sudo very slow after winbind to AD on RHEL6












2















When I run a sudo command after binding my linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.



I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.



I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:



[2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'MYDOMAIN'
name : *
name : 'ROOT'
flags : 0x00000008 (8)
[2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USE_NONE (0)
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
[2013/06/05 10:05:19.482076, 5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED


It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?










share|improve this question



























    2















    When I run a sudo command after binding my linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.



    I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.



    I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:



    [2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
    wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
    domain : *
    domain : 'MYDOMAIN'
    name : *
    name : 'ROOT'
    flags : 0x00000008 (8)
    [2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
    wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
    type : *
    type : SID_NAME_USE_NONE (0)
    sid : *
    sid : S-0-0
    result : NT_STATUS_NONE_MAPPED
    [2013/06/05 10:05:19.482076, 5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
    [2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
    wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED


    It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?










    share|improve this question

























      2












      2








      2


      1






      When I run a sudo command after binding my linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.



      I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.



      I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:



      [2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
      wbint_LookupName: struct wbint_LookupName
      in: struct wbint_LookupName
      domain : *
      domain : 'MYDOMAIN'
      name : *
      name : 'ROOT'
      flags : 0x00000008 (8)
      [2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
      wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
      type : *
      type : SID_NAME_USE_NONE (0)
      sid : *
      sid : S-0-0
      result : NT_STATUS_NONE_MAPPED
      [2013/06/05 10:05:19.482076, 5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
      Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
      [2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
      wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED


      It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?










      share|improve this question














      When I run a sudo command after binding my linux machine to an AD domain using samba/winbind, it takes anywhere between 10 seconds and 2 minutes to respond before prompting for my password.



      I've checked my /etc/resolv.conf and DNS seems to be set up properly. Commands like dig run without a hitch so I am assuming the problem must not be related to DNS. As per other posts, I've also made sure both my hostname and FQDN are listed in /etc/hosts for loopback.



      I set my winbind log level to 10 and checked the logs. I don't know what does and doesn't matter but some things I noticed in the logs:



      [2013/06/05 10:05:19.481689,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
      wbint_LookupName: struct wbint_LookupName
      in: struct wbint_LookupName
      domain : *
      domain : 'MYDOMAIN'
      name : *
      name : 'ROOT'
      flags : 0x00000008 (8)
      [2013/06/05 10:05:19.481857, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
      wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
      type : *
      type : SID_NAME_USE_NONE (0)
      sid : *
      sid : S-0-0
      result : NT_STATUS_NONE_MAPPED
      [2013/06/05 10:05:19.482076, 5] winbindd/winbindd_getgroups.c:186(winbindd_getgroups_recv)
      Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
      [2013/06/05 10:05:19.482121, 10] winbindd/winbindd.c:679(wb_request_done)
      wb_request_done[3787:GETGROUPS]: NT_STATUS_NONE_MAPPED


      It seems to be trying to look up the user ROOT in the domain, which obviously shouldn't be happening... Could this be the root of the cause? If so, how can I fix this?







      linux samba






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jun 5 '13 at 14:18









      MartyMarty

      157311




      157311






















          3 Answers
          3






          active

          oldest

          votes


















          0














          It definitely would do that, Make sure you have



          passwd       files ldap
          group files ldap
          shadow files ldap


          in nsswitch.conf. Every system call that requires elevated
          privileges will otherwise be slow as molasses.






          share|improve this answer
























          • I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

            – Marty
            Jun 5 '13 at 19:16













          • Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

            – tink
            Jun 5 '13 at 20:12



















          0














          Not sure it will help, but do you have a username map file that contains:



          root = administrator
          nobody = guest


          and a global parameter in smb.conf pointing to it, such as



          username map = /etc/samba/smbusers



          as well as the global parameter



          map to guest = bad user?






          share|improve this answer































            0














            Try adding



            winbind enum users = no
            winbind enum groups = no
            winbind nested groups = false


            to /etc/samba/smb.conf, in section [global]



            Note: this disables nested groups






            share|improve this answer
























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f604056%2fsudo-very-slow-after-winbind-to-ad-on-rhel6%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              0














              It definitely would do that, Make sure you have



              passwd       files ldap
              group files ldap
              shadow files ldap


              in nsswitch.conf. Every system call that requires elevated
              privileges will otherwise be slow as molasses.






              share|improve this answer
























              • I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

                – Marty
                Jun 5 '13 at 19:16













              • Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

                – tink
                Jun 5 '13 at 20:12
















              0














              It definitely would do that, Make sure you have



              passwd       files ldap
              group files ldap
              shadow files ldap


              in nsswitch.conf. Every system call that requires elevated
              privileges will otherwise be slow as molasses.






              share|improve this answer
























              • I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

                – Marty
                Jun 5 '13 at 19:16













              • Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

                – tink
                Jun 5 '13 at 20:12














              0












              0








              0







              It definitely would do that, Make sure you have



              passwd       files ldap
              group files ldap
              shadow files ldap


              in nsswitch.conf. Every system call that requires elevated
              privileges will otherwise be slow as molasses.






              share|improve this answer













              It definitely would do that, Make sure you have



              passwd       files ldap
              group files ldap
              shadow files ldap


              in nsswitch.conf. Every system call that requires elevated
              privileges will otherwise be slow as molasses.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Jun 5 '13 at 17:29









              tinktink

              1,3271914




              1,3271914













              • I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

                – Marty
                Jun 5 '13 at 19:16













              • Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

                – tink
                Jun 5 '13 at 20:12



















              • I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

                – Marty
                Jun 5 '13 at 19:16













              • Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

                – tink
                Jun 5 '13 at 20:12

















              I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

              – Marty
              Jun 5 '13 at 19:16







              I was sure this would be it but no. My nsswitch.conf already has: passwd: files winbind shadow: files winbind group: files winbind

              – Marty
              Jun 5 '13 at 19:16















              Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

              – tink
              Jun 5 '13 at 20:12





              Hmmm ... next thought: you have NSCD running, and it wasn't restarted after the change?

              – tink
              Jun 5 '13 at 20:12













              0














              Not sure it will help, but do you have a username map file that contains:



              root = administrator
              nobody = guest


              and a global parameter in smb.conf pointing to it, such as



              username map = /etc/samba/smbusers



              as well as the global parameter



              map to guest = bad user?






              share|improve this answer




























                0














                Not sure it will help, but do you have a username map file that contains:



                root = administrator
                nobody = guest


                and a global parameter in smb.conf pointing to it, such as



                username map = /etc/samba/smbusers



                as well as the global parameter



                map to guest = bad user?






                share|improve this answer


























                  0












                  0








                  0







                  Not sure it will help, but do you have a username map file that contains:



                  root = administrator
                  nobody = guest


                  and a global parameter in smb.conf pointing to it, such as



                  username map = /etc/samba/smbusers



                  as well as the global parameter



                  map to guest = bad user?






                  share|improve this answer













                  Not sure it will help, but do you have a username map file that contains:



                  root = administrator
                  nobody = guest


                  and a global parameter in smb.conf pointing to it, such as



                  username map = /etc/samba/smbusers



                  as well as the global parameter



                  map to guest = bad user?







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jun 6 '13 at 21:15







                  user168261






























                      0














                      Try adding



                      winbind enum users = no
                      winbind enum groups = no
                      winbind nested groups = false


                      to /etc/samba/smb.conf, in section [global]



                      Note: this disables nested groups






                      share|improve this answer




























                        0














                        Try adding



                        winbind enum users = no
                        winbind enum groups = no
                        winbind nested groups = false


                        to /etc/samba/smb.conf, in section [global]



                        Note: this disables nested groups






                        share|improve this answer


























                          0












                          0








                          0







                          Try adding



                          winbind enum users = no
                          winbind enum groups = no
                          winbind nested groups = false


                          to /etc/samba/smb.conf, in section [global]



                          Note: this disables nested groups






                          share|improve this answer













                          Try adding



                          winbind enum users = no
                          winbind enum groups = no
                          winbind nested groups = false


                          to /etc/samba/smb.conf, in section [global]



                          Note: this disables nested groups







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Mar 12 '14 at 12:28









                          WoJWoJ

                          85632238




                          85632238






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Super User!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f604056%2fsudo-very-slow-after-winbind-to-ad-on-rhel6%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Plaza Victoria

                              Puebla de Zaragoza

                              Musa