facing very slow authentication responses from samba4, urget help needed

Andreas Oster aoster at novanetwork.de
Mon May 14 02:53:21 MDT 2012

Am 12.05.2012 10:21, schrieb Matthieu Patou:
> Hello Andreas
>> Hello Matthieu,
>> thanks for the fat reply.
>> We have about the same user number.I have migrated our old win2000 AD to
>> samba4 and raised forest and domain level to 2008r2. In my test (esx)
>> environment I have only tested with some clients (WinXP, WinVista, 2k8
>> server) and it seemed to work well, at least authentication, GPOs and
>> sripts did work like before. I did not recognize such delays in my
>> testing environment. Unfortunately I did not test the LDAP stuff.
>> Any idea how to find out where the delay is generated ? What I have
>> observed is that sometimes the samba processes use up a lot of CPU.
> Ok, the reason might be indexing because I doubt you upgraded the schema
> so it's not a true forest raise to 2008r2 (my guess).
> Related to search that should exploit indexes that should have been
> present you can also have unindexed search.
> You can try to debug it by activating the warnings on unindexed search,
> to do so you have to set LDB_WARN_UNINDEXED to 1. For instance you could
> start samba this way (log level has to be 2 or more ...)
> sudo -c sh "LDB_WARN_UNINDEXED=1 ./bin/samba -d 2"
> Then any unindexed search will produce the following output:
> ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: sub
> DN: DC=exchange,DC=home,DC=matws,DC=net
> In this example I'm doing a search on msds-intid which is not an indexed
> attribute so it's expected that I'll have a full scan.
> You can test also indexed search directly on the command line with ldb
> by querying the database directly:
> LDB_WARN_UNINDEXED=1 ./bin/ldbsearch -H
> ~/workspace/samba/rodc_mat/private/sam.ldb --cross-ncs '(msds-intid=*)'
> If you don't yield interesting results, you can start to trace the ldap
> traffic with wireshark and see how long LDAP requests take. If the
> request takes more than 0.1 second you should have a look (if the
> request is frequently executed). With wireshark and adapted
> keytab/certificates you'll be able to get the clear text of the query.
> Once you have it you can trace it with callgrind:
> sudo valgrind --tool=callgrind  ./bin/ldbsearch -H path_to_your_sam.ldb
> -U user%password '(my_slow_ldap_query)'
> kcachegrind will help you to analyze it.
> Here are two pointers for capturing packets:
> https://wiki.samba.org/index.php/Capture_Packets
> https://wiki.samba.org/index.php/Analyze_Capture
> Matthieu
Hello Matthieu,

actually I did a domain and forest raise to 2008r2 before migrating to

I have tried with ldbsearch but am not sure if I did it in the correct way:

LDB_WARN_UNINDEXED=1 ./ldbsearch -H ../private/sam.ldb --cross-ncs
'(msds-intid=*)' -Uadministrator

ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: UNKNOWN DN:

ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: UNKNOWN DN:

ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: UNKNOWN DN:

ldb FULL SEARCH: (&(!(isDeleted=TRUE))(msds-intid=*)) SCOPE: UNKNOWN DN:

# returned 0 records
# 0 entries
# 0 referrals

Is "SCOPE: UNKNOWN DN:" an expected output ?

Thank you for your kind help

best regards


More information about the samba-technical mailing list