[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sssd-users
Subject:    [SSSD-users] Re: idmap_sss Backend for Winbind
From:       Sumit Bose <sbose () redhat ! com>
Date:       2017-10-25 8:17:10
Message-ID: 20171025081709.GI26815 () p ! Speedport_W_724V_Typ_A_05011603_05_020
[Download RAW message or body]

On Tue, Oct 24, 2017 at 08:49:05PM -0000, rdratlos@yahoo.co.uk wrote:
> > On Tue, Oct 24, 2017 at 12:28:53PM -0000, rdratlos(a)yahoo.co.uk wrote:
> > 
> > If you start with empty caches on the winbind side the results should
> > stay the same because changes in the mapping should be very rare. Please
> > note the by default 'idmap cache time' is 1 week because of the rare
> > changes, see man smb.conf for more details.
> > 
> 
> In general I would agree. But winbindd does not follow this principle. If sssd is
> not running, winbindd will directly contact the AD domain controller and request
> the UID/SID information. As the id mapping setting in smb.conf has been optimized
> for use of the sss_idmap backend, wbinfo will return the wrong UID and GID as shown
> in the post before:

I see, maybe this can be prevented on the start script level so that
winbindd is only started if SSSD is running? Additionally the winbindd
cache can be flushed here so that winbind always starts with an empty
cache. But this might have an effect on performance at least during
startup, which might not be acceptable.

> 
> > 
> > wbinfo -i rdratlos (from winbindd with sss_idmap)
> > rdratlos:*:10000:10006:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/false
> > 
> 
> For sure, the long running gencache might prevent this, but we ran into this
> situation when upgrading sssd (-> 1.15.3) and samba (4.7.0) in parallel. The samba
> debug log showed the following error:
> Failed to register idmap module.
> The module was compiled against SMB_IDMAP_INTERFACE_VERSION 5,
> current SMB_IDMAP_INTERFACE_VERSION is 6.
> Please recompile against the current version of samba!
> 
> Even after rolling back Samba to version 4.6.7, winbindd's long-running cache kept
> the wrong IDs and prevented some users from connecting to the file shares. The
> required information to solve this problem can only be retrieved from low-level
> debug logs.

Currently I would expect that reducing 'idmap cache time' to something
like 1 minute would have a bad effect on performance because winbindd
has to talk more often to SSSD via the socket interface. We are working
on adding SID lookups to SSSD's memory cache as well. When this is done
looking up the mapping would be much faster because it will happen in
winbindd's own memory. When this is done lowering 'idmap cache time'
might be a reasonable way to recover quickly from differing mappings.

bye,
Sumit

> 
> BR
> 
> Thomas
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
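Sumit's suggestion above (start winbindd only while SSSD is running, and start it with a flushed cache so a mapping fetched directly from the DC cannot survive a restart) as an added example; this is not code from this thread, from Samba or from SSSD. It is a POSIX sh pre-start guard meant for an ExecStartPre= line of the winbind service unit. The function names, exit codes, the SSSD_CHECK/CACHE_FLUSH override variables and the smb.conf contents are this example's own assumptions; `systemctl is-active --quiet sssd` and `net cache flush` are the real systemd and Samba commands it runs by default, and 604800 is Samba's documented default for 'idmap cache time' (the one week Sumit mentions).

```shell
#!/bin/sh
# Added example (not from the thread, Samba or SSSD): pre-start guard for winbindd.
# Refuses to start winbindd unless (1) smb.conf maps DOMAIN through the sss idmap
# backend, (2) sssd is running, and (3) winbind's gencache could be flushed, so a
# stale mapping obtained while SSSD was down cannot survive a restart.
# SSSD_CHECK / CACHE_FLUSH are this example's own override hooks (for testing).

# Exit 0 if smb.conf has "idmap config DOMAIN : backend = sss" (case-insensitive,
# tolerant of spacing). $1 = smb.conf path, $2 = domain as used in the idmap lines.
idmap_backend_is_sss() {
    awk -v dom="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        {
            line = tolower($0)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line !~ /^idmap config /) next
            sub(/^idmap config /, "", line)
            n = index(line, ":")
            if (n == 0) next
            d = substr(line, 1, n - 1); rest = substr(line, n + 1)
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", rest)
            if (d == dom && rest == "backend=sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the configured "idmap cache time" in seconds; Samba default is 604800 (1 week).
idmap_cache_time() {
    awk '
        /^[ \t]*[#;]/ { next }
        {
            line = tolower($0)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line ~ /^idmap cache time[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)
                val = line
            }
        }
        END { print (val == "" ? 604800 : val) }
    ' "$1"
}

# The guard itself. Exit codes (this example's own): 3 = smb.conf does not use the
# sss backend for DOMAIN, 1 = sssd not running, 2 = cache flush failed, 0 = go ahead.
winbind_prestart() {
    conf=$1; dom=$2
    if ! idmap_backend_is_sss "$conf" "$dom"; then
        echo "winbind-prestart: $conf does not map $dom through the sss backend" >&2
        return 3
    fi
    if ! ${SSSD_CHECK:-systemctl is-active --quiet sssd}; then
        echo "winbind-prestart: sssd is not running, not starting winbindd" >&2
        return 1
    fi
    if ! ${CACHE_FLUSH:-net cache flush}; then
        echo "winbind-prestart: could not flush the winbind cache" >&2
        return 2
    fi
    return 0
}

# Invoked as: winbind-prestart <smb.conf> <DOMAIN>  (e.g. from ExecStartPre=)
if [ $# -eq 2 ]; then
    winbind_prestart "$1" "$2"
    exit $?
fi

# With no arguments, demonstrate the smb.conf checks on a constructed sample
# (sample data for this example, not a real host's configuration).
sample=$(mktemp)
cat >"$sample" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config MYDOMAIN : backend = sss
   idmap config MYDOMAIN : range = 10000-2000000
EOF
if idmap_backend_is_sss "$sample" MYDOMAIN; then
    echo "MYDOMAIN -> sss backend; idmap cache time = $(idmap_cache_time "$sample")s"
fi
rm -f "$sample"
```

Wired in as, for instance, `ExecStartPre=/usr/local/sbin/winbind-prestart /etc/samba/smb.conf MYDOMAIN` (path and domain assumed), a non-zero exit keeps winbindd down instead of letting it fall back to talking to the DC with an idmap configuration tuned for sss. Flushing the gencache on every start is what buys the clean state, at the cost of the first lookups after startup that Sumit warns about.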

