
I have an RHEL 6 server bound to an AD domain. Everything works fine, but group lookups are extremely slow. Some lookups can take over 60 seconds. This is very painful when running sudo and when users ssh in and it needs to verify their group membership before granting access. Strangely, when it comes to file permissions, there is no lag when a group is used to limit access via ACLs.

It seems like when groups are looked up, every single member of each group is enumerated. Some groups have over 100,000 members.

Here is my Winbind config:

workgroup = EXAMPLE
password server = AD.EXAMPLE.ORG
realm = EXAMPLE.ORG
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
Marty
  • Have you tried using `idmap backend = tdb`? `ps aux | grep winbind` – c4f4t0r Jan 04 '14 at 07:57
  • Will that mode create identical uid/gid on separate systems? That's why I went with `rid` to begin with. – Marty Jan 05 '14 at 22:18
  • If you want to have your user IDs consistent between servers, you can try `ldap` as the idmap backend; for more information about your problem see http://samba.2283325.n4.nabble.com/samba-4-idmap-problem-td2966016.html – c4f4t0r Jan 05 '14 at 23:30
  • I replaced rid with ldap in the config but I notice no difference in group lookup speed. – Marty Jan 06 '14 at 02:52
  • Have you tried SSSD + Kerberos on Red Hat 6 with SFU on Windows Server for the user Unix scheme? – c4f4t0r Jan 06 '14 at 11:06
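The question and the comment thread both come down to two things: how long an NSS group or user lookup actually takes on the box, and which winbind parameters in smb.conf drive that cost. The script below is an added diagnostic helper, not code from the question or from the Samba project. It times a lookup command with GNU `date` (present on RHEL 6), reads parameters from an smb.conf-style file, counts the deprecated `idmap uid`/`idmap gid` lines from the posted config, and prints the enumeration and nested-group settings. The 2000 ms slowness threshold, the temp-file path and the `demo` helper are assumptions for illustration; the sample config it writes is constructed from the question's own values.

```shell
#!/bin/bash
# Added diagnostic helper (not from the original question or from Samba):
# measures NSS lookup latency and audits winbind settings in an smb.conf.
# Assumes GNU date (%N) and a Linux host; thresholds are illustrative.

# Read one parameter from an smb.conf-style file, case-insensitively,
# ignoring comment lines and surrounding whitespace.
# Prints the value; returns 1 when the key is not set.
smbconf_get() {
    file=$1; key=$2
    awk -v want="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }              # skip comment lines
        /=/ {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == want) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Count "idmap uid" / "idmap gid" lines: deprecated in newer Samba releases,
# where "idmap config * : range" replaces them (constructed sample below has 2).
deprecated_idmap_count() {
    grep -Eic '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' "$1"
}

# Print the winbind settings that matter for lookup cost: enumeration should
# stay off, and nested-group expansion is where very large groups get walked.
audit_winbind() {
    file=$1
    for key in "winbind enum users" "winbind enum groups" \
               "winbind nested groups" "winbind expand groups" \
               "winbind cache time"; do
        val=$(smbconf_get "$file" "$key") || val="(default)"
        printf '%-24s = %s\n' "$key" "$val"
    done
    printf 'deprecated idmap uid/gid lines: %s\n' "$(deprecated_idmap_count "$file")"
}

# Wall-clock milliseconds for a lookup such as `getent group staff` or
# `id alice`; run it twice to see whether the winbind cache changes anything.
lookup_ms() {
    start=$(date +%s%N)
    "$@" >/dev/null 2>&1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# True when a lookup time (ms) exceeds the threshold (assumed default 2000 ms).
is_slow() { [ "$1" -gt "${2:-2000}" ]; }

# Usage: audit a constructed config built from the question's values.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   idmap config EXAMPLE:backend = rid
   winbind enum users = no
   winbind enum groups = no
EOF
    audit_winbind "$tmp"
    rm -f "$tmp"
}
demo
```

On the real server, `lookup_ms getent group <groupname>` followed by `lookup_ms id <user>` separates the cost of resolving one group from the cost of building a user's full membership list, which is the path sudo and sshd take; comparing a first and second run shows whether the winbind cache is absorbing the 100,000-member enumeration or whether every lookup pays it again.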

0 Answers