[Samba] winbind - frequent high CPU utilization
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 13 10:21:04 UTC 2019
Hai,

This is how I run my squid + winbind for auth.
It's a very stable setup, I suggest you have a good look and test it.

First, strip your smb.conf:

[global]
# Auth-Only setup with winbind. ( no Shares )
workgroup = NTDOM
security = ADS
realm = YOUR.REALM
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
# change eth0 to your interface name (route -n|grep UG|awk {'print $NF'})
interfaces = eth0 lo
bind interfaces only = yes
log level = 1
# Add and update the TLS key ( use your own certs, not the ones generated by samba. )
# ! I published my own Root CA with GPO so that SSO (kerberos) works with SQUID.
tls enabled = yes
tls keyfile = /etc/ssl/private/hostname.key.pem
tls certfile = /etc/ssl/certs/hostdname.cert.pem
tls cafile = /etc/ssl/certs/company-ca.crt
## map IDs outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## Enable one of these 2. ( RID or AD )
# Backend RID setup
idmap config NTDOM : backend = rid
idmap config NTDOM : range = 10000-3999999
## Backend AD setup.
## map ids from the domain and (*) the range may not overlap !
##idmap config NTDOM : backend = ad
##idmap config NTDOM : schema_mode = rfc2307
##idmap config NTDOM : range = 10000-3999999
## 4.6+ ( get primary group from AD )
## idmap config NTDOM : unix_nss_info = yes
## 4.6+ ( get primary group from unix primary group )
## idmap config NTDOM : unix_primary_group = yes
###########
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# We strip the domain (NTDOM\username) to username
# ! Normally not advised
winbind use default domain = yes
# use: getent passwd username to check.
# enabling these slows down your samba.
winbind enum users = no
winbind enum groups = no
# enable offline logins
#winbind offline logon = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershares creating
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
######## NO SHARE DEFINITIONS ################
###############################################################

For squid auth ( tested from squid 4.1 up to 4.8 ) I use:

# Keytab creation: export KRB5_KTNAME=FILE:/etc/squid/HTTP-squid.keytab
# kinit Administrator
# net ads keytab CREATE
# net ads keytab ADD HTTP/$(hostname -f)
# net ads keytab ADD HTTP/SOMEALIAS ( only if needed.)
# Verify the new keytab : klist -ke /etc/squid/HTTP-squid.keytab
# unset KRB5_KTNAME
# chgrp proxy /etc/squid/HTTP-squid.keytab
# chmod g+r /etc/squid/HTTP-squid.keytab
# ! Server must have A and PTR record for a correct kerberos auth to work.
# If you're not able to set a correct A and PTR, use
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth \
-k /etc/squid/HTTP-squid.keytab \
-s HTTP/hostname.your.dnsdomain.tld@YOUR.REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on
# Optional
# If negotiate_kerberos_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn.
# If you serve multiple Kerberos realms add a HTTP/fqdn [at] REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
### pure ntlm authentication
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
#auth_param ntlm children 10
#auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -b "dc=your,dc=dnsdomain,dc=tld" \
-D ldap-bind@your.dnsdomain.tld -W /etc/squid/user-pass -f sAMAccountName=%s \
-H ldaps://dc1.your.dnsdomain.tld \
-H ldaps://dc2.your.dnsdomain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic children 10
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 1 hours
authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# your acls, etc.
# set up a caching + forwarding DNS.
# Optional: force to use the ipv4 to resolve dns first.
dns_v4_first on
dns_nameservers 127.0.0.1
## BIND
# add a forwarding forward zone for "internal.dnsdomain.tld" to your AD DCs
# add a forwarding reverse zone for your internal in-addr.arpa zone.
# add the proxy user to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

Test the setup.
Still slow?
Try upgrading your samba AND squid ;-)

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-squid48 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

My squid packages are as compatible as the normal debian squid packages.
You can install them, test them, and if you don't like them, remove the repo line and reinstall the official ones again.
I only enabled ssl also in my packages, I wanted to test the ssl bumping.
Works great :-)
You don't need NMBD to run.

My timings:
time getent group "domain users"
domain users:x:10000:
real 0m0.005s
user 0m0.002s
sys 0m0.000s
time getent passwd username
username:*:10002:10000:L.P.H. van Belle:/home/users/username:/bin/bash
real 0m0.006s
user 0m0.000s
sys 0m0.003s
time nslookup $(hostname -d)
Server: 127.0.0.1
Address: 127.0.0.1#53
..
real 0m0.016s
user 0m0.010s
sys 0m0.005s
time nslookup dc1.your.dnsdomain.tld
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: dc1.your.dnsdomain.tld
Address: 192.168.249.211
real 0m0.014s
user 0m0.005s
sys 0m0.009s
time wbinfo -r username
... GID'S HERE
....
real 0m0.021s
user 0m0.013s
sys 0m0.004s

So as far as I can see, I'm at almost every point twice as fast as your setup.
I'm running in a VM:
model name : AMD Opteron(tm) Processor 4386
With 4GB ram 4 vCPU's assigned for this server.
Greetz,
Louis
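
Added example (not part of the original post, and not Samba's own code): the smb.conf above notes that the idmap ranges may not overlap, since an overlap can hand two different accounts the same Unix ID. This Python script parses the active "idmap config" lines and reports overlapping, missing or inverted ranges; SAMPLE_CONF, parse_idmap and audit_idmap are names made up for this example.

```python
import re
from itertools import combinations

# Constructed sample: the active idmap lines from the smb.conf in this post,
# plus one of its commented-out AD-backend lines.
SAMPLE_CONF = """\
[global]
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config NTDOM : backend = rid
idmap config NTDOM : range = 10000-3999999
##idmap config NTDOM : backend = ad
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for the active 'idmap config' lines."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out alternatives are not in effect
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def audit_idmap(conf_text):
    """Return a list of findings; an empty list means the ranges are sane."""
    findings, ranges = [], {}
    for dom, cfg in sorted(parse_idmap(conf_text).items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if not m or int(m[1]) > int(m[2]):
            findings.append(f"{dom}: missing or invalid range")
        else:
            ranges[dom] = (int(m[1]), int(m[2]))
    # Two closed intervals overlap when each starts before the other ends.
    for (d1, r1), (d2, r2) in combinations(ranges.items(), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    for finding in audit_idmap(SAMPLE_CONF) or ["idmap ranges OK"]:
        print(finding)
```

To audit a real host, pass the contents of its smb.conf to audit_idmap() instead of SAMPLE_CONF.
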
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Zbynek via samba
> Sent: Tuesday 13 August 2019 10:25
> To: samba at lists.samba.org
> Subject: [Samba] winbind - frequent high CPU utilization
>
>
> Hi.
>
> I use winbind + squid on Debian Buster to authenticate users + authorize
> them based on groups they are in. It all works, well, good, but winbind's
> CPU utilization peaks can reach up to 100%. The same solution ran OK on
> Debian Jessie with up to 20% CPU utilization at most.
>
>
> The configuration of Buster must have been updated based on the samba
> version leap/shift compared to Jessie.
>
> On Buster I encountered this error:
> https://serverfault.com/questions/789532/winbindd-gss-init-sec-context-failed-with-unspecified-gss-failure
>
> Thus, I set "winbind rpc only = yes". May this info serve you as a hint.
>
> Current config:
>
> Debian 10 (Buster), 2CPU, 4GB RAM, 64bit
>
> winbind - 4.9.5+dfsg-5
>
>
> samba - 4.9.5+dfsg-5
>
> Connection information for squid (4.6):
> Number of clients accessing cache: 443
>
> Additional info is here: https://pastebin.com/U5idtgsv
>
> Thank you for hints.
>
> Zbynek