[Samba] samba not using nearest ADS server

Tobias Hennerich Tobias at Hennerich.de
Tue Mar 24 17:17:29 GMT 2009 

Hello,

up to now no response to this mail :-(

Is no one using samba in a wide area network or has no one ever noticed
such a problem as we are doing?

Tobias


On Thu, Mar 19, 2009 at 05:40:46PM +0100, Tobias Hennerich wrote:
> Hello,
> 
> we integrated an samba v3.2.8 into a bigger ADS environment which is
> connected via MPLS world wide. Everything works as expected, but the login
> via SSH is slow:
> 
> After entering the login name in ssh we can see via tcpdump network
> traffic to different ADS controllers:
> 
> First a connection from Germany to UK:
> 
> 17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> 17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
> 17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> 
> then a connection from Germany to the United States:
> 
> 17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> 17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.902596 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.902787 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.048477 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.048669 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.199996 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.200183 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.343439 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.343626 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.509961 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.510146 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.666507 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.666696 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.809460 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.809759 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:51.950416 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:51.950732 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.097813 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.098022 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.251134 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.251322 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.395415 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.395605 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.545824 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.546011 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.695653 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.695839 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.840056 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.840244 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:52.985499 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:52.985715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:53.145538 IP 10.3.x.y.389 > 10.49.x.y.37731: .
> 17:16:53.149114 IP 10.3.x.y.389 > 10.49.x.y.37731: .
> 17:16:53.149121 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> 17:16:53.149125 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:53.188624 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> 
> and then, after 10 seconds (in this case) a connection to a local active
> directory controller:
> 
> 17:16:53.301943 IP 10.49.x.y.37718 > 10.49.a.b.389: P
> 17:16:53.302727 IP 10.49.a.b.389 > 10.49.x.y.37718: P
> 17:16:53.302734 IP 10.49.x.y.37718 > 10.49.a.b.389: .
> 
> After these 3 packets, the password prompt appears.
> 
> Any idea why samba doesn't try to use the local ADS server first?
> 
> Our configuration:
> 
> [global]
>         workgroup = DE
>         realm = de.XY.com
>         security = ADS
>         encrypt passwords = yes
>         preferred master = no
>         password server = dead01.de.xy.com
> 
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> 
>         idmap uid = 10000-50000
>         idmap gid = 10000-50000
> 
>         winbind use default domain = yes
>         template shell = /bin/bash
>         winbind refresh tickets = true
>         client use spnego = yes
>         winbind expand groups = 3
>         winbind cache time = 1800
>         winbind separator = +
> 
>         use kerberos keytab = true
> 
>         Log Level = 3
>         log file = /var/log/samba/log.%m
> 
>         dos filemode = yes
> 
>         local master = yes
>         wins support = no
> 
> Any help how to debug this in more detail appreciated!
> 
> Best regards    Tobias
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list