samba_2_2 sambatest (security=server) and ldap performance

Thu Oct 31 11:18:01 GMT 2002

Andrew Bartlett wrote:
> On Thu, Oct 31, 2002 at 11:33:15AM +0100, Ignacio Coupeau wrote:
> 
>>We have several samba printservers and fileservers with 
>>"security=server" validating against several PDC with ldap (samba 2.2.6).
>>
>>I found a lot of ldap request like:
>>	(uid=SAMBATESTPSERVER04)
>>beating the ldap servers: one before *each* validation in every print 
>>job or share session.
>>
>>I found this is related with a security issue as Jeremy says in the
>>server_validate() function.
>>
>>To avoid this I tried to use security=domain because server_validate() 
>>is called by check_server_security(), but our servers joined to the 
>>domain-asigned likes very much ask to the neighborn PDC as 
>>"security=server" than their domain-asigned-server (perhaps the 
>>subneting, or so... is a big and complex network).
>>
>>The question is if I can skip the code around 
>>"if(!tested_password_server) {"
>>to avoid the calls to ldap and if it is safe.
>>
>>We are using only samba servers.
> 
> 
> You could, but you really don't want to.  Security=server
> is really nasty.  Fix whatever is causing Samba to pick the
> wrong DC for secruity=domain.  You can still specify the
> server to use.

I'm tracking it, but is amazing...
for example
	../bin/smbpasswd -r ENIGMA -j CTI-SMB-2
joins the pserver01 to ENIGMA perfectly.

pserver01 has "security server=enigma", but resolve in every PDC (of 
course the ldap base is te same), like "security server=*" but in server 
mode (for example in the PDC3 or PDC1) instead domain mode in ENIGMA...
it looks like if a broadcast is performed and the winner is the nearest 
PDC because the trusted pdc (ENIGMA) is in other subnet... amazing!

Ignacio

-- 
____________________________________________________
Ignacio Coupeau, Ph.D.     e-mail: icoupeau at unav.es
CTI, Director              fax:    948 425619
University of Navarra      voice:  948 425600
Pamplona, SPAIN            http://www.unav.es/cti/