internal unixid counters and
store the mappings in a database.

This means there is no way to ensure that users and groups will get the
same ID on different Unix domain members.

Rowland


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, Sep 13, 2017 at 12:49 PM, Rowland Penny via samba
<[hidden email]> wrote:

> And, yes the smb.conf manpage does say this:
>
> These are suitable for use in the default idmap configuration.
>
> and refers to tdb, tdb2 and ldap. I wouldn't use any of these on a Unix
> domain member, because the manpage also says this:
>
> these create mappings of their own using internal unixid counters and
> store the mappings in a database.
>
> This means there is no way to ensure that users and groups will get the
> same ID on different Unix domain members.

I'm the first to agree that using tdb for the DOMAIN domain is not
ideal. However, it is not invalid (as far as I can tell from the
documentation).

Chris


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 12:42:06 -0400
Rich Otero <[hidden email]> wrote:

> Thanks for the help and suggestions.
>
> I've removed the deprecated options "idmap uid" and "idmap gid" and
> explicitly set "idmap config * : range" and "idmap config * :
> backend." New output from testparm is at the end of this message.
> (But note that previously I was only setting "idmap uid" and "idmap
> gid" in the configuration files, not using specifying the old and new
> options simultaneously. The "idmap config" options were apparently
> implied since they're favored over the deprecated options.)
>
> Despite that, I still have the same problem:
>
> editshare@es-exp1:~$ time groups dwill627
> dwill627 : groups: cannot find name for group ID 131073
> 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> computeradministrativeaccesslabs
> KUTZTOWN\computeradministrativeaccessclassrooms
> allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> computeradministrativeaccessconferencerooms
> KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> BUILTIN\users
>
> real    3m56.156s
> user    0m0.072s
> sys     0m0.000s
>
> editshare@es-exp1:~$ getent group 131073
> editshare@es-exp1:~$ echo $?
> 2
>
> Is it required to set "idmap config" for both the STUDENTS domain and
> all other domains like so?
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config STUDENTS : backend = tdb
> idmap config STUDENTS : range = 16777216-33554431

Yes

>
> Or can I simply set only the catch-all configuration without setting
> it for individual domains? This is how we have historically done it.
>
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431

This puts everything into the '*' domain and is wrong.

>
> -----
>
> amended config:
>
> [global]
>         workgroup = STUDENTS
>         realm = STUDENTS.KUTZTOWN.EDU
>         server string = es-exp1
>         security = ADS
>         password server = kustudc01.students.kutztown.edu
> kustudc02.students.kutztown.edu

Remove the next three lines

>         smb passwd file = /var/cache/samba/smbpasswd
>         passdb backend = smbpasswd
>         restrict anonymous = 2
>         log file = /var/log/samba/log.%I
>         server max protocol = SMB2_22
>         max protocol = SMB2_22
>         protocol = SMB2_22
>         max xmit = 65535
>         unix extensions = No
>         max open files = 32768
>         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
>         load printers = No
>         printcap name = /dev/null

remove the next two lines, you do not need them.

>         machine password timeout = 0
>         os level = 33
>         dns proxy = No
>         wins support = Yes

remove the next two lines, you do not need them.

>         ldap debug level = 1
>         ldap debug threshold = 5
>         template homedir = /home/%U
>         template shell = /sbin/nologin
>         winbind request timeout = 10
>         winbind use default domain = Yes
>         winbind expand groups = 1

You also need the 'DOMAIN' lines; set these to the range below,
then change the line below to a different range that does not overlap.

>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = tdb
>         aio read size = 1
>         aio write size = 1
>         use sendfile = Yes
>         include = /etc/samba/smb.0.0.0.0.conf
>         wide links = Yes
>

Rowland


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 12:55:58 -0400
Sonic <[hidden email]> wrote:

> On Wed, Sep 13, 2017 at 12:49 PM, Rowland Penny via samba
> <[hidden email]> wrote:
> > And, yes the smb.conf manpage does say this:
> >
> > These are suitable for use in the default idmap configuration.
> >
> > and refers to tdb, tdb2 and ldap. I wouldn't use any of these on a
> > Unix domain member, because the manpage also says this:
> >
> > these create mappings of their own using internal unixid counters
> > and store the mappings in a database.
> >
> > This means there is no way to ensure that users and groups will get
> > the same ID on different Unix domain members.
>
> I'm the first to agree that using tdb for the DOMAIN domain is not
> ideal. However, it is not invalid (as far as I can tell from the
> documentation).
>
> Chris

I am not saying it is invalid, I am just saying you should not use them
for the 'DOMAIN' backend because you have no way to get consistent IDs.

Rowland


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, Sep 13, 2017 at 1:03 PM, Rowland Penny via samba
<[hidden email]> wrote:
> I am not saying it is invalid

Exactly why I questioned your first reply to me in this thread:
===============================
> Again "man smb.conf" is your friend.

Obviously not, from the above ;-)
===============================

I don't mind eating crow but it does have to be properly prepared.

Chris


Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
>
> > Is it required to set "idmap config" for both the STUDENTS domain and
> > all other domains like so?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = tdb
> > idmap config STUDENTS : range = 16777216-33554431
> Yes


> > Or can I simply set only the catch-all configuration without setting
> > it for individual domains? This is how we have historically done it.
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 16777216-33554431
> This puts everything into the '*' domain and is wrong.


Perhaps this is another place where the description in the manual could be
clearer. My reading of it is that the configuration for the * domain
applies to all domains that have not been explicitly configured (which is
the way I thought I was using it).

> Remove the next three lines
> >         smb passwd file = /var/cache/samba/smbpasswd
> >         passdb backend = smbpasswd


I don't understand this suggestion. What if I have non-domain users who are
stored in passdb? (I do.)

> >         restrict anonymous = 2


This doesn't make sense to me either. What does it have to do with
Winbind's interaction with AD? We set this option because automated network
security audits such as Qualys consider allowing anonymous connections to
be a vulnerability and nothing that we do relies on anonymous connections
to Samba anyway.

> remove the next two lines, you do not need them.
> >         machine password timeout = 0


We set "machine password timeout" to 0 because we have some systems where
Samba must run with the same configuration on two highly available nodes.
Therefore, we disable periodically changing the machine password and we
ensure that both nodes have the same stored password by periodically
synchronizing the secrets file from the primary node to the secondary node.

>         os level = 33

Our product can consist of multiple independent Samba servers in a group.
Within the group, there can be one "master" server and many "auxiliary"
servers. On masters, we raise "os level" to 65 and on auxiliaries, we lower
it to 33 so that only the master is capable of becoming the local master
browser. I don't understand how this is related to AD integration.

remove the next two lines, you do not need them.
> >         ldap debug level = 1
> >         ldap debug threshold = 5


I had set these so that I could see more detailed messages about the LDAP
calls. How does this contribute to the problem I am trying to solve?

Regards,
Rich Otero
Technical Support and Professional Services
EditShare
[hidden email]
617-782-0479

On Wed, Sep 13, 2017 at 1:01 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Wed, 13 Sep 2017 12:42:06 -0400
> Rich Otero <[hidden email]> wrote:
>
> > Thanks for the help and suggestions.
> >
> > I've removed the deprecated options "idmap uid" and "idmap gid" and
> > explicitly set "idmap config * : range" and "idmap config * :
> > backend." New output from testparm is at the end of this message.
> > (But note that previously I was only setting "idmap uid" and "idmap
> > gid" in the configuration files, not specifying the old and new
> > options simultaneously. The "idmap config" options were apparently
> > implied since they're favored over the deprecated options.)
> >
> > Despite that, I still have the same problem:
> >
> > editshare@es-exp1:~$ time groups dwill627
> > dwill627 : groups: cannot find name for group ID 131073
> > 131073 _adsso_editors editors exp1-promos domain users KUTZTOWN\
> > computeradministrativeaccesslabs
> > KUTZTOWN\computeradministrativeaccessclassrooms
> > allstudents KUTZTOWN\oitfs_software_r KUTZTOWN\
> > computeradministrativeaccessconferencerooms
> > KUTZTOWN\mediasiteviewonly pcns kup-passpol-stu-temp editshareusers
> > BUILTIN\users
> >
> > real    3m56.156s
> > user    0m0.072s
> > sys     0m0.000s
> >
> > editshare@es-exp1:~$ getent group 131073
> > editshare@es-exp1:~$ echo $?
> > 2
> >
> > Is it required to set "idmap config" for both the STUDENTS domain and
> > all other domains like so?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config STUDENTS : backend = tdb
> > idmap config STUDENTS : range = 16777216-33554431
>
> Yes
>
> >
> > Or can I simply set only the catch-all configuration without setting
> > it for individual domains? This is how we have historically done it.
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 16777216-33554431
>
> This puts everything into the '*' domain and is wrong.
>
> >
> > -----
> >
> > amended config:
> >
> > [global]
> >         workgroup = STUDENTS
> >         realm = STUDENTS.KUTZTOWN.EDU
> >         server string = es-exp1
> >         security = ADS
> >         password server = kustudc01.students.kutztown.edu
> > kustudc02.students.kutztown.edu
>
> Remove the next three lines
>
> >         smb passwd file = /var/cache/samba/smbpasswd
> >         passdb backend = smbpasswd
> >         restrict anonymous = 2
> >         log file = /var/log/samba/log.%I
> >         server max protocol = SMB2_22
> >         max protocol = SMB2_22
> >         protocol = SMB2_22
> >         max xmit = 65535
> >         unix extensions = No
> >         max open files = 32768
> >         socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=1048576
> >         load printers = No
> >         printcap name = /dev/null
>
> remove the next two lines, you do not need them.
>
> >         machine password timeout = 0
> >         os level = 33
> >         dns proxy = No
> >         wins support = Yes
>
> remove the next two lines, you do not need them.
>
> >         ldap debug level = 1
> >         ldap debug threshold = 5
> >         template homedir = /home/%U
> >         template shell = /sbin/nologin
> >         winbind request timeout = 10
> >         winbind use default domain = Yes
> >         winbind expand groups = 1
>
> You also need the 'DOMAIN' lines, set these to the range below,
> Then change the line below to a different range that does not overlap
>
> >         idmap config * : range = 16777216-33554431
> >         idmap config * : backend = tdb
> >         aio read size = 1
> >         aio write size = 1
> >         use sendfile = Yes
> >         include = /etc/samba/smb.0.0.0.0.conf
> >         wide links = Yes
> >
>
> Rowland
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
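As an added check for the point about the '*' range versus an explicit DOMAIN range (this script is not from the thread and is not Samba's own tooling): it parses the idmap config lines out of an smb.conf text, reports a missing per-domain range and reports overlapping ranges. The two smb.conf fragments are constructed from the ranges quoted in the thread, not the poster's real file.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the catch-all-only layout from the thread
# (not the poster's real smb.conf): every SID is mapped out of the '*' range.
CATCH_ALL_ONLY = """[global]
        workgroup = STUDENTS
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
"""

# Constructed sample with the separate DOMAIN range the reply asks for.
WITH_DOMAIN = """[global]
        workgroup = STUDENTS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config STUDENTS : backend = tdb
        idmap config STUDENTS : range = 16777216-33554431
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)
WG_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <option> = <value>' lines per domain."""
    out: Dict[str, Dict[str, str]] = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out


def check_idmap(conf: str) -> List[str]:
    """Return the idmap problems the reply points at; [] means none found."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    wg = WG_RE.search(conf)
    wg = wg.group(1).upper() if wg else "WORKGROUP"  # Samba's default workgroup
    if "range" not in cfg.get("*", {}):
        problems.append("no 'idmap config * : range'")
    if "range" not in cfg.get(wg, {}):
        problems.append(f"no 'idmap config {wg} : range' (everything lands in '*')")
    # Every configured range as (low, high); no two domains may overlap.
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in cfg.items() if "range" in o}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` against a real file; the catch-all-only sample reports the missing STUDENTS range and the second sample reports nothing.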

Re: Slow, Incorrect Group Resolution through Winbind

Samba - General mailing list
On Wed, 13 Sep 2017 14:10:48 -0400
Rich Otero <[hidden email]> wrote:

> Perhaps this is another place where the description in the manual
> could be clearer. My reading of it is that the configuration for the
> * domain applies to all domains that have not been explicitly
> configured (which is the way I thought I was using it).

Yes, but how do you know which domain is which ?

>
> Remove the next three lines
> > >         smb passwd file = /var/cache/samba/smbpasswd
> > >         passdb backend = smbpasswd
>
>
> I don't understand this suggestion. What if I have non-domain users
> who are stored in passdb? (I do.)

Because smbpasswd is deprecated by the now default tdbsam and if
you remove those lines, you will start to use the default.

>
> >         restrict anonymous = 2
>
>
> This doesn't make sense to me either. What does it have to do with
> Winbind's interaction with AD? We set this option because automated
> network security audits such as Qualys consider allowing anonymous
> connections to be a vulnerability and nothing that we do relies on
> anonymous connections to Samba anyway.

I would remove it because it can break some applications

>
> remove the next two lines, you do not need them.
> > >         machine password timeout = 0
>
>
> We set "machine password timeout" to 0 because we have some systems
> where Samba must run with the same configuration on two highly
> available nodes. Therefore, we disable periodically changing the
> machine password and we ensure that both nodes have the same stored
> password by periodically synchronizing the secrets file from the
> primary node to the secondary node.

I cannot recommend doing this, you should have different passwords for
each machine.
 
>
> >         os level = 33
>
> Our product can consist of multiple independent Samba servers in a
> group. Within the group, there can be one "master" server and many
> "auxiliary" servers. On masters, we raise "os level" to 65 and on
> auxiliaries, we lower it to 33 so that only the master is capable of
> becoming the local master browser. I don't understand how this is
> related to AD integration.

Because even if this line was 254 it wouldn't win an election with an
AD DC, so why bother.

>
> remove the next two lines, you do not need them.
> > >         ldap debug level = 1
> > >         ldap debug threshold = 5
>
>
> I had set these so that I could see more detailed messages about the
> LDAP calls. How does this contribute to the problem I am trying to
> solve?

They probably don't, but they shouldn't be there on a Unix domain
member.

All I can say is, I do not and never will set up a Unix domain member
in the way you have. I also do not have any of the problems you are
having, but it is your computer, so set it up how you like.

Rowland

