facing very slow authentication responses from samba4, urget help needed
mat at samba.org
Sat May 12 02:21:50 MDT 2012
> Hello Matthieu,
> thanks for the fat reply.
> We have about the same user number.I have migrated our old win2000 AD to
> samba4 and raised forest and domain level to 2008r2. In my test (esx)
> environment I have only tested with some clients (WinXP, WinVista, 2k8
> server) and it seemed to work well, at least authentication, GPOs and
> sripts did work like before. I did not recognize such delays in my
> testing environment. Unfortunately I did not test the LDAP stuff.
> Any idea how to find out where the delay is generated ? What I have
> observed is that sometimes the samba processes use up a lot of CPU.
Ok, the reason might be indexing because I doubt you upgraded the schema
so it's not a true forest raise to 2008r2 (my guess).
Related to search that should exploit indexes that should have been
present you can also have unindexed search.
You can try to debug it by activating the warnings on unindexed search,
to do so you have to set LDB_WARN_UNINDEXED to 1. For instance you could
start samba this way (log level has to be 2 or more ...)
sudo -c sh "LDB_WARN_UNINDEXED=1 ./bin/samba -d 2"
Then any unindexed search will produce the following output:
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: sub
In this example I'm doing a search on msds-intid which is not an indexed
attribute so it's expected that I'll have a full scan.
You can test also indexed search directly on the command line with ldb
by querying the database directly:
LDB_WARN_UNINDEXED=1 ./bin/ldbsearch -H
~/workspace/samba/rodc_mat/private/sam.ldb --cross-ncs '(msds-intid=*)'
If you don't yield interesting results, you can start to trace the ldap
traffic with wireshark and see how long LDAP requests take. If the
request takes more than 0.1 second you should have a look (if the
request is frequently executed). With wireshark and adapted
keytab/certificates you'll be able to get the clear text of the query.
Once you have it you can trace it with callgrind:
sudo valgrind --tool=callgrind ./bin/ldbsearch -H path_to_your_sam.ldb
-U user%password '(my_slow_ldap_query)'
kcachegrind will help you to analyze it.
Here are two pointers for capturing packets:
More information about the samba-technical