[Samba] samba not using nearest ADS server

Tobias Hennerich Tobias at Hennerich.de
Thu Mar 19 16:40:46 GMT 2009


Hello,

we integrated a Samba v3.2.8 into a bigger ADS environment which is
connected via MPLS worldwide. Everything works as expected, but the login
via SSH is slow:

After entering the login name in ssh, we can see via tcpdump network
traffic to different ADS controllers:

First a connection from Germany to UK:

17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .

then a connection from Germany to the United States:

17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.902596 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.902787 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.048477 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.048669 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.199996 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.200183 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.343439 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.343626 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.509961 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.510146 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.666507 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.666696 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.809460 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.809759 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.950416 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.950732 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.097813 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.098022 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.251134 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.251322 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.395415 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.395605 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.545824 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.546011 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.695653 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.695839 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.840056 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.840244 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.985499 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:52.985715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:53.145538 IP 10.3.x.y.389 > 10.49.x.y.37731: .
17:16:53.149114 IP 10.3.x.y.389 > 10.49.x.y.37731: .
17:16:53.149121 IP 10.49.x.y.37731 > 10.3.x.y.389: .
17:16:53.149125 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:53.188624 IP 10.49.x.y.37731 > 10.3.x.y.389: .

and then, after 10 seconds (in this case), a connection to a local Active
Directory controller:

17:16:53.301943 IP 10.49.x.y.37718 > 10.49.a.b.389: P
17:16:53.302727 IP 10.49.a.b.389 > 10.49.x.y.37718: P
17:16:53.302734 IP 10.49.x.y.37718 > 10.49.a.b.389: .

After these 3 packets, the password prompt appears.

Any idea why samba doesn't try to use the local ADS server first?

Our configuration:

[global]
        workgroup = DE
        realm = de.XY.com
        security = ADS
        encrypt passwords = yes
        preferred master = no
        password server = dead01.de.xy.com

        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        idmap uid = 10000-50000
        idmap gid = 10000-50000

        winbind use default domain = yes
        template shell = /bin/bash
        winbind refresh tickets = true
        client use spnego = yes
        winbind expand groups = 3
        winbind cache time = 1800
        winbind separator = +

        use kerberos keytab = true

        Log Level = 3
        log file = /var/log/samba/log.%m

        dos filemode = yes

        local master = yes
        wins support = no

Any help on how to debug this in more detail is appreciated!

Best regards, Tobias
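Since the question asks how to debug this in more detail, here is an added Python snippet (not from the post or from Samba) that groups tcpdump summary lines of the shape shown above by the DC contacted and reports, per DC, packet count, duration, site and whether it is off-site, plus the delay until the first on-site DC was reached. The subnet-to-site mapping and the sample packet lines are constructed assumptions modelled on the post.

```python
import re
from collections import OrderedDict
from datetime import datetime

# tcpdump summary lines like:
# "17:16:43.867219 IP 10.49.0.10.37722 > 10.44.0.1.389: P"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): "
)

# Constructed mapping of the /16 prefixes seen in the post to AD sites (assumption).
SITE_BY_PREFIX = {"10.49": "DE", "10.44": "UK", "10.3": "US"}

# Constructed sample capture modelled on the post (one flow per DC, trimmed).
SAMPLE = """\
17:16:43.867219 IP 10.49.0.10.37722 > 10.44.0.1.389: P
17:16:44.092774 IP 10.44.0.1.389 > 10.49.0.10.37722: P
17:16:49.466643 IP 10.49.0.10.37722 > 10.44.0.1.389: .
17:16:49.547138 IP 10.49.0.10.37731 > 10.3.0.1.389: P
17:16:53.188624 IP 10.49.0.10.37731 > 10.3.0.1.389: .
17:16:53.301943 IP 10.49.0.10.37718 > 10.49.0.1.389: P
17:16:53.302727 IP 10.49.0.1.389 > 10.49.0.10.37718: P
17:16:53.302734 IP 10.49.0.10.37718 > 10.49.0.1.389: .
not a tcpdump line, skipped by the parser
""".splitlines()

def site_of(ip):
    """Map an IP to a site by its leading octets; 'unknown' if unmapped."""
    for prefix, site in SITE_BY_PREFIX.items():
        if ip.startswith(prefix + "."):
            return site
    return "unknown"

def summarize_dc_contacts(lines, ldap_port="389", local_site="DE"):
    """Group LDAP packets by DC (in capture order) with first/last time,
    packet count, site, off-site flag and duration in seconds."""
    flows = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dport"] == ldap_port:
            dc = m["dst"]
        elif m["sport"] == ldap_port:
            dc = m["src"]
        else:
            continue  # not LDAP traffic
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        f = flows.setdefault(dc, {"first": ts, "last": ts, "packets": 0,
                                  "site": site_of(dc),
                                  "remote": site_of(dc) != local_site})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["packets"] += 1
    for f in flows.values():
        f["seconds"] = round((f["last"] - f["first"]).total_seconds(), 3)
    return flows

def delay_until_local_dc(flows):
    """Seconds from the first LDAP packet to the first on-site DC contact;
    None if no on-site DC was contacted at all."""
    start = min(f["first"] for f in flows.values())
    local = [f["first"] for f in flows.values() if not f["remote"]]
    return round((min(local) - start).total_seconds(), 3) if local else None
```

Run it over a full `tcpdump -n port 389` capture to see which DCs winbind walks through, in which order and for how long, before it reaches the on-site one.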
