[Samba] Samba Auth: NETLOGON vs. lsarpc
Matt Vlasach
mattv at pacificswell.com
Thu Aug 18 18:35:04 GMT 2005
All,
So, I have an OS X Server 10.3.9 box running Samba 3.0.10. File
sharing is fast and I cannot ask for much more in that department.
Only slow thing: authentication. We are using the OS X box as the
PDC, and running authentication of all workstations against the PDC.
This works well, but takes 15-30 seconds to take place, which is not
great.
I did a debug level 3 of the samba file server, and took a peek at
the log after trying to log in a user. Now I know I am no expert with
Samba authentication, but this is how I think things are going down:
Essentially, there are 2 logon attempts. The first fails (although it
does not report so), waits for about 20 seconds, then the second one
succeeds. Timing wise, the first one fails within a second, and the
second one works within a second... there is just a stack wait
function that makes the user wait for something like 20 seconds.
SO... at a log level 3 debug, I pored through it and found that both
authentication methods first identify the user as "unknown" as
specified in the smb.conf file, probably because user credentials
haven't been validated yet. Next it identifies the computer by way of
the SID. Both authentication methods get this far.
Now, this is the code where something is different between the
successful authentication and the unsuccessful one:
- Unsuccessful: nt_open_pipe: Known pipe NETLOGON opening.
- Successful: nt_open_pipe: Known pipe lsarpc opening.
From this point, the NETLOGON one essentially does some pushing and
popping, frees the pipe, tries "api_rpcTNP: RPC command: NET_AUTH2",
then a few lines later does:
setting_sec_ctx(0,0) - sec_ctx_stack_ndx = 1
then 20 seconds later
pop_sec_ctx(99,99) - sec_ctx_stack_ndx = 0
Now, it redoes everything it had done before (authenticating as guest
and checking the SID). Now it says the "open_pipe: Known pipe lsarpc
opening.", does the exact same stuff as the NETLOGON method until the
line:
api_rpcTNP: RPC command: LSA_OPENPOLICY2
Then it goes on to authenticate the user within a second.
So, moral of the story: it looks like it is using some NETLOGON
method, then is using LDAP and the LSA_OPENPOLICY2 associated with
'lsarpc'.
My question: how do I skip the NETLOGON method and/or change the
order of authentication here? This would undoubtedly fix the problem
and authentication would only take 1 second.
I would like to believe this is something in the opendirectorysam
auth method, not really in Samba. But, I am not sure. Any ideas or
suggestions would be greatly greatly appreciated.
Thank you and have a great day!
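An added example (not from the original post or from Samba itself): a small Python script that walks a Samba debug log, pairs each header timestamp with its message, and reports how long the security context stays pushed for each named-pipe open, so the 20-second stall on the NETLOGON/NET_AUTH2 path described above stands out against the sub-second lsarpc/LSA_OPENPOLICY2 path. The sample log is constructed from the lines quoted in the post; the header layout and the file/line references in it are assumptions, not a real capture.

```python
import re
from datetime import datetime
# Constructed sample in Samba's "[date time, level] file:func(line)" + indented
# message layout, built from the lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
[2005/08/18 11:35:00, 3] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(214)
  nt_open_pipe: Known pipe NETLOGON opening.
[2005/08/18 11:35:00, 3] rpc_server/srv_pipe.c:api_rpcTNP(1106)
  api_rpcTNP: RPC command: NET_AUTH2
[2005/08/18 11:35:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting_sec_ctx(0,0) - sec_ctx_stack_ndx = 1
[2005/08/18 11:35:20, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx(99,99) - sec_ctx_stack_ndx = 0
[2005/08/18 11:35:21, 3] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(214)
  nt_open_pipe: Known pipe lsarpc opening.
[2005/08/18 11:35:21, 3] rpc_server/srv_pipe.c:api_rpcTNP(1106)
  api_rpcTNP: RPC command: LSA_OPENPOLICY2
[2005/08/18 11:35:21, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting_sec_ctx(0,0) - sec_ctx_stack_ndx = 1
[2005/08/18 11:35:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx(99,99) - sec_ctx_stack_ndx = 0
"""
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\]")

def parse_events(log):
    """Yield (timestamp, message); a header line stamps the indented line after it."""
    ts = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif ts is not None and line.startswith("  "):
            yield ts, line.strip()

def pipe_stalls(log, threshold_s=5.0):
    """Per named-pipe open: time the sec_ctx push -> pop window and note the RPC inside it."""
    results, pipe, rpc, pushed_at = [], None, None, None
    for ts, msg in parse_events(log):
        if msg.startswith("nt_open_pipe: Known pipe "):
            pipe, rpc = msg.split()[3], None      # e.g. NETLOGON or lsarpc
        elif msg.startswith("api_rpcTNP: RPC command: "):
            rpc = msg.rsplit(" ", 1)[1]           # e.g. NET_AUTH2
        elif msg.startswith("setting_sec_ctx("):
            pushed_at = ts                        # security context pushed
        elif msg.startswith("pop_sec_ctx(") and pushed_at is not None and pipe:
            secs = (ts - pushed_at).total_seconds()
            results.append((pipe, rpc, secs, secs >= threshold_s))
            pushed_at = None
    return results
```

Run it against a real level-3 log (`pipe_stalls(open("log.smbd").read())`) to see which pipe and RPC command the wait is attached to before changing any configuration.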