[Samba] Linux Workstation x SMB4 DC

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Aug 5 19:40:36 UTC 2015


On Wed, Aug 05, 2015 at 08:13:52PM +0100, Rowland Penny wrote:
> ># ./exec.sh  |grep ^real
> >real    0m1.944s
> >real    0m0.051s
> >real    0m1.843s
> >real    0m1.798s
> >real    0m18.236s
> >real    0m1.756s
> >real    0m1.769s
> >real    0m2.092s
> >real    0m1.952s
> >real    0m1.954s
> >real    0m17.588s
> >real    0m4.841s
> >real    1m48.618s
> >real    1m38.985s
> >real    2m1.186s
> >real    1m17.514s
> >real    1m43.024s
> >real    1m27.757s
> >real    1m29.072s
> >
> 
> That is not slow, it is glacial :-)
> 
> >From a certain moment, all workstations have increased response
> >time. At this moment, do you believe there is a problem with the
> >workstation configuration?
> >
> 
> There is something definitely wrong, but what ?

I've seen "id <username>" enumerate all groups in certain
circumstances. Just matching the /etc/group model of group memberships,
for the /etc/group *file* you have to scan the whole thing to find the
memberships. There are nss API calls to improve this for other backends,
but you should make sure you're not running into that for your case.

By the way, "id <username>" is not reliable to list group memberships and
can't ever be. Windows AD just does not allow winbind to list this. The
*only* reliable way to figure out group memberships is to successfully
log into your AD account, either with Kerberos or with NTLM.  For this
successfully logged in account the group memberships are precise. Nothing
else will work.

I've had many discussions over this, too many. Here I'd very boldly say to
"just trust me on this".

Volker

> 
> >I set log level = 9 in smb.conf and restarted winbind.
> >A great time gap occurred after 'getpwnam teste' between 15:40:27
> >and 15:41:02
> >
> >[2015/08/05 15:40:27.870746,  3]
> >winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >  getpwnam teste
> >[2015/08/05 15:41:02.906043,  6] winbindd/winbindd.c:822(new_connection)
> >  accepted socket 22
> >[2015/08/05 15:41:02.906169,  3]
> >winbindd/winbindd_misc.c:384(winbindd_interface_version)
> >  [ 2321]: request interface version
> >[2015/08/05 15:41:02.906332,  3]
> >winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> >  [ 2321]: request location of privileged pipe
> >[2015/08/05 15:41:02.906529,  6] winbindd/winbindd.c:822(new_connection)
> >  accepted socket 28
> >[2015/08/05 15:41:02.906628,  6]
> >winbindd/winbindd.c:870(winbind_client_request_read)
> >  closing socket 22, client exited
> >[2015/08/05 15:41:02.906702,  3]
> >winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >  getpwnam teste
> >[2015/08/05 15:41:19.232330,  5]
> >winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> >  Could not convert sid
> >S-1-5-21-3802641769-3585385758-3926675344-500:
> >NT_STATUS_SERVER_DISABLED
> >
> 
> Hmm, 'S-1-5-21-3802641769-3585385758-3926675344-500' is the SID-RID
> for 'Administrator' and 'NT_STATUS_SERVER_DISABLED' probably means
> what it says.
> 
> OK, how did you compile samba?
> Why did you compile samba 4.2.3, it is available from Sernet.
> 
> How are you starting samba on the various machines ?
> Can you post the smb.conf from the DCs and the servers etc ?
> 
> Can you check that the following daemons are running:
> 
> DC: samba, smbd, winbindd
> workstation or member server: smbd, nmbd, winbindd
> 
> >Sorry for my English.
> >
> 
> Never apologise for your English, as a native English speaking
> person, I am honoured that you have taken the time to learn my
> language, I, on the other hand, do not speak any other languages.
> 
> Rowland
> 

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
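
An added example, not part of the original message and not Samba code: the whole-file scan that the /etc/group model needs to find one user's groups, plus a helper that times the NSS steps behind "id <username>" separately. The sample group data and all function names are constructed for illustration; for AD accounts the returned list is a timing aid only, not an authoritative membership list.

```python
import grp
import os
import pwd
import time

# Constructed sample in /etc/group format (name:passwd:gid:members).
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
domain users:x:10000:
staff:x:10001:alice
broken line
ops:x:10002:bob,alice
"""

def memberships_by_scan(user, primary_gid, group_lines):
    """/etc/group model: every entry is read to find one user's groups."""
    gids = {primary_gid}
    scanned = 0
    for line in group_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed entries
        scanned += 1
        if user in [m for m in fields[3].split(",") if m]:
            gids.add(int(fields[2]))
    return sorted(gids), scanned

def timed(fn, *args):
    """Run fn and return (result or exception, elapsed seconds)."""
    start = time.monotonic()
    try:
        result = fn(*args)
    except (KeyError, OSError) as exc:
        result = exc
    return result, time.monotonic() - start

def profile_nss(user):
    """Time each NSS step on this host to see which one is slow."""
    pw, elapsed = timed(pwd.getpwnam, user)
    report = {"getpwnam": elapsed}
    if isinstance(pw, Exception):
        return report  # unknown user: nothing further to time
    # initgroups-style call: the backend is asked for this user only
    _, report["getgrouplist"] = timed(os.getgrouplist, user, pw.pw_gid)
    # full enumeration: the cost paid when every group is walked
    _, report["getgrall"] = timed(grp.getgrall)
    return report

if __name__ == "__main__":
    import sys
    print(memberships_by_scan("alice", 10000, SAMPLE_GROUP.splitlines()))
    for step, secs in profile_nss(sys.argv[1] if len(sys.argv) > 1 else "root").items():
        print(f"{step:14s} {secs:.3f}s")
```

If `getgrouplist` takes about as long as `getgrall`, the per-user lookup is falling back to walking all groups.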
