[Samba] Linux Workstation x SMB4 DC

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 5 16:38:47 UTC 2015


On 05/08/15 17:18, Jefferson B. Limeira wrote:
> On 2015-08-05 11:45, Rowland Penny wrote:
>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>> An example of how slow it is...
>>>
>>> [root at CTA1PAPAN001645 ~]# time id teste
>>> uid=16777232(teste) gid=16777216(domain users) 
>>> grupos=16777216(domain 
>>> users),16777220(operacao),16777222(BUILTIN\users)
>>>
>>> real    1m15.981s
>>> user    0m0.005s
>>> sys    0m0.007s
>>>
>>> According to this documentation, if I want to use File Sharing without AD 
>>> modifications, the only option is Winbind (idmap_rid).
>>>
>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf 
>>> On 2015-07-31 13:19, John Yocum wrote:
>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>> What is the best way to authenticate users in SMB4 DC on Linux 
>>>>> workstation?
>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>
>>>>
>>>> How slow is "very slow"?
>>>>
>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>> experience. You could combine nslcd with Kerberos, which also works 
>>>> very
>>>> well. Of course both of these methods require you to have unix
>>>> attributes stored in AD for your users.
>>>>
>>>> -- John Yocum, Systems Administrator, DEOHS
>>>
>>
>> You seem to have a serious problem there:
>>
>> rowland at ThinkPad ~/ $ time id rowland
>> uid=10000(rowland) gid=10000(domain_users)
>> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators) 
>>
>>
>> real    0m0.614s
>> user    0m0.002s
>> sys    0m0.003s
>>
>> Just how many users do you have?
>>
>> Can we see your smb.conf?
>>
>> This could be a network problem, have you investigated this 
>> possibility?
>>
>> Rowland
>
> Around 4700 users...
>
> [root at CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
> [global]
>    workgroup = BP
>    realm = BP.NET
>    security = ads
>    idmap uid = 10000-99999
>    idmap gid = 10000-99999
>    idmap config BP:backend = rid
>    idmap config BP:range = 10000000-19999999
>    winbind enum users = no
>    winbind enum groups = no
>    winbind use default domain = yes
>    template homedir = /home/BP/%U
>    template shell = /bin/bash
>    hosts allow = 192.168.
>    valid users = %U
>    interfaces = eth0
>    bind interfaces only = yes
>
> [root at CTA1PAPAN001645 ~]# net ads info
> LDAP server: 192.168.200.80
> LDAP server name: srvsmb4-pdc.bp.net
> Realm: BP.NET
> Bind Path: dc=BP,dc=NET
> LDAP port: 389
> Server time: Qua, 05 Ago 2015 13:08:16 BRT
> KDC server: 192.168.200.80
> Server time offset: 0
>
> [root at CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
> .
> --- 192.168.200.80 ping statistics ---
> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 
> 0.473/0.377 ms
>
>
> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
>

I don't know what OS you are using, but you are using the 'rid' backend 
and seem to be mixing up the old way of setting ranges with the new way:

   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config BP:backend = rid
   idmap config BP:range = 10000000-19999999

I would expect something like this:

   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config BP : backend = rid
   idmap config BP : range = 10000000-19999999

I do not know if this will speed things up, but it is worth trying. I 
would also remove the 'valid users' line, there doesn't seem to be any 
point to it, as it seems to allow all users.

Rowland
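As an added example (my own code, not part of the thread or of Samba), a small Python lint that reads the [global] section of an smb.conf and flags the idmap problems Rowland points out: old-style `idmap uid`/`idmap gid` mixed with `idmap config` ranges, no default (`*`) range for BUILTIN and other non-domain SIDs, and per-domain ranges that overlap. The two embedded configs are constructed from the poster's lines and Rowland's suggested replacement.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's idmap lines from the thread.
POSTED = """\
[global]
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config BP:backend = rid
   idmap config BP:range = 10000000-19999999
"""
# Constructed sample: the layout Rowland suggests instead.
SUGGESTED = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config BP : backend = rid
   idmap config BP : range = 10000000-19999999
"""
_IDMAP_RANGE = re.compile(r"^idmap config\s*([^:]+?)\s*:\s*range$")


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters; keys lower-cased, spaces around ':' dropped."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            params[re.sub(r"\s*:\s*", ":", key).lower()] = val
    return params


def lint_idmap(params: Dict[str, str]) -> List[str]:
    """Flag the idmap mistakes discussed in the thread; empty list means clean."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, val in params.items():
        m = _IDMAP_RANGE.match(key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))  # ValueError if malformed
            ranges[m.group(1)] = (lo, hi)
    if ranges and ("idmap uid" in params or "idmap gid" in params):
        findings.append("old-style 'idmap uid/gid' mixed with 'idmap config' ranges")
    if ranges and "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default (BUILTIN) backend")
    items = sorted(ranges.items())
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # intervals intersect
                findings.append(f"ranges for '{d1}' and '{d2}' overlap")
    return findings
```

Run `lint_idmap(parse_global(open("/etc/samba/smb.conf").read()))` on a workstation to get the list of findings; the poster's config yields two, Rowland's none.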