[Samba] Active Directory authentication very slow (winbind/PAM)
Weber, Charles (NIH/NIA/IRP)
WeberC at grc.nia.nih.gov
Tue Jun 14 14:49:08 GMT 2005
We had issues with auth times until the AD structure was fixed here. It
involved configuring AD sites to make sure that our auth requests went to
local AD servers.
I continuously track auth times with
    time wbinfo -a username%password
just to have an idea when there are problems.
Our local AD structure that we have some control of normally takes:
Real .031s
User .019s
Sys .000s
Our enterprise AD with all the real user accounts that we have no control
of:
Real .04 to .1 s
User .018s
Sys .002s
This is after it was fixed. Before, we saw real times of .04s to 20s. If
you constantly get 20s times, it is basically unusable.
I found native AD to be slower, so I am using domain membership on FC2, Samba
3.14a.
My guess is that the difference between user + sys and real is the wait for
the reply back from AD.
I found no difference in using AD DNS or local BIND DNS in my case.
I didn't even ask about the AD added attributes but use OpenLDAP to store
the SID to UID mappings.
When I use wbinfo to test UID to SID resolution time, it is very quick, so I
think most of my latency right now is in AD.
Chuck