[Samba] winbind trouble under load?
abartlet at samba.org
Wed Oct 2 08:14:01 GMT 2002
"J. Rönnblom" wrote:
> I forgot to mention that I "connect" winbind to the W2K DC not as an
> account but with a normal user account. I use the
> wbinfo -A user%password
> abartlet at samba.org skriver:
> >testparm now (2.2.6pre2) has an option to only display non-default
> >values. That makes it easier to figure out what you have actually
> workgroup = SKOLA
> server string = Trustix Samba Server
> interfaces = br0
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> log level = 0
> log file = /var/log/samba/log.%I
> name resolve order = wins host lmhosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> os level = 32
> preferred master = True
> domain master = False
> wins server = 193.180.x.y
> winbind uid = 10000-40000
> winbind gid = 10000-40000
> template homedir = /dev/null
> winbind enum users = No
> winbind enum groups = No
> printer admin = @"SKOLA\Support",@"SKOLA\Administrators"
This all looks pretty sane. However, why not give people 'real' home
direcories and put their profiles in there?
> >I would avoid the exec on open, just becouse I see Win2k doing a *lot*
> >of tree connects/disconnects. I would instead suggest using
> >pam_mkhomdir (or a modified varient) becouse they occour per session,
> >not per tree.
> It is only for testing so I don't give much about speed now, on to get it
> working. I'll look into the pam_mkhomedir later.
> >> -------------------
> >> Error on W2K DC
> >> Event Type: Error
> >> Event Source: Srv
> >> Event Category: None
> >> Event ID: 2006
> >> Date: 2002-09-30
> >> Time: 12:28:58
> >> User: N/A
> >> Computer: DC01
> >> Description:
> >> The server received an incorrectly formatted request from \\193.180.x.y
> >> Data:
> >> 0000: 00 00 34 00 02 00 7c 00 ..4...|.
> >> 0008: 00 00 00 00 d6 07 00 c0 ....Ö..À
> >> 0010: 00 00 00 00 01 20 98 c0 ..... ?À
> >> 0018: 00 00 00 00 00 00 00 00 ........
> >> 0020: 00 00 00 00 00 00 00 00 ........
> >> 0028: b3 06 00 00 ff 53 4d 42 ³...ÿSMB
> >> 0030: 25 00 00 00 00 08 01 c0 %......À
> >> 0038: 00 00 00 00 00 00 00 00 ........
> >> 0040: 00 00 00 00 00 d0 6d 38 .....Ðm8
> >> 0048: 02 50 01 00 10 00 00 48 .P.....H
> >> 0050: 00 00 00 48 00 00 00 00 ...H....
> >> 0058: 00 00 00 00 ....
> >Now *this* is interesting. I've only heard of it once, and it was not
> >reproducable. Can you reproduce this error, and try to get a packet
> >sniff of it? I would be interested to see what it actually is.
> Can't reproduce it. I have a few of these every week in my log files,
> both from this server (2.2.6cvs) and the other samba servers (2.2.5).
> I'll examine the logs and see if I can find anything that happend at the
> same time.
Thanks - I'll be interested to see what this is..
> >> [2002/10/01 13:21:50, 0] smbd/sec_ctx.c:initialise_groups(244)
> >> Unable to initgroups. Error was Input/output error
> >> The logs are full of those message. However I think the are due to
> >> the fact that I have winbind enum groups = no in /etc/samba/smb.conf
> >That should not be. That error is probably somthing else...
> Yes, could it be this:
> path = /samba/printers
> write list = @"SKOLA\Support" @"SKOLA\Administrators"
> guest ok = Yes
> root at xx-proxy /var/log/samba# testparm | grep guest
> map to guest = Never
> domain guest group =
> guest account = nobody
> guest only = No
> guest ok = No
> guest ok = Yes
> When the computer/user tries to connect to the share as a guest it fails
> since the guest account (nobody) is not allowed to use samba?
> OR could the fact that im using a normal account to connect to w2k
> account for the errors? (wbinfo -A user%pass)
I don't think this is what's causing that...
> >In any case, one course of action might be (assuming you are running an
> >Active Directory setup) to move to Samba 3.0. If the Win2k clients get
> >kerberos credentials, then Samba doesn't need to contact the DC at all
> >for authenticaion. (It might need to contact it for other things
> >however, but these can be cached too) Also, Samba 3.0 uses an LDAP
> >client on AD, which I suspect will cope much better with 10000 users.
> >Samba 3.0 also has a 'dual deamon' mode where it can opearate out of
> >it's cache while waiting for new answers from the DC, which might help
> >avoid a blocking winbind call backloging the entire system.
> >Finally, Samba 3.0 has *much* better error reporting, so you might get a
> >meaningful error message too!
> But isn't samba 3.0 in alpha or beta? Is it really recommended/safe to run
> it in production?
I use it in production, but that's also becouse I can respond quickly
if/when it breaks :-). I find it quite stable, the reason it's still
alpha is becouse we have not rounded off the feature set etc, not due to
stabiliy. Naturally, it also needs a lot more testing before we move to
If you are having problems with the 'thundering hurd', then I think it's
worth chasing down, becouse connecting to the DC for every user just
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba