[Samba] Linux Workstation x SMB4 DC

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 5 19:13:52 UTC 2015


On 05/08/15 19:55, Jefferson B. Limeira wrote:
> On 2015-08-05 13:38, Rowland Penny wrote:
>> On 05/08/15 17:18, Jefferson B. Limeira wrote:
>>> On 2015-08-05 11:45, Rowland Penny wrote:
>>>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>>>> An example of how slow it is...
>>>>>
>>>>> [root at CTA1PAPAN001645 ~]# time id teste
>>>>> uid=16777232(teste) gid=16777216(domain users) 
>>>>> grupos=16777216(domain 
>>>>> users),16777220(operacao),16777222(BUILTIN\users)
>>>>>
>>>>> real    1m15.981s
>>>>> user    0m0.005s
>>>>> sys    0m0.007s
>>>>>
>>>>> According to this documentation, if I want to use File Sharing without 
>>>>> AD modifications, the only option is Winbind (idmap_rid).
>>>>>
>>>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf 
>>>>> On 2015-07-31 13:19, John Yocum wrote:
>>>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>>>> What is the best way to authenticate users in SMB4 DC on Linux 
>>>>>>> workstation?
>>>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>>>
>>>>>>
>>>>>> How slow is "very slow"?
>>>>>>
>>>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>>>> experience. You could combine nslcd with Kerberos, which also 
>>>>>> works very
>>>>>> well. Of course both of these methods require you to have unix
>>>>>> attributes stored in AD for your users.
>>>>>>
>>>>>> -- John Yocum, Systems Administrator, DEOHS
>>>>>
>>>>
>>>> You seem to have a serious problem there:
>>>>
>>>> rowland at ThinkPad ~/ $ time id rowland
>>>> uid=10000(rowland) gid=10000(domain_users)
>>>> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators) 
>>>> real    0m0.614s
>>>> user    0m0.002s
>>>> sys    0m0.003s
>>>>
>>>> Just how many users do you have ?
>>>>
>>>> Can we see your smb.conf ?
>>>>
>>>> This could be a network problem, have you investigated this 
>>>> possibility ?
>>>>
>>>> Rowland
>>>
>>> Around 4700 users...
>>>
>>> [root at CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
>>> [global]
>>>    workgroup = BP
>>>    realm = BP.NET
>>>    security = ads
>>>    idmap uid = 10000-99999
>>>    idmap gid = 10000-99999
>>>    idmap config BP:backend = rid
>>>    idmap config BP:range = 10000000-19999999
>>>    winbind enum users = no
>>>    winbind enum groups = no
>>>    winbind use default domain = yes
>>>    template homedir = /home/BP/%U
>>>    template shell = /bin/bash
>>>    hosts allow = 192.168.
>>>    valid users = %U
>>>    interfaces = eth0
>>>    bind interfaces only = yes
>>>
>>> [root at CTA1PAPAN001645 ~]# net ads info
>>> LDAP server: 192.168.200.80
>>> LDAP server name: srvsmb4-pdc.bp.net
>>> Realm: BP.NET
>>> Bind Path: dc=BP,dc=NET
>>> LDAP port: 389
>>> Server time: Qua, 05 Ago 2015 13:08:16 BRT
>>> KDC server: 192.168.200.80
>>> Server time offset: 0
>>>
>>> [root at CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
>>> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
>>> .
>>> --- 192.168.200.80 ping statistics ---
>>> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
>>> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 
>>> 0.473/0.377 ms
>>>
>>>
>>> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
>>>
>>
>> I don't know what OS you are using, but you are using the 'rid'
>> backend and seem to be mixing up the old way of setting ranges with
>> the new way:
>>
>>   idmap uid = 10000-99999
>>   idmap gid = 10000-99999
>>   idmap config BP:backend = rid
>>   idmap config BP:range = 10000000-19999999
>>
>> I would expect something like this:
>>
>>   idmap config * : backend = tdb
>>   idmap config * : range = 10000-99999
>>   idmap config BP : backend = rid
>>   idmap config BP : range = 10000000-19999999
>>
>> I do not know if this will speed things up, but it is worth trying. I
>> would also remove the 'valid users' line, there doesn't seem any point
>> to it, as it seems to allow all users.
>>
>> Rowland
>
> I'm using CentOS 6.5 in all computers, workstations and servers. Samba 
> 4.2.3, compiled last night.
>
> I wrote a script that connects to some workstations and runs 'time id 
> teste'; the result:
>
> # ./exec.sh  |grep ^real
> real    0m1.944s
> real    0m0.051s
> real    0m1.843s
> real    0m1.798s
> real    0m18.236s
> real    0m1.756s
> real    0m1.769s
> real    0m2.092s
> real    0m1.952s
> real    0m1.954s
> real    0m17.588s
> real    0m4.841s
> real    1m48.618s
> real    1m38.985s
> real    2m1.186s
> real    1m17.514s
> real    1m43.024s
> real    1m27.757s
> real    1m29.072s
>

That is not slow, it is glacial :-)

> From a certain moment, all workstations have increased response time. 
> At this point, do you believe it is a problem with the workstation configuration?
>

There is something definitely wrong, but what ?

> I set log level = 9 in smb.conf and restart winbind.
> A great time gap occurred after 'getpwnam teste', between 15:40:27 and 
> 15:41:02
>
> [2015/08/05 15:40:27.870746,  3] 
> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam teste
> [2015/08/05 15:41:02.906043,  6] winbindd/winbindd.c:822(new_connection)
>   accepted socket 22
> [2015/08/05 15:41:02.906169,  3] 
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 2321]: request interface version
> [2015/08/05 15:41:02.906332,  3] 
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 2321]: request location of privileged pipe
> [2015/08/05 15:41:02.906529,  6] winbindd/winbindd.c:822(new_connection)
>   accepted socket 28
> [2015/08/05 15:41:02.906628,  6] 
> winbindd/winbindd.c:870(winbind_client_request_read)
>   closing socket 22, client exited
> [2015/08/05 15:41:02.906702,  3] 
> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam teste
> [2015/08/05 15:41:19.232330,  5] 
> winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: 
> NT_STATUS_SERVER_DISABLED
>

Hmm, 'S-1-5-21-3802641769-3585385758-3926675344-500' is the SID-RID for 
'Administrator' and 'NT_STATUS_SERVER_DISABLED' probably means what it says.

OK, how did you compile samba?
Why did you compile samba 4.2.3? It is available from Sernet.

How are you starting samba on the various machines ?
Can you post the smb.conf from the DCs and the servers etc ?

Can you check that the following daemons are running:

DC: samba, smbd, winbindd
workstation or member server: smbd, nmbd, winbindd

> Sorry for my English.
>

Never apologise for your English. As a native English speaking person, I 
am honoured that you have taken the time to learn my language; I, on the 
other hand, do not speak any other languages.

Rowland
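The idmap point raised in this thread (legacy 'idmap uid/gid' lines mixed with per-domain 'idmap config' entries, no default '*' backend, and a 'valid users = %U' line that restricts nothing) can be checked mechanically. The following is an added example, not a script from the poster or from Samba; the two smb.conf fragments are constructed from the configurations quoted above, and the parser is a deliberately minimal one that only reads the [global] section.

```python
import re

# Constructed sample: the poster's idmap lines, old 'idmap uid/gid' mixed with 'idmap config'.
MIXED = """[global]
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config BP:backend = rid
   idmap config BP:range = 10000000-19999999
   valid users = %U
"""

# Constructed sample: the layout suggested in the reply above.
CORRECTED = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config BP : backend = rid
   idmap config BP : range = 10000000-19999999
"""

def parse_global(text):
    """Return [global] parameters as a dict; keys are lower-cased and 'BP : range'
    is normalised to 'bp:range', so both spellings used on the list name one key."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', ' '.join(key.lower().split()))
            params[key] = value.strip()
    return params

def check_idmap(params):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, domains = [], {}
    for key, value in params.items():
        m = re.fullmatch(r'idmap config ([^:]+):(backend|range)', key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    if any(k in params for k in ('idmap uid', 'idmap gid')) and domains:
        findings.append("legacy 'idmap uid/gid' mixed with 'idmap config' lines")
    if '*' not in domains:
        findings.append("no default 'idmap config *' entry for non-domain SIDs such as BUILTIN")
    if params.get('valid users') == '%U':
        findings.append("'valid users = %U' admits every user; it restricts nothing")
    return findings
```

Running `check_idmap(parse_global(MIXED))` reports all three issues, while the corrected fragment produces no findings.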
