[Samba] Active Directory authentication very slow (winbind/PAM)

Weber, Charles (NIH/NIA/IRP) WeberC at grc.nia.nih.gov
Tue Jun 14 14:49:08 GMT 2005

We had issues with auth times until the AD structure was fixed here. It
involved configuring AD sites to make sure that our auth requests went to
local AD servers.
I continuously track auth times with
Time wbinfo -a username%password
Just to have an idea when there are problems.
Our local AD structure that we have some control of normally takes:

Real	.031s
User	.019s
Sys	.000s

Our enterprise AD with all the real user accounts that we have no control

Real	.04 to .1 s
User	.018s
Sys	.002s

This is after it being fixed. Before we saw real times of .04s to 20s. If
you constantly get 20s times, it is basically unusable. 

I found native AD to be slower so am using domain membership on FC2, samba
My guess is that the difference between user + sys and real is the wait for
the reply back from AD.
I found no difference in using AD DNS or local bind dns in my case.
I didn't even ask about the AD added attributes but use openldap to store
the SID to UID mappings.
When I use wbinfo to test UID to SID resolution time, it is very quick, so I
think most of my latency right now is in AD.


More information about the samba mailing list