Hi Jeremy,

> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.

I am sorry to report that I am in fact using SuSE, and this problem is very easy to reproduce if I power off my AD domain, then wait (I guess) 10 minutes - then try and ssh to my Linux box. There is no way to log into the box. If I am fortunate to have a terminal open already logged in, I cannot run commands like "ls" or "man" "getfacl" or many others. The machine is useless until I "killall winbindd" then magically the system is back to normal and commands are able to execute.

I looked at the init script for that version on SUSE for winbind and it is running in cached mode.

If it helps to know, I have about 40000 user/group objects in the Windows 2003 R2 AD (with 1 child domain) and I try and put as many ACLs as I can in the filesystem permissions using setfacl for my cross platform filesystem capability testing. I doubt this is the issue though, I just want you to be informed in case some gotcha I don't know about exists for this scenario. I have a nice server with plenty of RAM and CPU oomph and a nice RAID setup so I doubt it is that either.

I am hoping some light can be shed on this issue, so here is my smb.conf and system info:

samba-3.2.7-11.2.1.x86_64
krb5-1.6.3-50.1.x86_64
openSUSE 11.0 (X86-64)
VERSION = 11.0

[global]
workgroup=qa2k3192
realm=QA2K3192.EDU
server string=HSA-PFX10101001 - 10.10.1.72
os level=24
domain master=no
local master=no
preferred master=yes
encrypt passwords=yes
level2 oplocks=yes
security=ads
password server=*
wins server=
inherit acls=yes
map acl inherit=yes
log file=/var/log/samba/log%m
dos filemode=yes
printing=BSD
printcap name = /dev/null
admin users = webadmin
username map = /etc/samba/smbusers
winbind enum users=no
winbind enum groups=no
map to guest = bad user
interfaces = eth2
disable spoolss = yes
idmap domains = \
 QA2K3192 \
 QA2K3SUB192
#QA2K3192 S-1-5-21-937701456-36023052-1036737269
idmap config QA2K3192:backend = rid
idmap config QA2K3192:base_rid = 0
idmap config QA2K3192:range = 1000000 - 1999999
#QA2K3SUB192 S-1-5-21-3854371235-711543302-3856612158
idmap config QA2K3SUB192:backend = rid
idmap config QA2K3SUB192:base_rid = 0
idmap config QA2K3SUB192:range = 2000000 - 2999999

[company]
comment=foo
path=/cifs/company
writeable=yes
browseable=yes
hosts allow=
hosts deny=
inherit acls=yes
guest ok=no
force unknown acl user=no
valid users = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
write list = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
read list =

I desperately hope we can nail down this issue... it is giving me support headaches when people change their networks then want to reconfigure the samba server last... catch 22!

Thank you again,
-Clayton

On Tue, 13 Oct 2009 21:14:30 -0700, Jeremy Allison <[email protected]> wrote:
> On Tue, Oct 13, 2009 at 08:10:56PM -0700, Clayton Hill wrote:
>> Thank you for the info Jeremy
>>
>> I think I will try EXT4 and see if I have better results then - also I
>> agree with you about streams - I just think some of my more foolish
>> clients won't.
>> Better just tell them "NO" firmly and then give them the example you
>> gave - ;-)
>
> Well I'm not saying we won't support streams in Samba,
> we'll just have to do it by layering meta-data over
> the filesystem. We already have 2 vfs modules that
> implement this.
>
>> Any workaround for the winbind problem I have? This to me is a very
>> serious problem and all I can think of for a solution is of making a
>> script that would ping the DC and if the connection to the DC was gone,
>> to kill winbind, then if the DC is back, start winbind back up.
>> IS this a good idea? It seems very very bad and hacky to me... I am
>> hoping with all my fingers crossed that you have a better solution!
>
> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.
>
> Jeremy.
