[Samba] Linux Workstation x SMB4 DC

Jefferson B. Limeira jbl at internexxus.com.br
Wed Aug 5 16:18:54 UTC 2015


On 2015-08-05 11:45, Rowland Penny wrote:
> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>> An example of how slow it is...
>> 
>> [root@CTA1PAPAN001645 ~]# time id teste
>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>> 
>> real    1m15.981s
>> user    0m0.005s
>> sys    0m0.007s
>> 
>> According to this documentation, if I want to use File Sharing without AD
>> modifications, the only option is Winbind (idmap_rid).
>> 
>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf 
>> On 2015-07-31 13:19, John Yocum wrote:
>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>> What is the best way to authenticate users in SMB4 DC on Linux 
>>>> workstation?
>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>> 
>>> 
>>> How slow is "very slow"?
>>> 
>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>> experience. You could combine nslcd with Kerberos, which also works very
>>> well. Of course both of these methods require you to have unix
>>> attributes stored in AD for your users.
>>> 
>>> -- John Yocum, Systems Administrator, DEOHS
>> 
> 
> You seem to have a serious problem there:
> 
> rowland@ThinkPad ~/ $ time id rowland
> uid=10000(rowland) gid=10000(domain_users)
> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
> 
> real    0m0.614s
> user    0m0.002s
> sys    0m0.003s
> 
> Just how many users do you have ?
> 
> Can we see your smb.conf ?
> 
> This could be a network problem, have you investigated this possibility?
> 
> Rowland

Around 4700 users...

[root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
[global]
    workgroup = BP
    realm = BP.NET
    security = ads
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    idmap config BP:backend = rid
    idmap config BP:range = 10000000-19999999
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/BP/%U
    template shell = /bin/bash
    hosts allow = 192.168.
    valid users = %U
    interfaces = eth0
    bind interfaces only = yes

[root@CTA1PAPAN001645 ~]# net ads info
LDAP server: 192.168.200.80
LDAP server name: srvsmb4-pdc.bp.net
Realm: BP.NET
Bind Path: dc=BP,dc=NET
LDAP port: 389
Server time: Qua, 05 Ago 2015 13:08:16 BRT
KDC server: 192.168.200.80
Server time offset: 0

[root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
.
--- 192.168.200.80 ping statistics ---
10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms


It is normal for the id command to take 20~30s; 1m15s is an extreme case.

-- 
[]'s Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628


