Samba 3.5.2 and remote AD authentication very slow
MICHAEL BROWN
mbrown at mesainc.com
Thu Apr 1 08:16:18 MDT 2010
Greetings,
I have multiple SLES 10 SP2 servers running 3.5.2 joined to a remote AD domain. The servers in question do not have
a local AD server to bind to and verify credentials against. These locations have 10 Mbps internet connections to
the locations that do have the AD servers of which they are a member.
The problem I am seeing is that it takes about 40 seconds to verify credentials on these remote servers in order to
get to the shares. I ran a packet trace from a SLES server to the AD server and I am seeing about 4,000 TLS
source and destination packets before authentication is verified.
Meaning, if the SLES server IP is 192.168.100.1 and the AD server is 192.168.200.1, all of those packets are
sequential like this:
No. 30 packet: Source 192.168.100.1 Destination 192.168.200.1 Protocol TLS Info Application Data
No. 31 packet: Source 192.168.200.1 Destination 192.168.100.1 Protocol TLS Info Application Data, Application Data
No. 32 packet: Source 192.168.100.1 Destination 192.168.200.1 Protocol TLS Info Application Data
No. 33 packet: Source 192.168.200.1 Destination 192.168.100.1 Protocol TLS Info Application Data, Application Data
etc., etc., for about 4,000 packets, and then finally the credentials are verified (about 40 seconds of this).
Over a WAN link, these small send/ACK packets, one right after the other, seem to be causing the large delays; the
data should be sent in larger chunks somehow. Also, I see no DNS resolution issues, errors, etc. within the packet trace.
Is there anything I am missing? Meaning, is this how the encryption to/from AD is supposed to work? If so, there is no way this will
work in a production environment without having local AD servers at *every* location just to decrease this delay.
I am running Samba 2 with OpenLDAP (which I am trying to migrate from), and verification is almost instant with remote OpenLDAP servers,
given that we don't have local LDAP servers to verify credentials, etc.
Thanks for the help.
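As an added example (not part of the original post), here is a small Python script that parses summary lines in the format quoted above, counts strict request/response round trips, and works out what the 40-second figure implies per round trip; this is the quickest way to tell a latency-bound exchange from a bandwidth-bound one. The trace lines are constructed to match the post's format, the IP addresses and the 40-second total are the post's, and the 1 ms LAN RTT used for comparison is an assumption.

```python
import re

# Pattern for the one-line packet summaries quoted in the post
# (Wireshark-style: No., Source, Destination, Protocol, Info).
PKT_RE = re.compile(
    r"No\.\s*(?P<no>\d+) packet: Source (?P<src>\S+) Destination (?P<dst>\S+) "
    r"Protocol (?P<proto>\S+) Info (?P<info>.*)"
)


def parse_trace(lines):
    """Return (no, src, dst, proto, info) tuples; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if m:
            out.append((int(m["no"]), m["src"], m["dst"], m["proto"], m["info"].strip()))
    return out


def count_round_trips(packets, client, server, proto="TLS"):
    """Count strict request/response pairs: a client->server packet immediately
    answered by a server->client packet. Each such pair costs one full WAN round trip,
    because the client waits for the reply before sending the next request."""
    trips = 0
    for prev, cur in zip(packets, packets[1:]):
        if (prev[3] == proto and cur[3] == proto
                and prev[1] == client and prev[2] == server
                and cur[1] == server and cur[2] == client):
            trips += 1
    return trips


def implied_rtt_ms(total_seconds, round_trips):
    """If the exchange is latency-bound, total time / round trips is the effective RTT."""
    return 1000.0 * total_seconds / round_trips if round_trips else 0.0


def predicted_seconds(round_trips, rtt_ms):
    """Time the same exchange would take over a link with the given RTT."""
    return round_trips * rtt_ms / 1000.0


# Constructed sample: 4000 alternating TLS packets in the post's format.
CLIENT, SERVER = "192.168.100.1", "192.168.200.1"
SAMPLE = []
for i in range(4000):
    src, dst = (CLIENT, SERVER) if i % 2 == 0 else (SERVER, CLIENT)
    info = "Application Data" if i % 2 == 0 else "Application Data, Application Data"
    SAMPLE.append(f"No. {30 + i} packet: Source {src} Destination {dst} Protocol TLS Info {info}")

if __name__ == "__main__":
    pkts = parse_trace(SAMPLE)
    trips = count_round_trips(pkts, CLIENT, SERVER)
    print(f"{len(pkts)} packets, {trips} round trips")
    print(f"40 s total implies ~{implied_rtt_ms(40, trips):.0f} ms per round trip (WAN latency, not bandwidth)")
    print(f"at an assumed 1 ms LAN RTT the same exchange would take ~{predicted_seconds(trips, 1):.1f} s")
```

If the implied per-round-trip time is close to the measured WAN ping time, the delay is the ping-pong pattern itself and a faster link would not help; only fewer round trips or a closer server would.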