I have two issues, potentially related, potentially not. First
off, a bit about my environment:

I am experiencing the same issues on two boxes, one of which is
running Red Hat Linux ES 4 update 6 i386, the other running Red Hat
Enterprise Linux Server release 5.1 x86_64. Both appear to be
running Samba 3.0.25b, and both are members of an Active Directory
domain. There are 7 domain controllers in total, and there is a
largish number of users: approximately 34,000. I am only allowing
users that belong to a certain group to log in, selecting in
/etc/security/pam_winbind.conf with require_membership_of=[GROUP
SID]. I also have this same group named in /etc/sudoers with a
line similar to:

%Name\ Of\ My\ Group ALL=(ALL) ALL

(note that I am using a group name with spaces in it; though the docs
state this is a no-no, it seems to work, initially at least - more on
that later)

The first issue is that after winbindd has been running for a while
(several hours perhaps?), logins slow down to a crawl. It can
take upwards of two minutes to log in, whether the username exists
in the local passwd file or is an AD user. If I restart
winbindd, logins are once again snappy.

The second issue is that after I have logged in as an AD user and
the session has sat idle for maybe 10 minutes or so, I get the
following error when trying to sudo:

sudo: uid [some number] does not exist in the passwd file!

If I log out and log back in, I can run sudo commands. Also, of
note, if I run anything that calls getpwent(), sudo once again
works. I came up with this test program:

#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

int main(int argc, char** argv) {
    /* Read one entry from the passwd database; on these hosts the call
       itself is what gets winbind answering sudo's lookups again. */
    struct passwd *whatevs = getpwent();
    if (whatevs) {
        printf("%s:%s:%u:%u:%s:%s:%s\n",
               whatevs->pw_name, whatevs->pw_passwd,
               (unsigned)whatevs->pw_uid, (unsigned)whatevs->pw_gid,
               whatevs->pw_gecos, whatevs->pw_dir, whatevs->pw_shell);
    } else {
        printf("crap!!!! null\n");
    }
    endpwent();
    return 0;
}


Here is my smb.conf:

[global]
workgroup=VANDERBILT
server string = Lamborghini Metaclinic (RHEL5.1)
netbios name = lamborghini
realm = DS.VANDERBILT.EDU
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 1000-100000000
idmap gid = 1000-100000000
idmap backend = idmap_rid:VANDERBILT=1000-50000000
;template primary group = "Domain Users"
template shell = /bin/bash
winbind offline logon = yes

Here is my /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DS.VANDERBILT.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DS.VANDERBILT.EDU = {
kdc = ds.vanderbilt.edu
}

[domain_realm]
.kerberos.server = DS.VANDERBILT.EDU

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

My /etc/security/pam_winbind.conf:

[global]
require_membership_of = [some long SID here]

and I've already given the relevant bits of the sudoers file.

As an aside, is there a way to give an SID instead of a group name
in the /etc/sudoers file?

Nathan Johnson

