Tobias Hennerich
Tobias at Hennerich.de
Tue Mar 24 19:22:54 GMT 2009
Hello Mark,
thank you for your reply!
> First, I am assuming from your message that this network trace was from
> one ssh attempt, is that correct?
Yes, that is one login. It doesn't matter if we use ssh or another
process that needs information about a user. I think we get the same
result if we just switch to a user from root via "su - user".
> I also gather you are in the germany site?
Yes, the login was a German user to the German server. That user is in
some universal ADS groups, which are located in Germany, too.
> So it looks like the auth attempts went to UK and US first before
> using your local DC? Please correct me if this is not right.
That is correct, Samba connected first to the UK and the US, then to the
German AD.
> Also, I'm not quite up to speed with ADS topologies... so is this a
> single domain with various sites set up with "AD Sites and Services"? or
> is it multiple domains that trust?
Each site has its own ADS domain, and the domains trust each other.
> or perhaps one domain in a default
> site just with routers/mpls handling the jump between subnets?
I didn't understand that part of your question completely :-( Each site
has a class B network (Germany: 10.49.0.0/16, UK: 10.44.0.0/16 ...) and
the machines have a default route to the next local MPLS router (more
or less).
Best regards Tobias
On Tue, Mar 24, 2009 at 01:33:23PM -0500, Mark Casey wrote:
> Tobias Hennerich wrote:
> > Hello,
> >
> > up to now no response to this mail :-(
> >
> > Is no one using samba in a wide area network or has no one ever noticed
> > such a problem as we are doing?
> >
> > Tobias
> >
> >
> > On Thu, Mar 19, 2009 at 05:40:46PM +0100, Tobias Hennerich wrote:
> >
> >> Hello,
> >>
> >> we integrated a Samba v3.2.8 into a bigger ADS environment which is
> >> connected via MPLS world wide. Everything works as expected, but the login
> >> via SSH is slow:
> >>
> >> After entering the login name in ssh we can see via tcpdump network
> >> traffic to different ADS controllers:
> >>
> >> First a connection from Germany to UK:
> >>
> >> 17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> >> 17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
> >> 17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> >>
> >> then a connection from Germany to the United States:
> >>
> >> 17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> >> 17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:50.902596 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:50.902787 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.048477 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.048669 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.199996 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.200183 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.343439 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.343626 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.509961 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.510146 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.666507 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.666696 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.809460 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.809759 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:51.950416 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:51.950732 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.097813 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.098022 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.251134 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.251322 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.395415 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.395605 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.545824 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.546011 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.695653 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.695839 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.840056 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.840244 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:52.985499 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:52.985715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> >> 17:16:53.145538 IP 10.3.x.y.389 > 10.49.x.y.37731: .
> >> 17:16:53.149114 IP 10.3.x.y.389 > 10.49.x.y.37731: .
> >> 17:16:53.149121 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> >> 17:16:53.149125 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> >> 17:16:53.188624 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> >>
> >> and then, after 10 seconds (in this case) a connection to a local Active
> >> Directory controller:
> >>
> >> 17:16:53.301943 IP 10.49.x.y.37718 > 10.49.a.b.389: P
> >> 17:16:53.302727 IP 10.49.a.b.389 > 10.49.x.y.37718: P
> >> 17:16:53.302734 IP 10.49.x.y.37718 > 10.49.a.b.389: .
> >>
> >> After these 3 packets, the password prompt appears.
> >>
> >> Any idea why samba doesn't try to use the local ADS server first?
> >>
> >> Our configuration:
> >>
> >> [global]
> >> workgroup = DE
> >> realm = de.XY.com
> >> security = ADS
> >> encrypt passwords = yes
> >> preferred master = no
> >> password server = dead01.de.xy.com
> >>
> >> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>
> >> idmap uid = 10000-50000
> >> idmap gid = 10000-50000
> >>
> >> winbind use default domain = yes
> >> template shell = /bin/bash
> >> winbind refresh tickets = true
> >> client use spnego = yes
> >> winbind expand groups = 3
> >> winbind cache time = 1800
> >> winbind separator = +
> >>
> >> use kerberos keytab = true
> >>
> >> Log Level = 3
> >> log file = /var/log/samba/log.%m
> >>
> >> dos filemode = yes
> >>
> >> local master = yes
> >> wins support = no
> >>
> >> Any help how to debug this in more detail appreciated!
> >>
> >> Best regards Tobias
> >>
> >>
> >> --
> >>
>
> Tobias,
>
> I have a native ADS domain in the US split between two sites in
> different states. Each site has a DC and a samba server, among other
> pieces. Their local subnets are linked via routed openvpn, so I would
> consider it a similar setup to yours. I'm not exactly an expert, but ssh
> is working without the problem you are describing so perhaps I can be
> helpful (if nothing else, to compare configs).
>
> First, I am assuming from your message that this network trace was from
> one ssh attempt, is that correct? I also gather you are in the Germany
> site? So it looks like the auth attempts went to UK and US first before
> using your local DC? Please correct me if this is not right.
>
> Also, I'm not quite up to speed with ADS topologies... so is this a
> single domain with various sites set up with "AD Sites and Services"? or
> is it multiple domains that trust? or perhaps one domain in a default
> site just with routers/mpls handling the jump between subnets?
>
> Thank you,
> Mark

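The thread above reads the per-DC timing off the raw tcpdump listing by eye. The following is an added example (not code from the thread, from Tobias, Mark, or the Samba project) that turns such a capture into a per-domain-controller summary: which DCs on port 389 one login touched, in what order, how many packets went to each, how long each conversation lasted, and how much time passed before the first packet to a DC in the local site. It assumes tcpdump's default `IP src.sport > dst.dport:` line layout as shown in the posted capture (the anonymised `x.y` octets parse the same way as real ones), that the directory traffic of interest is LDAP on TCP 389, and that the local site is identified by an address prefix such as `10.49.`; the embedded trace is a constructed excerpt of the capture quoted in the thread.

```python
"""Summarise which AD domain controllers a single login touched, and for how long.

Input is tcpdump text of the form quoted in the thread:
    '<HH:MM:SS.ffffff> IP <src>.<sport> > <dst>.<dport>: <flags>'
Run with a capture on stdin (e.g. `tcpdump -n -l port 389 | python3 dcsummary.py`),
or with no stdin to analyse the constructed sample below.
"""
import re
import sys
from collections import OrderedDict

LDAP_PORT = "389"

# Constructed excerpt of the capture posted in the thread: a few lines per DC
# are enough to show the shape; the real capture is much longer.
SAMPLE_TRACE = """\
17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .
17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:53.149125 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:53.188624 IP 10.49.x.y.37731 > 10.3.x.y.389: .
17:16:53.301943 IP 10.49.x.y.37718 > 10.49.a.b.389: P
17:16:53.302727 IP 10.49.a.b.389 > 10.49.x.y.37718: P
17:16:53.302734 IP 10.49.x.y.37718 > 10.49.a.b.389: .
"""

# Host part is everything up to the last '.<port>'; works for '10.49.x.y.37722'
# as well as for real dotted-quad addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)


def _seconds(ts):
    """'17:16:43.867219' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize(trace_text, server_port=LDAP_PORT):
    """Group packets by the peer that owns `server_port` (the DC) and return,
    in order of first contact, one record per DC with packet count, first and
    last timestamp and elapsed seconds. Unparseable or non-LDAP lines are skipped."""
    per_dc = OrderedDict()
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["dport"] == server_port:
            dc = m["dst"]
        elif m["sport"] == server_port:
            dc = m["src"]
        else:
            continue
        t = _seconds(m["ts"])
        rec = per_dc.setdefault(dc, {"dc": dc, "packets": 0, "first": t, "last": t})
        rec["packets"] += 1
        rec["first"] = min(rec["first"], t)
        rec["last"] = max(rec["last"], t)
    rows = sorted(per_dc.values(), key=lambda r: r["first"])
    for r in rows:
        r["elapsed"] = r["last"] - r["first"]
    return rows


def delay_before_local(rows, local_prefix):
    """Seconds from the first LDAP packet of the login to the first packet to a
    DC whose address starts with `local_prefix` (e.g. '10.49.'); None if no
    local DC was contacted at all."""
    if not rows:
        return None
    start = min(r["first"] for r in rows)
    for r in rows:
        if r["dc"].startswith(local_prefix):
            return r["first"] - start
    return None


if __name__ == "__main__":
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    rows = summarize(text)
    print(f"{'DC':<14}{'packets':>8}{'seconds':>10}")
    for r in rows:
        print(f"{r['dc']:<14}{r['packets']:>8}{r['elapsed']:>10.3f}")
    d = delay_before_local(rows, "10.49.")  # assumed local-site prefix
    if d is not None:
        print(f"time before the first local-DC packet: {d:.3f}s")
```

On the constructed excerpt this reports roughly 5.6 s spent talking to the UK DC and 3.6 s to the US DC before the first packet to the local DC, about 9.4 s into the login, which matches the "after 10 seconds (in this case)" observation in the thread. Capturing with `-n` keeps tcpdump from doing reverse DNS lookups, which would otherwise add their own delays and change the timings being measured; the script assumes a capture that does not cross midnight.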