[Samba] Linux Workstation x SMB4 DC
Jefferson B. Limeira
jbl at internexxus.com.br
Wed Aug 5 18:55:25 UTC 2015
On 2015-08-05 13:38, Rowland Penny wrote:
> On 05/08/15 17:18, Jefferson B. Limeira wrote:
>> On 2015-08-05 11:45, Rowland Penny wrote:
>>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>>> An example of how slow it is...
>>>> [root at CTA1PAPAN001645 ~]# time id teste
>>>> uid=16777232(teste) gid=16777216(domain users)
>>>> real 1m15.981s
>>>> user 0m0.005s
>>>> sys 0m0.007s
>>>> According to this documentation, if I want to use File Sharing without AD
>>>> modifications, the only option is Winbind (idmap_rid).
>>>> On 2015-07-31 13:19, John Yocum wrote:
>>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>>> What is the best way to authenticate users in SMB4 DC on Linux
>>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>> How slow is "very slow"?
>>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>>> experience. You could combine nslcd with Kerberos, which also works
>>>>> well. Of course both of these methods require you to have unix
>>>>> attributes stored in AD for your users.
>>>>> -- John Yocum, Systems Administrator, DEOHS
>>> You seem to have a serious problem there:
>>> rowland at ThinkPad ~/ $ time id rowland
>>> uid=10000(rowland) gid=10000(domain_users)
>>> real 0m0.614s
>>> user 0m0.002s
>>> sys 0m0.003s
>>> Just how many users do you have ?
>>> Can we see your smb.conf ?
>>> This could be a network problem, have you investigated this
>>> possibility ?
>> Around 4700 users...
>> [root at CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
>> workgroup = BP
>> realm = BP.NET
>> security = ads
>> idmap uid = 10000-99999
>> idmap gid = 10000-99999
>> idmap config BP:backend = rid
>> idmap config BP:range = 10000000-19999999
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> template homedir = /home/BP/%U
>> template shell = /bin/bash
>> hosts allow = 192.168.
>> valid users = %U
>> interfaces = eth0
>> bind interfaces only = yes
>> [root at CTA1PAPAN001645 ~]# net ads info
>> LDAP server: 192.168.200.80
>> LDAP server name: srvsmb4-pdc.bp.net
>> Realm: BP.NET
>> Bind Path: dc=BP,dc=NET
>> LDAP port: 389
>> Server time: Qua, 05 Ago 2015 13:08:16 BRT
>> KDC server: 192.168.200.80
>> Server time offset: 0
>> [root at CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
>> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
>> --- 192.168.200.80 ping statistics ---
>> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
>> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma
>> 0.473/0.377 ms
>> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
> I don't know what OS you are using, but you are using the 'rid'
> backend and seem to be mixing up the old way of setting ranges with
> the new way:
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> idmap config BP:backend = rid
> idmap config BP:range = 10000000-19999999
> I would expect something like this:
> idmap config * : backend = tdb
> idmap config * : range = 10000-99999
> idmap config BP : backend = rid
> idmap config BP : range = 10000000-19999999
> I do not know if this will speed things up, but it is worth trying. I
> would also remove the 'valid users' line, there doesn't seem to be any
> point to it, as it seems to allow all users.
I'm using CentOS 6.5 on all computers, workstations and servers. Samba
4.2.3, compiled last night.
I wrote a script that connects to some workstations and runs 'time id
teste'; the result:
# ./exec.sh |grep ^real
From a certain moment, all workstations have increased response time. At
this point, do you believe there is a problem in the workstation configuration?
I set log level = 9 in smb.conf and restarted winbind.
A great time gap occurred after 'getpwnam teste' between 15:40:27 and
[2015/08/05 15:40:27.870746, 3]
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
accepted socket 22
[2015/08/05 15:41:02.906169, 3]
[ 2321]: request interface version
[2015/08/05 15:41:02.906332, 3]
[ 2321]: request location of privileged pipe
[2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
accepted socket 28
[2015/08/05 15:41:02.906628, 6]
closing socket 22, client exited
[2015/08/05 15:41:02.906702, 3]
[2015/08/05 15:41:19.232330, 5]
Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500:
Sorry for my English.
's Jefferson B. Limeira
jbl at internexxus.com.br
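
Added example (not part of the original message and not Samba project code): a small Python helper that finds stalls like the one described above by measuring the time between consecutive Samba debug headers. `find_gaps`, `EXCERPT` and the 5-second threshold are names and values chosen for this illustration; the sample input is the log excerpt as it appears in the message, with its missing message bodies left missing.

```python
import re
from datetime import datetime

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.micro, level] optional source location"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*\d+\]")

def find_gaps(lines, threshold=5.0):
    """Return (seconds, stamp_before, stamp_after, text_before) for every pause
    between consecutive log headers longer than `threshold` seconds."""
    gaps, prev, context = [], None, []
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if not m:
            if line:
                context.append(line)   # body of the entry opened by `prev`
            continue
        stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        if prev is not None:
            delta = (stamp - prev[0]).total_seconds()
            if delta > threshold:
                # text_before is the last thing logged before the stall
                gaps.append((delta, prev[1], m.group(1), " ".join(context)))
        prev, context = (stamp, m.group(1)), []
    return gaps

# Log excerpt as quoted in the message above (several entry bodies are absent).
EXCERPT = """\
[2015/08/05 15:40:27.870746, 3]
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
accepted socket 22
[2015/08/05 15:41:02.906169, 3]
[ 2321]: request interface version
[2015/08/05 15:41:02.906332, 3]
[ 2321]: request location of privileged pipe
[2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
accepted socket 28
[2015/08/05 15:41:02.906628, 6]
closing socket 22, client exited
[2015/08/05 15:41:02.906702, 3]
[2015/08/05 15:41:19.232330, 5]
Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500:
"""

if __name__ == "__main__":
    for secs, before, after, text in find_gaps(EXCERPT.splitlines()):
        print(f"{secs:9.3f}s  {before} -> {after}  last logged: {text or '(empty)'}")
```

On a complete winbindd log, the `text_before` field shows which request was in flight when each stall began.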