[Samba] Linux Workstation x SMB4 DC

Jefferson B. Limeira jbl at internexxus.com.br
Wed Aug 5 18:55:25 UTC 2015


On 2015-08-05 13:38, Rowland Penny wrote:
> On 05/08/15 17:18, Jefferson B. Limeira wrote:
>> On 2015-08-05 11:45, Rowland Penny wrote:
>>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>>> An example of how slow it is...
>>>> 
>>>> [root@CTA1PAPAN001645 ~]# time id teste
>>>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>>> 
>>>> real    1m15.981s
>>>> user    0m0.005s
>>>> sys    0m0.007s
>>>> 
>>>> According to this documentation, if I want to use file sharing without AD 
>>>> modifications, the only option is Winbind (idmap_rid).
>>>> 
>>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf 
>>>> On 2015-07-31 13:19, John Yocum wrote:
>>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>>> What is the best way to authenticate users against a SMB4 DC on a Linux 
>>>>>> workstation?
>>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>> 
>>>>> 
>>>>> How slow is "very slow"?
>>>>> 
>>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>>> experience. You could combine nslcd with Kerberos, which also works 
>>>>> very
>>>>> well. Of course both of these methods require you to have unix
>>>>> attributes stored in AD for your users.
>>>>> 
>>>>> -- John Yocum, Systems Administrator, DEOHS
>>>> 
>>> 
>>> You seem to have a serious problem there:
>>> 
>>> rowland@ThinkPad ~/ $ time id rowland
>>> uid=10000(rowland) gid=10000(domain_users)
>>> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators) 
>>> real    0m0.614s
>>> user    0m0.002s
>>> sys    0m0.003s
>>> 
>>> Just how many users do you have ?
>>> 
>>> Can we see your smb.conf ?
>>> 
>>> This could be a network problem, have you investigated this 
>>> possibility ?
>>> 
>>> Rowland
>> 
>> Around 4700 users...
>> 
>> [root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
>> [global]
>>    workgroup = BP
>>    realm = BP.NET
>>    security = ads
>>    idmap uid = 10000-99999
>>    idmap gid = 10000-99999
>>    idmap config BP:backend = rid
>>    idmap config BP:range = 10000000-19999999
>>    winbind enum users = no
>>    winbind enum groups = no
>>    winbind use default domain = yes
>>    template homedir = /home/BP/%U
>>    template shell = /bin/bash
>>    hosts allow = 192.168.
>>    valid users = %U
>>    interfaces = eth0
>>    bind interfaces only = yes
>> 
>> [root@CTA1PAPAN001645 ~]# net ads info
>> LDAP server: 192.168.200.80
>> LDAP server name: srvsmb4-pdc.bp.net
>> Realm: BP.NET
>> Bind Path: dc=BP,dc=NET
>> LDAP port: 389
>> Server time: Qua, 05 Ago 2015 13:08:16 BRT
>> KDC server: 192.168.200.80
>> Server time offset: 0
>> 
>> [root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
>> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
>> .
>> --- 192.168.200.80 ping statistics ---
>> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
>> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms
>> 
>> 
>> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
>> 
> 
> I don't know what OS you are using, but you are using the 'rid'
> backend and seem to be mixing up the old way of setting ranges with
> the new way:
> 
>   idmap uid = 10000-99999
>   idmap gid = 10000-99999
>   idmap config BP:backend = rid
>   idmap config BP:range = 10000000-19999999
> 
> I would expect something like this:
> 
>   idmap config * : backend = tdb
>   idmap config * : range = 10000-99999
>   idmap config BP : backend = rid
>   idmap config BP : range = 10000000-19999999
> 
> I do not know if this will speed things up, but it is worth trying. I
> would also remove the 'valid users' line, there doesn't seem any point
> to it, as it seems to allow all users.
> 
> Rowland

I'm using CentOS 6.5 on all computers, workstations and servers. Samba 
4.2.3, compiled last night.

I wrote a script that connects to some workstations and runs 'time id 
teste'; the result:

# ./exec.sh  |grep ^real
real	0m1.944s
real	0m0.051s
real	0m1.843s
real	0m1.798s
real	0m18.236s
real	0m1.756s
real	0m1.769s
real	0m2.092s
real	0m1.952s
real	0m1.954s
real	0m17.588s
real	0m4.841s
real	1m48.618s
real	1m38.985s
real	2m1.186s
real	1m17.514s
real	1m43.024s
real	1m27.757s
real	1m29.072s

From a certain moment, all workstations have increased response time. At 
this point, do you believe it is a problem with the workstation configuration?

I set log level = 9 in smb.conf and restarted winbind.
A large time gap occurred after 'getpwnam teste', between 15:40:27 and 
15:41:02:

[2015/08/05 15:40:27.870746,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam teste
[2015/08/05 15:41:02.906043,  6] winbindd/winbindd.c:822(new_connection)
   accepted socket 22
[2015/08/05 15:41:02.906169,  3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
   [ 2321]: request interface version
[2015/08/05 15:41:02.906332,  3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
   [ 2321]: request location of privileged pipe
[2015/08/05 15:41:02.906529,  6] winbindd/winbindd.c:822(new_connection)
   accepted socket 28
[2015/08/05 15:41:02.906628,  6] winbindd/winbindd.c:870(winbind_client_request_read)
   closing socket 22, client exited
[2015/08/05 15:41:02.906702,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam teste
[2015/08/05 15:41:19.232330,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED

Sorry for my English.

-- 
[]'s Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628
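Two things in this thread are worth automating when chasing slow winbind lookups: Rowland's point that the posted smb.conf mixes the deprecated global `idmap uid`/`idmap gid` ranges with per-domain `idmap config` lines and has no default (`*`) backend for BUILTIN and other foreign SIDs, and Jefferson's method of turning the log level up and looking for the time gap between consecutive winbindd log entries. The script below is an added example written for this page; it is not code from the thread or from the Samba project. The `parse_global`, `check_idmap` and `find_stalls` functions are hypothetical names, and the smb.conf excerpts and log lines are constructed from the values quoted above. Samba parameter names are matched case-insensitively and with whitespace around `:` ignored, so `BP : range` and `BP:range` are treated as the same key.

```python
"""Added example (not from the thread): check the winbind idmap settings in an
smb.conf for the mix-up described above, and locate stalls in a winbindd log."""
import re
from datetime import datetime

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF_MIXED = """
[global]
   workgroup = BP
   realm = BP.NET
   security = ads
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config BP:backend = rid
   idmap config BP:range = 10000000-19999999
"""

# Constructed sample: the layout suggested in the reply instead.
SMB_CONF_FIXED = """
[global]
   workgroup = BP
   realm = BP.NET
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config BP : backend = rid
   idmap config BP : range = 10000000-19999999
"""

# Constructed sample: four winbindd entries in the format posted in the thread.
WINBIND_LOG = """\
[2015/08/05 15:40:27.870746,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:02.906043,  6] winbindd/winbindd.c:822(new_connection)
  accepted socket 22
[2015/08/05 15:41:02.906702,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:19.232330,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED
"""


def parse_global(text):
    """Return {parameter: value} for the [global] section. Keys are lowercased
    and whitespace around ':' is dropped, so 'BP : range' and 'BP:range' match."""
    params = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
            continue
        if in_global and '=' in line:
            key, value = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', key.strip().lower())
            params[key] = value.strip()
    return params


def check_idmap(params):
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    findings = []
    if 'idmap uid' in params or 'idmap gid' in params:
        findings.append("deprecated 'idmap uid'/'idmap gid' mixed with 'idmap config'")
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r'idmap config ([^:]+):range', key)
        if not m:
            continue
        dom = m.group(1)
        lo, hi = (int(x) for x in value.split('-'))
        ranges[dom] = (lo, hi)
        if f'idmap config {dom}:backend' not in params:
            findings.append(f"range for '{dom}' has no backend")
    if '*' not in ranges:
        findings.append("no 'idmap config * : range' for the default (BUILTIN etc.) backend")
    names = sorted(ranges)
    for i, a in enumerate(names):          # every pair of domain ranges must be disjoint
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings


# Samba log header: "[YYYY/MM/DD HH:MM:SS.micros,  level] source.c:line(function)"
TS_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*\d+\]\s*(.*)$')


def find_stalls(log_text, threshold_s=10.0):
    """Return (gap_seconds, entry_before, entry_after) for each pair of consecutive
    log headers that are more than threshold_s apart; message lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S.%f')
            entries.append((ts, m.group(2)))
    stalls = []
    for (t0, e0), (t1, e1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > threshold_s:
            stalls.append((round(gap, 3), e0, e1))
    return stalls


if __name__ == '__main__':
    for name, conf in (('mixed', SMB_CONF_MIXED), ('fixed', SMB_CONF_FIXED)):
        print(name, check_idmap(parse_global(conf)) or 'ok')
    for gap, before, after in find_stalls(WINBIND_LOG):
        print(f'{gap:8.3f}s stall after: {before}')
```

Run against the constructed log it reports the 35 s stall between `getpwnam teste` being received and the next client connection, and the 16 s wait before the SID lookup failed with `NT_STATUS_SERVER_DISABLED`; on a real workstation, point `find_stalls` at `/var/log/samba/log.winbindd` after raising the log level as done above. The config check flags only what is visible in the file (deprecated keys, a missing default backend, overlapping ranges); whether the DC itself is answering slowly, as the stall locations suggest, still has to be confirmed on the server side.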
