[Samba] winbind - frequent high CPU utilization

L.P.H. van Belle belle at bazuin.nl
Tue Aug 13 10:21:04 UTC 2019


Hi,

This is how I run my squid + winbind for auth.
It's a very stable setup; I suggest you have a good look at it and test it.

First, strip your smb.conf:

[global]
    # Auth-Only setup with winbind. ( no Shares )

    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM
    netbios name = HOSTNAME

    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes

    # change eth0 to your interface name (route -n | grep UG | awk '{print $NF}')
    interfaces = eth0 lo
    bind interfaces only = yes

    log level = 1

    # Add and update the TLS key (use your own certs, not the ones generated by Samba).
    # ! I published my own Root CA via GPO; SSO (Kerberos) works with Squid.
    tls enabled = yes
    tls keyfile = /etc/ssl/private/hostname.key.pem
    tls certfile = /etc/ssl/certs/hostname.cert.pem
    tls cafile = /etc/ssl/certs/company-ca.crt

    ## map ids from outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999

    ## Enable one of these two (RID or AD).
    # Backend RID setup
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999

    ## Backend AD setup.
    ## map ids from the domain; the domain range and the (*) range may not overlap!
    ##idmap config NTDOM : backend = ad
    ##idmap config NTDOM : schema_mode = rfc2307
    ##idmap config NTDOM : range = 10000-3999999

    ## 4.6+ ( get primary group from AD )
    ## idmap config NTDOM : unix_nss_info = yes
    ## 4.6+ ( get primary group from unix primary group )
    ## idmap config NTDOM : unix_primary_group = yes

###########

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # We strip the domain (NTDOM\username) to username
    # ! Normally not advised
    winbind use default domain = yes

    # use:  getent passwd username  to check.
    # enabling these slows down your samba.
    winbind enum users  = no
    winbind enum groups = no

    # enable offline logins
    #winbind offline logon = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershares creating
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For ACL support on member servers with shares
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

######## NO SHARE DEFINITIONS ################


###############################################################
For squid auth (tested from squid 4.1 up to 4.8) I use:

# Keytab creation: export KRB5_KTNAME=FILE:/etc/squid/HTTP-squid.keytab
# kinit Administrator
# net ads keytab CREATE
# net ads keytab ADD HTTP/$(hostname -f)
# net ads keytab ADD HTTP/SOMEALIAS  (only if needed)
# Verify the new keytab : klist -ke /etc/squid/HTTP-squid.keytab
# unset KRB5_KTNAME
# chgrp proxy /etc/squid/HTTP-squid.keytab
# chmod g+r /etc/squid/HTTP-squid.keytab
# ! The server must have an A and a PTR record for correct kerberos auth to work.
# If you're not able to set a correct A and PTR, use 

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth \
        -k /etc/squid/HTTP-squid.keytab \
        -s HTTP/hostname.your.dnsdomain.tld@YOUR.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Optional
# If negotiate_kerberos_auth for some reason doesn't determine the right service principal, you can provide it with -s HTTP/fqdn.
# If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

### pure ntlm authentication 
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
#auth_param ntlm children 10
#auth_param ntlm keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -b "dc=your,dc=dnsdomain,dc=tld" \
  -D ldap-bind@your.dnsdomain.tld -W /etc/squid/user-pass -f sAMAccountName=%s \
  -H ldaps://dc1.your.dnsdomain.tld \
  -H ldaps://dc2.your.dnsdomain.tld

auth_param basic children 5 startup=1 idle=1
auth_param basic children 10
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 1 hours

authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

# your acls, etc.

# set up a caching + forwarding DNS.
# Optional: force squid to use ipv4 to resolve dns first.
dns_v4_first on
dns_nameservers 127.0.0.1


## BIND
# add a forward zone for "internal.dnsdomain.tld" that forwards to your AD DCs.
# add a forwarding reverse zone for your internal in-addr.arpa zone.

# add the proxy user to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

Test the setup. 

Still slow. 

Try upgrading your samba AND squid  ;-) 

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-squid48 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

My squid packages are as compatible as the normal Debian squid packages. 
You can install them and test them; if you don't like them, remove the repo line and reinstall the official ones again. 
I only also enabled ssl in my packages, as I wanted to test ssl bumping. 
Works great :-) 


You don't need NMBD to run.


My timings: 
time getent group "domain users"
domain users:x:10000:

real    0m0.005s
user    0m0.002s
sys     0m0.000s

time getent passwd username
username:*:10002:10000:L.P.H. van Belle:/home/users/username:/bin/bash

real    0m0.006s
user    0m0.000s
sys     0m0.003s

time nslookup $(hostname -d)
Server:         127.0.0.1
Address:        127.0.0.1#53
.. 
real    0m0.016s
user    0m0.010s
sys     0m0.005s

time nslookup dc1.your.dnsdomain.tld
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   dc1.your.dnsdomain.tld
Address: 192.168.249.211

real    0m0.014s
user    0m0.005s
sys     0m0.009s

time wbinfo -r username 
... GID'S HERE 
.... 
real    0m0.021s
user    0m0.013s
sys     0m0.004s

So as far as I can see, I'm at almost every point twice as fast as your setup. 
I'm running in a VM: 
model name      : AMD Opteron(tm) Processor 4386
With 4GB ram 4 vCPU's assigned for this server. 



Greetz, 

Louis
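The smb.conf above insists that the default (*) idmap range and the domain range may not overlap. As an added example (not part of the original mail or of Samba), here is a small checker that parses the idmap range lines out of an smb.conf fragment and reports inverted or overlapping ranges; the sample configuration is constructed and deliberately overlaps.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment modelled on the config above; the AD backend
# is enabled with a range that collides with the default (*) tdb range.
SAMPLE_SMB_CONF = """
[global]
    workgroup = NTDOM
    security = ADS
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 9000-3999999
"""

# Matches "idmap config <domain> : <option> = <value>"; Samba allows spaces
# around the colon, and the domain may be "*" for the default backend.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every uncommented idmap range line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # commented-out lines are skipped
            continue
        m = IDMAP_RE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        low, high = (int(x) for x in m.group(3).split("-", 1))
        ranges[m.group(1).upper()] = (low, high)
    return ranges

def check_idmap_ranges(conf_text: str) -> List[str]:
    """Return a list of problems: empty/inverted ranges and pairwise overlaps."""
    ranges = parse_idmap_ranges(conf_text)
    problems = []
    for dom, (low, high) in ranges.items():
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} is empty or inverted")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:   # closed intervals intersect
                problems.append(f"{a} ({a_lo}-{a_hi}) overlaps {b} ({b_lo}-{b_hi})")
    return problems

if __name__ == "__main__":
    for p in check_idmap_ranges(SAMPLE_SMB_CONF) or ["idmap ranges OK"]:
        print(p)
```

Run it against a real smb.conf with `check_idmap_ranges(open("/etc/samba/smb.conf").read())`; an empty list means no range problem was found.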




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Zbynek via samba
> Sent: Tuesday, 13 August 2019 10:25
> To: samba at lists.samba.org
> Subject: [Samba] winbind - frequent high CPU utilization
> 
> 
> Hi.
> 
> I use winbind + squid on Debian Buster to authenticate users 
> + authorize them based on the groups they are in. It all works well, 
> but winbind's CPU utilization peaks can reach up to 100%. The same 
> solution ran OK on Debian Jessie with up to 20% CPU utilization at most.
> 
> 
> The configuration of Buster must have been updated based on the samba 
> version leap/shift compared to Jessie.
> 
> On Buster I encountered this error: https://serverfault.com/questions/789532/winbindd-gss-init-sec-context-failed-with-unspecified-gss-failure
> 
> Thus, I set "winbind rpc only = yes". May this info serve you 
> as a hint.
> 
> 
> 
> 
> 
> Current config:
> 
> Debian 10 (Buster), 2CPU, 4GB RAM, 64bit
> 
> winbind - 4.9.5+dfsg-5
> 
> 
> samba - 4.9.5+dfsg-5
> 
> Connection information for squid (4.6):
>         Number of clients accessing cache:      443
> 
> 
> 
> 
> Additional info is here:  https://pastebin.com/U5idtgsv
> 
> 
> 
> 
> Thank you for hints.
> 
> Zbynek
