[Samba] winbind trouble under load?
Andrew Bartlett
abartlet at samba.org
Wed Oct 2 08:14:01 GMT 2002
"J. Rönnblom" wrote:
>
> I forgot to mention that I "connect" winbind to the W2K DC not as an
> anonymous
> account but with a normal user account. I use the
>
> wbinfo -A user%password
>
> abartlet at samba.org skriver:
> >testparm now (2.2.6pre2) has an option to only display non-default
> >values. That makes it easier to figure out what you have actually
> >changed...
>
> [global]
> workgroup = SKOLA
> server string = Trustix Samba Server
> interfaces = br0
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> log level = 0
> log file = /var/log/samba/log.%I
> name resolve order = wins host lmhosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> os level = 32
> preferred master = True
> domain master = False
> wins server = 193.180.x.y
> winbind uid = 10000-40000
> winbind gid = 10000-40000
> template homedir = /dev/null
> winbind enum users = No
> winbind enum groups = No
> printer admin = @"SKOLA\Support",@"SKOLA\Administrators"
This all looks pretty sane. However, why not give people 'real' home
direcories and put their profiles in there?
> >I would avoid the exec on open, just becouse I see Win2k doing a *lot*
> >of tree connects/disconnects. I would instead suggest using
> >pam_mkhomdir (or a modified varient) becouse they occour per session,
> >not per tree.
>
> It is only for testing so I don't give much about speed now, on to get it
> working. I'll look into the pam_mkhomedir later.
> >
> >> -------------------
> >>
> >> Error on W2K DC
> >>
> >> Event Type: Error
> >> Event Source: Srv
> >> Event Category: None
> >> Event ID: 2006
> >> Date: 2002-09-30
> >> Time: 12:28:58
> >> User: N/A
> >> Computer: DC01
> >> Description:
> >> The server received an incorrectly formatted request from \\193.180.x.y
> >> Data:
> >> 0000: 00 00 34 00 02 00 7c 00 ..4...|.
> >> 0008: 00 00 00 00 d6 07 00 c0 ....Ö..À
> >> 0010: 00 00 00 00 01 20 98 c0 ..... ?À
> >> 0018: 00 00 00 00 00 00 00 00 ........
> >> 0020: 00 00 00 00 00 00 00 00 ........
> >> 0028: b3 06 00 00 ff 53 4d 42 ³...ÿSMB
> >> 0030: 25 00 00 00 00 08 01 c0 %......À
> >> 0038: 00 00 00 00 00 00 00 00 ........
> >> 0040: 00 00 00 00 00 d0 6d 38 .....Ðm8
> >> 0048: 02 50 01 00 10 00 00 48 .P.....H
> >> 0050: 00 00 00 48 00 00 00 00 ...H....
> >> 0058: 00 00 00 00 ....
> >
> >Now *this* is interesting. I've only heard of it once, and it was not
> >reproducable. Can you reproduce this error, and try to get a packet
> >sniff of it? I would be interested to see what it actually is.
>
> Can't reproduce it. I have a few of these every week in my log files,
> both from this server (2.2.6cvs) and the other samba servers (2.2.5).
>
> I'll examine the logs and see if I can find anything that happend at the
> same time.
Thanks - I'll be interested to see what this is..
> >>
> >> [2002/10/01 13:21:50, 0] smbd/sec_ctx.c:initialise_groups(244)
> >> Unable to initgroups. Error was Input/output error
> >>
> >> The logs are full of those message. However I think the are due to
> >> the fact that I have winbind enum groups = no in /etc/samba/smb.conf
> >
> >That should not be. That error is probably somthing else...
>
> Yes, could it be this:
>
> [print$]
> path = /samba/printers
> write list = @"SKOLA\Support" @"SKOLA\Administrators"
>
> guest ok = Yes
>
> root at xx-proxy /var/log/samba# testparm | grep guest
> map to guest = Never
> domain guest group =
> guest account = nobody
> guest only = No
> guest ok = No
> guest ok = Yes
>
> When the computer/user tries to connect to the share as a guest it fails
> since the guest account (nobody) is not allowed to use samba?
>
> OR could the fact that im using a normal account to connect to w2k
> account for the errors? (wbinfo -A user%pass)
I don't think this is what's causing that...
> >In any case, one course of action might be (assuming you are running an
> >Active Directory setup) to move to Samba 3.0. If the Win2k clients get
> >kerberos credentials, then Samba doesn't need to contact the DC at all
> >for authenticaion. (It might need to contact it for other things
> >however, but these can be cached too) Also, Samba 3.0 uses an LDAP
> >client on AD, which I suspect will cope much better with 10000 users.
> >
> >Samba 3.0 also has a 'dual deamon' mode where it can opearate out of
> >it's cache while waiting for new answers from the DC, which might help
> >avoid a blocking winbind call backloging the entire system.
> >
> >Finally, Samba 3.0 has *much* better error reporting, so you might get a
> >meaningful error message too!
>
> But isn't samba 3.0 in alpha or beta? Is it really recommended/safe to run
> it in production?
I use it in production, but that's also becouse I can respond quickly
if/when it breaks :-). I find it quite stable, the reason it's still
alpha is becouse we have not rounded off the feature set etc, not due to
stabiliy. Naturally, it also needs a lot more testing before we move to
release.
If you are having problems with the 'thundering hurd', then I think it's
worth chasing down, becouse connecting to the DC for every user just
isn't pretty...
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba
mailing list