[Samba] Samba slow AD authentication eventually succeed

Andrew Bartlett abartlet at samba.org
Mon Mar 2 08:14:33 UTC 2020


On Mon, 2020-03-02 at 09:08 +0100, Andrea Cucciarre' via samba wrote:
> Hello,
> 
> I have a customer that complains about slow AD authentication when 
> accessing the share; it eventually succeeds (Samba is a DC member).
> In the logs I can see the following errors:
> 
> [2020/02/24 14:11:16.775884,  1] 
> ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>    Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
> [2020/02/24 14:11:16.775902,  3] 
> ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
>    Reopening ads connection to realm 'PFIN.CH' after error Time limit 
> exceeded

I added the "Reducing LDAP page size" logic to Samba, but it really
should only trigger if Samba is used over a very slow VPN.  I had to
put a "sleep" in Samba's AD DC to simulate it for testing!

You have a number of options that would increase traffic to the DC,
like "winbind enum users/groups", which if the DC is very slow would
clog up winbindd pretty well.

If the login is over Kerberos we shouldn't even need to talk to AD
again, but you haven't indicated if that is in use and some of the
non-default options selected will need an active connection.

Try with a more default smb.conf and then add back in only the settings
you need.

I hope this helps!

Andrew Bartlett

> [2020/02/25 09:01:20.292903,  3] 
> ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
>    ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) 
> -> Time limit exceeded
> [2020/02/25 09:01:20.292930,  3] 
> ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
>    Reopening ads connection to realm 'PFIN.CH' after error Time limit 
> exceeded
> 
> So I'm wondering what Samba exactly is doing when the error is logged 
> and if it could be related to my customer issue.
> Hereafter the smb.conf:
> 
> [global]
> allow trusted domains = yes
> client ldap sasl wrapping = plain
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = yes
> host msdfs = no
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> idmap config * : schema_mode = rfc2307
> idmap config PFIN : backend = rid
> idmap config PFIN : range = 1000000-3000000
> idmap config PFIN : schema_mode = rfc2307
> idmap config POST : backend = rid
> idmap config POST : range = 3000001-5000000
> idmap config POST : schema_mode = rfc2307
> kerberos method = secrets and keytab
> load printers = no
> local master = no
> log file = /opt/samba/log/%m.log
> log level = 3
> map acl inherit = Yes
> map to guest = bad user
> netbios name = H002N7
> os level = 3
> preferred master = no
> realm = PFIN.ch
> security = ads
> server string = Data %h
> store dos attributes = Yes
> vfs objects = zfsacl
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 4
> winbind normalize names = no
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = no
> workgroup = PFIN
> 
> [hyperfile_test$]
> available = yes
> browsable = yes
> hf:volume = t_hyperfile_01
> nfs4: acedup = merge
> nfs4: mode = special
> path = /t_hyperfile_01
> read only = no
> vfs objects = hf_vss hf_offline zfsacl
> 
> 
> Thanks
> Andrea
> 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
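An added example from the editor, not code from this thread, from Andrea's installation or from Samba itself: a small Python script that parses the libads log entries Andrea posted (the "Reducing LDAP page size", "Reopening ads connection" and "Time limit exceeded" messages), turns them into timestamped events per realm, and then reads the posted [global] section and flags the options Andrew's reply points at, "winbind enum users" and "winbind enum groups". It also flags "client ldap sasl wrapping = plain", which the reply does not discuss but which a security reviewer would raise because it leaves LDAP traffic to the DC unsigned and unsealed. The function names, the finding texts and both sample inputs are the editor's own; the sample log is Andrea's four entries with the e-mail line wrapping undone, and the sample config is a cut-down copy of the posted [global] section.

```python
# Editor's example, not code from the thread or from Samba. Function names,
# finding texts and the two constructed samples are the editor's own.
import re
from datetime import datetime

# Constructed sample: Andrea's four log entries with the e-mail line wrapping
# undone, so each header sits on one line as Samba writes it.
SAMPLE_LOG = """\
[2020/02/24 14:11:16.775884,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/02/24 14:11:16.775902,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
  Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded
[2020/02/25 09:01:20.292903,  3] ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Time limit exceeded
[2020/02/25 09:01:20.292930,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
  Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded
"""

# Constructed sample: the lines of the posted [global] section the audit looks at.
SAMPLE_CONF = """\
[global]
client ldap sasl wrapping = plain
security = ads
winbind enum groups = yes
winbind enum users = yes
workgroup = PFIN
"""

# Samba log header "[YYYY/MM/DD HH:MM:SS.ffffff,  LEVEL] file:line(function)";
# the message follows on one or more indented lines.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):\d+\((?P<func>[^)]+)\)\s*$")
PAGE_SIZE_RE = re.compile(r"Reducing LDAP page size from (\d+) to (\d+) due to (\w+)")
REOPEN_RE = re.compile(r"Reopening ads connection to realm '([^']+)' after error")
TIMEOUT_RE = re.compile(r"ldap_search_with_timeout\((.*)\) -> Time limit exceeded")


def parse_samba_log(text):
    """One {ts, level, file, func, msg} dict per log entry."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(m["level"]), "file": m["file"],
                            "func": m["func"], "msg": ""})
        elif entries and raw.strip():  # continuation of the previous message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def classify_ldap_events(entries):
    """(ts, kind, detail) for each libads retry message; other entries are dropped."""
    events = []
    for e in entries:
        if m := PAGE_SIZE_RE.search(e["msg"]):
            events.append((e["ts"], "page_size_reduction", f"{m[1]}->{m[2]} ({m[3]})"))
        elif m := REOPEN_RE.search(e["msg"]):
            events.append((e["ts"], "reconnect", m[1]))
        elif m := TIMEOUT_RE.search(e["msg"]):
            events.append((e["ts"], "ldap_timeout", m[1]))
    return events


def parse_smb_conf(text):
    """Minimal smb.conf reader, {section: {key: value}}. Samba ignores case and
    internal whitespace in parameter names, so keys are normalised the same way."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def audit_global(conf):
    """Findings for the options Andrew's reply points at (winbind enumeration)
    plus one the editor adds: plain LDAP SASL wrapping."""
    g, findings = conf.get("global", {}), []
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key.replace(" ", ""), "no").lower() in ("yes", "true", "1"):
            findings.append(f"{key} = yes: NSS enumeration (getent passwd/group) "
                            "pulls the whole domain from the DC via winbindd; default is no")
    if g.get("clientldapsaslwrapping", "").lower() == "plain":
        findings.append("client ldap sasl wrapping = plain: LDAP traffic to the DC is "
                        "neither signed nor sealed; use sign or seal")
    return findings


if __name__ == "__main__":
    for ts, kind, detail in classify_ldap_events(parse_samba_log(SAMPLE_LOG)):
        print(ts.isoformat(), kind, detail)
    for finding in audit_global(parse_smb_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Run it against a real log at "log level = 3" to see how often the reconnect fires per realm and how the events cluster around share access; a steady stream of reconnects on a LAN, rather than the rare trigger over a slow VPN that Andrew describes, is what to look for. The config audit is deliberately narrow: it only knows the enumeration options Andrew names and the SASL wrapping setting, so it complements rather than replaces starting from a more default smb.conf and adding settings back one at a time.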