sudo very slow after winbind to AD on RHEL6
When I run a sudo command after binding my linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.
I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.
I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:

    [2013/06/05 10:05:19.481689, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
    wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
    domain : *
    domain : 'MYDOMAIN'
    name : *
    name : 'ROOT'
    flags : 0x00000008 (8)
    [2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
    wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
    type : *
    type : SID_NAME_USE_NONE (0)
    sid : *
    sid : S-0-0
    result : NT_STATUS_NONE_MAPPED
    [2013/06/05 10:05:19.482076, 5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
    [2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
    wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED

It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?
linux samba
asked Jun 5 '13 at 14:18
Marty
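A level-10 winbind log like the one in the question can be triaged mechanically. The following is an added example, not part of the original post: it pairs each wbint_LookupName request with its reply, keeps the replies that are not NT_STATUS_OK, and records the time between request and reply and whether the name also exists as a local account. It assumes the log header format shown in the question; the log is abridged from it, and SAMPLE_PASSWD and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Log excerpt from the question (winbind log level 10), abridged.
SAMPLE_LOG = """\
[2013/06/05 10:05:19.481689, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'MYDOMAIN'
name : *
name : 'ROOT'
[2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
"""
# Constructed stand-in for /etc/passwd (assumption, not from the page).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmarty:x:500:500::/home/marty:/bin/bash\n"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]", re.M)

def records(log):
    # Yield (timestamp, body) for every bracketed log record.
    parts = HEADER.split(log)  # ['', ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"), body

def quoted(body, key):
    """Return the quoted value of an NDR field such as domain or name."""
    m = re.search(rf"^\s*{key}\s*:\s*'([^']*)'", body, re.M)
    return m.group(1) if m else ""

def failed_lookups(log, passwd_text):
    """Pair wbint_LookupName requests with replies; return the non-OK ones."""
    local = {ln.split(":")[0].lower() for ln in passwd_text.splitlines() if ln}
    pending, findings = None, []
    for ts, body in records(log):
        if "wbint_LookupName" not in body:
            continue
        if re.search(r"^\s*in:", body, re.M):
            pending = (ts, quoted(body, "domain"), quoted(body, "name"))
        elif pending and re.search(r"^\s*out:", body, re.M):
            (t0, domain, name), pending = pending, None
            m = re.search(r"^\s*result\s*:\s*(\S+)", body, re.M)
            if m and m.group(1) != "NT_STATUS_OK":
                findings.append({"domain": domain, "name": name, "status": m.group(1),
                                 "elapsed_us": (ts - t0) // timedelta(microseconds=1),
                                 "local_account": name.lower() in local})
    return findings
```
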
3 Answers
It definitely would do that. Make sure you have

    passwd: files ldap
    group: files ldap
    shadow: files ldap

in nsswitch.conf. Every system call that requires elevated privileges will otherwise be slow as molasses.
answered Jun 5 '13 at 17:29
tink
I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind
– Marty
Jun 5 '13 at 19:16
Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?
– tink
Jun 5 '13 at 20:12
Not sure it will help, but do you have a username map file that contains:

    root = administrator
    nobody = guest

and a global parameter in smb.conf pointing to it, such as

    username map = /etc/samba/smbusers

as well as the global parameter

    map to guest = bad user

?
answered Jun 6 '13 at 21:15
user168261
Try adding

    winbind enum users = no
    winbind enum groups = no
    winbind nested groups = false

to /etc/samba/smb.conf, in section [global].

Note: this disables nested groups.
answered Mar 12 '14 at 12:28
WoJ
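The settings suggested in the first and third answers can be checked against a host's files in one pass. This is an added example, not code from any of the answers: it reports passwd, group and shadow entries in nsswitch.conf that do not list files first, and the three winbind parameters from the third answer that are not set to an off value in [global]. The sample file contents, the function names and the (file, item, state) result format are constructed for illustration.

```python
import re

# Constructed sample files (not from the page): "group" is misordered and one
# parameter sits outside [global] to show that only [global] is read.
NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group:  winbind files
"""
SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    Winbind Enum Users = Yes
    winbind nested groups = false
[share]
    winbind enum groups = no
"""
SUGGESTED_OFF = ("winbind enum users", "winbind enum groups", "winbind nested groups")
OFF = {"no", "false", "0"}  # "off" spellings of a boolean per smb.conf(5)

def norm(name):  # smb.conf section and parameter names ignore case and whitespace
    return "".join(name.lower().split())

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered source list."""
    dbs = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:  # drop [STATUS=action] items, keep the source names in order
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def smb_global(text):
    """Return the parameters set in [global], keyed by normalised name."""
    section, params = None, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip().lower()
    return params

def audit(nsswitch_text, smb_text):
    """Return (file, item, state) for settings that differ from the answers."""
    sources, params = nss_sources(nsswitch_text), smb_global(smb_text)
    findings = [("nsswitch.conf", db, " ".join(sources.get(db, [])) or "missing")
                for db in ("passwd", "group", "shadow")
                if sources.get(db, [])[:1] != ["files"]]
    findings += [("smb.conf", key, params.get(norm(key), "unset"))
                 for key in SUGGESTED_OFF if params.get(norm(key)) not in OFF]
    return findings
```

A state of "unset" means the parameter is absent from [global], so Samba's built-in default applies.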