[Samba] Samba slow AD authentication eventually succeed

Andrea Cucciarre' acucciarre at cloudian.com
Mon Mar 2 08:08:00 UTC 2020


Hello,

I have a customer that complains about slow AD authentication when 
accessing the share; it eventually succeeds (Samba is a DC member).
In the logs I can see the following errors:

[2020/02/24 14:11:16.775884,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
   Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/02/24 14:11:16.775902,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
   Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded

[2020/02/25 09:01:20.292903,  3] ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
   ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Time limit exceeded
[2020/02/25 09:01:20.292930,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
   Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded

So I'm wondering what exactly Samba is doing when the error is logged 
and whether it could be related to my customer's issue.
Here is the smb.conf:

[global]
allow trusted domains = yes
client ldap sasl wrapping = plain
dedicated keytab file = /etc/krb5.keytab
disable spoolss = yes
host msdfs = no
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config * : schema_mode = rfc2307
idmap config PFIN : backend = rid
idmap config PFIN : range = 1000000-3000000
idmap config PFIN : schema_mode = rfc2307
idmap config POST : backend = rid
idmap config POST : range = 3000001-5000000
idmap config POST : schema_mode = rfc2307
kerberos method = secrets and keytab
load printers = no
local master = no
log file = /opt/samba/log/%m.log
log level = 3
map acl inherit = Yes
map to guest = bad user
netbios name = H002N7
os level = 3
preferred master = no
realm = PFIN.ch
security = ads
server string = Data %h
store dos attributes = Yes
vfs objects = zfsacl
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 4
winbind normalize names = no
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind use default domain = no
workgroup = PFIN

[hyperfile_test$]
available = yes
browsable = yes
hf:volume = t_hyperfile_01
nfs4: acedup = merge
nfs4: mode = special
path = /t_hyperfile_01
read only = no
vfs objects = hf_vss hf_offline zfsacl


Thanks
Andrea
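
An added example (not part of the original post and not Samba code): a small Python triage script that joins the multi-line log records of the kind quoted above and counts the LDAP timeout events per day, so they can be compared with the times of the slow logins. The function names, event labels and the embedded sample (the post's log lines, with mail-client line wrapping) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: log lines from the post, with mail-client line wrapping.
SAMPLE = """\
[2020/02/24 14:11:16.775884,  1]
../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
   Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/02/24 14:11:16.775902,  3]
../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
   Reopening ads connection to realm 'PFIN.CH' after error Time limit
exceeded
[2020/02/25 09:01:20.292903,  3]
../source3/libads/ldap.c:1001(ads_do_paged_search_args)
   ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*))
-> Time limit exceeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d) [\d:.]+,\s*(\d+)[^\]]*\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\((\w+)\)$")
PATTERNS = {  # event labels are this example's own names
    "page_size_reduced": re.compile(r"Reducing LDAP page size from \d+ to \d+"),
    "connection_reopened": re.compile(r"Reopening ads connection to realm"),
    "search_timeout": re.compile(r"ldap_search_with_timeout.*Time limit exceeded"),
}

def parse_records(text):
    """Join continuation lines into one record per bracketed header."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"day": m.group(1), "level": int(m.group(2)), "parts": [m.group(3)]}
            records.append(cur)
        elif cur is not None and line.strip():
            cur["parts"].append(line.strip())
    for r in records:
        parts = [p for p in r.pop("parts") if p]
        loc = LOCATION.match(parts[0]) if parts else None
        r["function"] = loc.group(1) if loc else None
        r["message"] = " ".join(parts[1:] if loc else parts)
    return records

def summarize(records):
    """Count timeout-related events per (day, event label)."""
    counts = Counter()
    for r in records:
        counts.update((r["day"], n) for n, p in PATTERNS.items() if p.search(r["message"]))
    return counts
```

Calling `summarize(parse_records(open(path).read()))` on a winbind or per-client log file gives the per-day counts; the parser accepts both the wrapped form and the normal form where the source location follows the header on the same line.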
