sudo very slow after winbind to AD on RHEL6

2

When I run a sudo command after binding my Linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.

I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.

I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:

[2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
      in: struct wbint_LookupName
          domain                   : *
              domain                   : 'MYDOMAIN'
          name                     : *
              name                     : 'ROOT'
          flags                    : 0x00000008 (8)
[2013/06/05 10:05:19.481857,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
          type                     : *
              type                     : SID_NAME_USE_NONE (0)
          sid                      : *
              sid                      : S-0-0
          result                   : NT_STATUS_NONE_MAPPED
[2013/06/05 10:05:19.482076,  5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED

It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?

linux
samba
asked on Super User Jun 5, 2013 by Marty
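
One way to pull wbint_LookupName request/response pairs out of a level-10 winbindd log like the one quoted in the question, and to flag the names that are also local accounts. This is an added example, not part of the original question or answers; the function names and the sample passwd line are assumptions made here, and the log excerpt is abridged from the question.

```python
import re
from datetime import datetime, timedelta

# Constructed input: abridged from the log in the question, plus one local passwd line.
SAMPLE_LOG = """\
[2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
      in: struct wbint_LookupName
          domain                   : *
              domain                   : 'MYDOMAIN'
          name                     : *
              name                     : 'ROOT'
[2013/06/05 10:05:19.481857,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
          result                   : NT_STATUS_NONE_MAPPED
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\] ")
DIRECTION = re.compile(r"^\s+(in|out): struct wbint_LookupName")
FIELD = re.compile(r"^\s+(domain|name|result)\s+: (?!\*)'?([^'\n]+)'?\s*$")

def parse_lookups(text):
    """Pair each wbint_LookupName 'in' entry with the 'out' entry that follows it."""
    entries = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # a bracketed timestamp line starts a new log entry
            entries.append({"ts": datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S.%f")})
        elif entries:  # indented body line of the current entry
            d, f = DIRECTION.match(line), FIELD.match(line)
            if d:
                entries[-1]["dir"] = d.group(1)
            if f:  # the "field : *" pointer lines are skipped by the lookahead
                entries[-1][f.group(1)] = f.group(2)
    lookups, pending = [], None
    for e in entries:
        if e.get("dir") == "in":
            pending = e
        elif e.get("dir") == "out" and pending:
            us = (e["ts"] - pending["ts"]) // timedelta(microseconds=1)
            lookups.append({**pending, "result": e.get("result"), "us": us})
            pending = None
    return lookups

def local_names_sent_to_domain(lookups, passwd_text):
    """Return the lookups whose name matches a local passwd entry (case-insensitive)."""
    local = {l.split(":")[0].lower() for l in passwd_text.splitlines() if l and l[0] != "#"}
    return [l for l in lookups if (l.get("name") or "").lower() in local]
```

The `us` value is the time between the request and response entries in microseconds, which shows how long winbindd itself spent on each lookup.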

3 Answers

0

It definitely would do that. Make sure you have

passwd       files ldap
group        files ldap
shadow       files ldap

in nsswitch.conf. Every system call that requires elevated privileges will otherwise be slow as molasses.

answered on Super User Jun 5, 2013 by tink
0

Not sure it will help, but do you have a username map file that contains:

root = administrator
nobody = guest

and a global parameter in smb.conf pointing to it, such as

username map = /etc/samba/smbusers

as well as the global parameter

map to guest = bad user?

answered on Super User Jun 6, 2013 by (unknown user)
0

Try adding

winbind enum users = no
winbind enum groups = no
winbind nested groups = false

to /etc/samba/smb.conf, in section [global]

Note: this disables nested groups

answered on Super User Mar 12, 2014 by WoJ

User contributions licensed under CC BY-SA 3.0