facing very slow authentication responses from samba4, urgent help needed
Andreas Oster
aoster at novanetwork.de
Mon May 21 23:23:55 MDT 2012
Hello Matthieu,
I have managed to improve responsiveness of the mail clients by
reducing the LDAP queries from Postfix. Actually there had been
an error in my config which resulted in a lot of useless queries.
But even with the reduced amount of queries it is not fast, compared
to the Windows server and I can see high CPU utilization by the
samba process whenever an LDAP query is done.
I did some debugging and found out that my postfix/LDAP setup seems to
be wrong. When sending a mail for example from a test mail account
test at novanetwork.de to test at hotmail.com the following LDAP queries are
sent to the domain controller (LDAP):
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=test at novanetwork.de)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@novanetwork.de)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(|(mail=test at novanetwork.de)(otherMailbox=test at novanetwork.de))))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=test at hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=test at hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=test at hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=hotmail.com)))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH:
(&(!(isDeleted=TRUE))(&(objectclass=person)(|(mail=hotmail.com)(otherMailbox=hotmail.com))))
SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
This is a log before the change. As you can see, not only the sender was
verified but also the recipient. You can imagine that this took quite long
when you had more than one recipient.
Do you need any other logging from the samba server?
Thank you for your kind help
best regards
Andreas
On 21.05.2012 19:25, Matthieu Patou wrote:
> Hello Andreas,
>>>>
>>> Hello Matthieu,
>>>
>>> with your help I was able to find one cause of the problem. It seems
>>> that my postfix configuration is faulty. When sending a mail several
>>> different ldap queries are sent to the samba server. This has not been
>>> an issue when using the Windows DC as it could handle the requests much
>>> faster than the samba4 server. These queries seem to put a lot of stress
>>> to the samba processes, as the CPU utilization gets about 100% in those
>>> situations (2cores>3Ghz).
>> Well, part of the reason is that the LDAP is only done by one process
>> at most, so you can only saturate 1 core, where I suppose that MS AD
>> DCs are able to split into multiple threads.
>> Please also note that we have plans to improve the speed of Samba; we
>> definitely know that we are not very good in some areas in the AD
>> database.
>>
>> I would be interested if you could share the queries that were faulty;
>> in the long run it can be instructive to see what we can do to solve
>> this.
>>> I will try to fix my postfix configuration to
>>> remove the useless LDAP queries.
>> Matthieu.
>>
> I'm still interested in this, I would be really interested to have
> an example of a slow query in a real production environment.
>
> If you are concerned about privacy, please email me directly.
>
> Matthieu.
>
>
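Added example (not part of the original message, and not Samba or Postfix code): a Python script that parses log entries in the three-line "ldb FULL SEARCH" layout quoted above and counts exact repeats and searches per lookup key, which makes the redundant lookups described in the message visible. The sample log, addresses, base DN and all function names are constructed for illustration.

```python
import re
from collections import Counter

def _entry(inner):
    # Constructed log entry in the three-line layout of the excerpt above.
    return ("ldb: ldb FULL SEARCH:\n"
            f"(&(!(isDeleted=TRUE))(&(objectclass=person){inner}))\n"
            "SCOPE: sub DN: ou=Staff,dc=example,dc=test\n")

# Constructed sample: one recipient looked up twice, then its bare domain.
SAMPLE_LOG = "".join(_entry(i) for i in [
    "(otherMailbox=bob@example.org)",
    "(otherMailbox=@example.org)",
    "(otherMailbox=bob@example.org)",
    "(otherMailbox=@example.org)",
    "(|(mail=example.org)(otherMailbox=example.org))",
])

RECORD = re.compile(r"ldb: ldb FULL SEARCH:[ \t]*\n(?P<filter>\(.*\))[ \t]*\n"
                    r"SCOPE: (?P<scope>\S+) DN: (?P<dn>.+)")
ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")
FIXED = {"isdeleted", "objectclass"}  # assertions that never carry the lookup key

def parse_searches(text):
    """Return one (filter, scope, base DN) tuple per logged search."""
    return [(m["filter"], m["scope"], m["dn"].strip()) for m in RECORD.finditer(text)]

def lookup_keys(ldap_filter):
    """Distinct values tested by the filter, ignoring the fixed assertions."""
    return sorted({v for a, v in ASSERTION.findall(ldap_filter) if a.lower() not in FIXED})

def summarize(text):
    """Count total and distinct searches, exact repeats, and searches per lookup key."""
    searches = parse_searches(text)
    repeats = Counter(searches)
    per_key = Counter(k for f, _, _ in searches for k in lookup_keys(f))
    return {"total": len(searches), "distinct": len(repeats),
            "repeated": {s[0]: n for s, n in repeats.items() if n > 1},
            "per_key": dict(per_key)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} searches, {report['distinct']} distinct")
    for flt, n in report["repeated"].items():
        print(f"  {n}x {flt}")
    for key, n in sorted(report["per_key"].items(), key=lambda kv: -kv[1]):
        print(f"  key {key!r}: {n} searches")
```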
More information about the samba-technical
mailing list