[Samba] winbind trouble under load?

Andrew Bartlett abartlet at samba.org
Wed Oct 2 08:14:01 GMT 2002


"J. Rönnblom" wrote:
> 
> I forgot to mention that I "connect" winbind to the W2K DC not as an
> anonymous account but with a normal user account. I use the
> 
> wbinfo -A user%password
> 
> abartlet at samba.org writes:
> >testparm now (2.2.6pre2) has an option to only display non-default
> >values.  That makes it easier to figure out what you have actually
> >changed...
> 
> [global]
>         workgroup = SKOLA
>         server string = Trustix Samba Server
>         interfaces = br0
>         security = DOMAIN
>         encrypt passwords = Yes
>         password server = *
>         log level = 0
>         log file = /var/log/samba/log.%I
>         name resolve order = wins host lmhosts bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         load printers = No
>         os level = 32
>         preferred master = True
>         domain master = False
>         wins server = 193.180.x.y
>         winbind uid = 10000-40000
>         winbind gid = 10000-40000
>         template homedir = /dev/null
>         winbind enum users = No
>         winbind enum groups = No
>         printer admin = @"SKOLA\Support",@"SKOLA\Administrators"

This all looks pretty sane.  However, why not give people 'real' home
directories and put their profiles in there?

> >I would avoid the exec on open, just because I see Win2k doing a *lot*
> >of tree connects/disconnects.  I would instead suggest using
> >pam_mkhomedir (or a modified variant) because they occur per session,
> >not per tree.
> 
> It is only for testing so I don't give much about speed now, on to get it
> working. I'll look into the pam_mkhomedir later.
> >
> >> -------------------
> >>
> >> Error on W2K DC
> >>
> >> Event Type:     Error
> >> Event Source:   Srv
> >> Event Category: None
> >> Event ID:       2006
> >> Date:           2002-09-30
> >> Time:           12:28:58
> >> User:           N/A
> >> Computer:       DC01
> >> Description:
> >> The server received an incorrectly formatted request from \\193.180.x.y
> >> Data:
> >> 0000: 00 00 34 00 02 00 7c 00   ..4...|.
> >> 0008: 00 00 00 00 d6 07 00 c0   ....Ö..À
> >> 0010: 00 00 00 00 01 20 98 c0   ..... ?À
> >> 0018: 00 00 00 00 00 00 00 00   ........
> >> 0020: 00 00 00 00 00 00 00 00   ........
> >> 0028: b3 06 00 00 ff 53 4d 42   ³...ÿSMB
> >> 0030: 25 00 00 00 00 08 01 c0   %......À
> >> 0038: 00 00 00 00 00 00 00 00   ........
> >> 0040: 00 00 00 00 00 d0 6d 38   .....Ðm8
> >> 0048: 02 50 01 00 10 00 00 48   .P.....H
> >> 0050: 00 00 00 48 00 00 00 00   ...H....
> >> 0058: 00 00 00 00               ....
> >
> >Now *this* is interesting.  I've only heard of it once, and it was not
> >reproducible.  Can you reproduce this error, and try to get a packet
> >sniff of it?  I would be interested to see what it actually is.
> 
> Can't reproduce it. I have a few of these every week in my log files,
> both from this server (2.2.6cvs) and the other samba servers (2.2.5).
> 
> I'll examine the logs and see if I can find anything that happened at the
> same time.

Thanks - I'll be interested to see what this is..

> >>
> >> [2002/10/01 13:21:50, 0] smbd/sec_ctx.c:initialise_groups(244)
> >>   Unable to initgroups. Error was Input/output error
> >>
> >> The logs are full of those messages. However I think they are due to
> >> the fact that I have winbind enum groups = no in /etc/samba/smb.conf
> >
> >That should not be.  That error is probably something else...
> 
> Yes, could it be this:
> 
> [print$]
>         path = /samba/printers
>         write list = @"SKOLA\Support" @"SKOLA\Administrators"
>
>         guest ok = Yes
> 
> root at xx-proxy /var/log/samba# testparm | grep guest
>         map to guest = Never
>         domain guest group =
>         guest account = nobody
>         guest only = No
>         guest ok = No
>         guest ok = Yes
> 
> When the computer/user tries to connect to the share as a guest it fails
> since the guest account (nobody) is not allowed to use samba?
> 
> OR could the fact that I'm using a normal account to connect to w2k
> account for the errors? (wbinfo -A user%pass)

I don't think this is what's causing that...

> >In any case, one course of action might be (assuming you are running an
> >Active Directory setup) to move to Samba 3.0.  If the Win2k clients get
> >kerberos credentials, then Samba doesn't need to contact the DC at all
> >for authentication.  (It might need to contact it for other things
> >however, but these can be cached too)  Also, Samba 3.0 uses an LDAP
> >client on AD, which I suspect will cope much better with 10000 users.
> >
> >Samba 3.0 also has a 'dual daemon' mode where it can operate out of
> >its cache while waiting for new answers from the DC, which might help
> >avoid a blocking winbind call backlogging the entire system.
> >
> >Finally, Samba 3.0 has *much* better error reporting, so you might get a
> >meaningful error message too!
> 
> But isn't samba 3.0 in alpha or beta? Is it really recommended/safe to run
> it in production?

I use it in production, but that's also because I can respond quickly
if/when it breaks :-).  I find it quite stable, the reason it's still
alpha is because we have not rounded off the feature set etc, not due to
stability.  Naturally, it also needs a lot more testing before we move to
release.

If you are having problems with the 'thundering herd', then I think it's
worth chasing down, because connecting to the DC for every user just
isn't pretty...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
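
Added example, not part of the original message or of Samba: the Event ID 2006 data quoted above contains the start of the rejected SMB1 request (the `ff 53 4d 42` magic at offset 0x2c), and this Python sketch decodes that header for triage. It assumes only the standard 32-byte SMB1 header layout; the bytes before the magic are left uninterpreted, and the function names and the partial command table are illustrative.

```python
import struct

# "Data:" bytes of the Event ID 2006 record quoted above (hex column only).
EVENT_DATA_HEX = """
00 00 34 00 02 00 7c 00 00 00 00 00 d6 07 00 c0
00 00 00 00 01 20 98 c0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 b3 06 00 00 ff 53 4d 42
25 00 00 00 00 08 01 c0 00 00 00 00 00 00 00 00
00 00 00 00 00 d0 6d 38 02 50 01 00 10 00 00 48
00 00 00 48 00 00 00 00 00 00 00 00
"""
SMB1_MAGIC = b"\xffSMB"
# Partial command table: just enough to name common requests.
COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x32: "SMB_COM_TRANSACTION2",
            0x73: "SMB_COM_SESSION_SETUP_ANDX", 0x75: "SMB_COM_TREE_CONNECT_ANDX"}
# 32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
# signature, reserved, TID, PIDLow, UID, MID (all little-endian).
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def decode_smb1_header(blob: bytes) -> dict:
    """Locate the SMB1 magic in an event data blob and decode the header."""
    start = blob.find(SMB1_MAGIC)
    if start < 0:
        raise ValueError("no SMB1 header in blob")
    if len(blob) - start < HEADER.size:
        raise ValueError("SMB1 header truncated")
    (_, cmd, status, flags, flags2, _pid_high, _sig, _rsvd,
     tid, pid, uid, mid) = HEADER.unpack_from(blob, start)
    body = blob[start + HEADER.size:]      # whatever the event log kept
    return {
        "offset": start,
        "command": COMMANDS.get(cmd, f"0x{cmd:02x}"),
        "status": status,
        "is_response": bool(flags & 0x80),   # SMB_FLAGS_REPLY
        "unicode": bool(flags2 & 0x8000),    # SMB_FLAGS2_UNICODE
        "nt_status": bool(flags2 & 0x4000),  # SMB_FLAGS2_NT_STATUS
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "word_count": body[0] if body else None,
        "bytes_after_header": len(body),
    }


def parse_event_data(hex_text: str) -> dict:
    """Accept the hex column of an event 'Data:' dump, whitespace included."""
    return decode_smb1_header(bytes.fromhex("".join(hex_text.split())))


if __name__ == "__main__":
    for key, value in parse_event_data(EVENT_DATA_HEX).items():
        print(f"{key:>18}: {value}")
```

The event record keeps only 16 bytes past the header, so this identifies the request type and session identifiers to correlate with Samba logs, but not the malformed field itself; that still needs the packet capture asked for above.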