[Samba] Linux Workstation x SMB4 DC
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Aug 5 16:38:47 UTC 2015
On 05/08/15 17:18, Jefferson B. Limeira wrote:
> On 2015-08-05 11:45, Rowland Penny wrote:
>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>> An example of how slow it is...
>>>
>>> [root at CTA1PAPAN001645 ~]# time id teste
>>> uid=16777232(teste) gid=16777216(domain users)
>>> grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>>
>>> real 1m15.981s
>>> user 0m0.005s
>>> sys 0m0.007s
>>>
>>> According to this documentation, if I want to use File Sharing without AD
>>> modifications the only option is Winbind (idmap_rid).
>>>
>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>> On 2015-07-31 13:19, John Yocum wrote:
>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>> What is the best way to authenticate users in SMB4 DC on Linux
>>>>> workstation?
>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>
>>>>
>>>> How slow is "very slow"?
>>>>
>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>> experience. You could combine nslcd with Kerberos, which also works
>>>> very well. Of course both of these methods require you to have unix
>>>> attributes stored in AD for your users.
>>>>
>>>> -- John Yocum, Systems Administrator, DEOHS
>>>
>>
>> You seem to have a serious problem there:
>>
>> rowland at ThinkPad ~/ $ time id rowland
>> uid=10000(rowland) gid=10000(domain_users)
>> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>>
>>
>> real 0m0.614s
>> user 0m0.002s
>> sys 0m0.003s
>>
>> Just how many users do you have ?
>>
>> Can we see your smb.conf ?
>>
>> This could be a network problem, have you investigated this
>> possibility ?
>>
>> Rowland
>
> Around 4700 users...
>
> [root at CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
> [global]
> workgroup = BP
> realm = BP.NET
> security = ads
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> idmap config BP:backend = rid
> idmap config BP:range = 10000000-19999999
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> template homedir = /home/BP/%U
> template shell = /bin/bash
> hosts allow = 192.168.
> valid users = %U
> interfaces = eth0
> bind interfaces only = yes
>
> [root at CTA1PAPAN001645 ~]# net ads info
> LDAP server: 192.168.200.80
> LDAP server name: srvsmb4-pdc.bp.net
> Realm: BP.NET
> Bind Path: dc=BP,dc=NET
> LDAP port: 389
> Server time: Qua, 05 Ago 2015 13:08:16 BRT
> KDC server: 192.168.200.80
> Server time offset: 0
>
> [root at CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
> .
> --- 192.168.200.80 ping statistics ---
> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma
> 0.473/0.377 ms
>
>
> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
>
I don't know what OS you are using, but you are using the 'rid' backend
and seem to be mixing up the old way of setting ranges with the new way:
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
I would expect something like this:
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config BP : backend = rid
idmap config BP : range = 10000000-19999999
I do not know if this will speed things up, but it is worth trying. I
would also remove the 'valid users' line; there doesn't seem to be any point
to it, as it seems to allow all users.
Rowland
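As an added example (not from the thread or the Samba project), here is a small Python lint that parses the [global] section of an smb.conf and reports the points raised in the reply above: old-style 'idmap uid'/'idmap gid' lines mixed with per-domain 'idmap config' lines, a missing default ('*') idmap domain, overlapping ID ranges, and a 'valid users = %U' line that restricts nothing. The two embedded configs are the one posted in the thread and the layout suggested in the reply; the function names are my own.

```python
"""Lint the idmap settings in a Samba smb.conf [global] section.

Added example, not part of Samba.  It flags the mix of old-style
'idmap uid/gid' with per-domain 'idmap config' blocks, a missing '*'
default domain, overlapping ranges, and a no-op 'valid users = %U'.
"""
import re

# Sample input: the [global] section posted in the thread (trimmed).
MIXED_SMB_CONF = """\
[global]
workgroup = BP
realm = BP.NET
security = ads
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
valid users = %U
"""

# Sample input: the layout suggested in the reply.
FIXED_SMB_CONF = """\
[global]
workgroup = BP
realm = BP.NET
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config BP : backend = rid
idmap config BP : range = 10000000-19999999
winbind use default domain = yes
"""


def parse_global(text):
    """Return {normalised_key: value} for the [global] section only."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # 'idmap config BP : range' and 'idmap config BP:range' are the same key
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        key = re.sub(r"\s+", " ", key)
        params[key] = value.strip()
    return params


def parse_range(value):
    """'10000-99999' -> (10000, 99999)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint_idmap(text):
    """Return a list of human-readable problems found in the idmap setup."""
    params = parse_global(text)
    problems = []

    old_style = [k for k in ("idmap uid", "idmap gid") if k in params]
    domains = {}
    for key, value in params.items():
        m = re.match(r"idmap config ([^:]+):(backend|range)$", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value

    if old_style and domains:
        problems.append("old-style %s mixed with per-domain 'idmap config' lines"
                        % "/".join("'%s'" % k for k in old_style))
    if domains and "*" not in domains:
        problems.append("no 'idmap config * : backend/range' default domain "
                        "for BUILTIN and other non-domain SIDs")
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append("idmap config %s needs both backend and range" % dom)

    # Every domain's range must be disjoint from every other domain's range.
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("ranges for '%s' and '%s' overlap" % (a, b))

    if params.get("valid users") == "%U":
        problems.append("'valid users = %U' matches every user, so it restricts nothing")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", MIXED_SMB_CONF), ("suggested", FIXED_SMB_CONF)):
        print("%s config:" % name)
        for p in lint_idmap(conf) or ["no idmap problems found"]:
            print("  -", p)
```

Run it as a script to see the posted config produce three findings and the suggested layout produce none; the parser only looks at [global], so share definitions further down a real smb.conf are ignored.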