[Samba] Long time before user shows up on member server
Harald Hannelius
harald+samba at arcada.fi
Wed Feb 10 11:35:56 UTC 2021
On Wed, 10 Feb 2021, L.P.H. van Belle wrote:
> Something in the DNS resolving is off.
You seem to be correct. I seem to have the fqdn for the AD-DCs set in the
top-level domain.
> Can you run the following script on all the AD-DCs.
> and the problem Member server.
> If you anonymize it, keep the setup structure the same.
> Like netbios name = HOSTNAME_CAPS_OR_NOT
> or if realm = internal.domain.tld , use INT.REALM.TLD
> we need exact as it.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
AD DC number1:
Collected config --- 2021-02-10-13:27 -----------
Hostname: sad1
DNS Domain: arcada.fi
FQDN: sad1.arcada.fi
ipaddress: 193.167.33.91 2001:708:170:33::91
-----------
Kerberos SRV _kerberos._tcp.arcada.fi record verified ok, sample output:
Server: 2001:708:170:33::91
Address: 2001:708:170:33::91#53
Non-authoritative answer:
*** Can't find _kerberos._tcp.arcada.fi: No answer
Authoritative answers can be found from:
arcada.fi
origin = inet-server.arcada.fi
mail addr = hostmaster.arcada.fi
serial = 2021020800
refresh = 7200
retry = 3600
expire = 2419200
minimum = 86400
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.7 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 50:6b:8d:b9:dc:72 brd ff:ff:ff:ff:ff:ff
inet 193.167.33.91/24 brd 193.167.33.255 scope global ens3
inet6 2001:708:170:33::91/64 scope global
inet6 fe80::526b:8dff:feb9:dc72/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.167.33.91 sad1.arcada.fi sad1 sad1.sad.arcada.fi
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search sad.arcada.fi arcada.fi
nameserver 2001:708:170:33::91
#nameserver 2001:708:170:33::246
#nameserver 193.167.33.232
#nameserver 193.167.33.246
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAD.ARCADA.FI
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
#log level = 3 passdb:5 auth:10 winbind:3
#log level = 5
dns forwarder = 2001:708:170:33::232
netbios name = SAD1
realm = SAD.ARCADA.FI
server role = active directory domain controller
workgroup = SAD
idmap_ldb:use rfc2307 = yes
logging = syslog
syslog = 1
log level = 1 auth_audit:3 auth_json_audit:3
#log level = 3 auth_audit:5 auth_json_audit:5
[netlogon]
path = /var/lib/samba/sysvol/sad.arcada.fi/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba winbind client library
ii python-pylibacl 0.5.3-2 amd64 module for manipulating POSIX.1e ACLs
ii python-pyxattr 0.6.1-1 amd64 module for manipulating filesystem extended attributes
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64 Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
-----------
AD DC number2:
Collected config --- 2021-02-10-13:31 -----------
Hostname: sad2
DNS Domain: sad.arcada.fi
FQDN: sad2.sad.arcada.fi
ipaddress: 193.167.33.92 2001:708:170:33::92
-----------
Kerberos SRV _kerberos._tcp.sad.arcada.fi record verified ok, sample output:
Server: 2001:708:170:33::91
Address: 2001:708:170:33::91#53
_kerberos._tcp.sad.arcada.fi service = 0 100 88 sad1.sad.arcada.fi.
_kerberos._tcp.sad.arcada.fi service = 0 100 88 sad2.sad.arcada.fi.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.7 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 50:6b:8d:29:93:87 brd ff:ff:ff:ff:ff:ff
inet 193.167.33.92/24 brd 193.167.33.255 scope global ens3
inet6 2001:708:170:33::92/64 scope global
inet6 fe80::526b:8dff:fe29:9387/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.167.33.91 sad1.arcada.fi sad1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search sad.arcada.fi arcada.fi
nameserver 2001:708:170:33::91
#nameserver 2001:708:170:33::246
#nameserver 193.167.33.232
#nameserver 193.167.33.246
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = SAD.ARCADA.FI
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SAD2
realm = SAD.ARCADA.FI
server role = active directory domain controller
workgroup = SAD
logging = syslog
syslog = 1
log level = 1 auth_audit:3 auth_json_audit:3
[netlogon]
path = /var/lib/samba/sysvol/sad.arcada.fi/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba winbind client library
ii python-pylibacl 0.5.3-2 amd64 module for manipulating POSIX.1e ACLs
ii python-pyxattr 0.6.1-1 amd64 module for manipulating filesystem extended attributes
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64 Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
-----------
Member server:
Collected config --- 2021-02-10-13:32 -----------
Hostname: domus
DNS Domain: sad.arcada.fi
FQDN: domus.sad.arcada.fi
ipaddress: 193.167.33.3 2001:708:170:33::3
-----------
Kerberos SRV _kerberos._tcp.sad.arcada.fi record verified ok, sample output:
Server: 2001:708:170:33::232
Address: 2001:708:170:33::232#53
Non-authoritative answer:
_kerberos._tcp.sad.arcada.fi service = 0 100 88 sad2.sad.arcada.fi.
_kerberos._tcp.sad.arcada.fi service = 0 100 88 sad1.sad.arcada.fi.
Authoritative answers can be found from:
sad.arcada.fi nameserver = sad2.sad.arcada.fi.
sad.arcada.fi nameserver = sad1.sad.arcada.fi.
sad2.sad.arcada.fi has AAAA address 2001:708:170:33::92
sad1.sad.arcada.fi internet address = 193.167.33.91
sad2.sad.arcada.fi internet address = 193.167.33.92
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.7 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 50:6b:8d:c9:4f:64 brd ff:ff:ff:ff:ff:ff
inet 193.167.33.3/24 brd 193.167.33.255 scope global ens3
inet6 2001:708:170:33::3/64 scope global
inet6 fe80::526b:8dff:fec9:4f64/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.167.33.91 sad1.arcada.fi sad1
193.167.33.3 domus.sad.arcada.fi domus
2001:708:170:33:3 domus.sad.arcada.fi domus
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain sad.arcada.fi
search sad.arcada.fi arcada.fi
nameserver 2001:708:170:33::232
nameserver 2001:708:170:33::246
nameserver 193.167.33.232
nameserver 193.167.33.246
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAD.ARCADA.FI
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
log level = 0
log file = /var/log/samba/log.%m
utmp = yes
workgroup = SAD
security = ADS
realm = SAD.ARCADA.FI
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# getent passwd, works without. Remove in prod
winbind enum users = yes
winbind enum groups = yes
# To disable printers completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
#idmap config * : range = 3000-7999
idmap config * : range = 5000000-9000000
# - You must set a DOMAIN backend configuration
# idmap config for the SAD domain
idmap config SAD:backend = ad
idmap config SAD:schema_mode = rfc2307
#idmap config SAD:range = 10000-999999
idmap config SAD:range = 500-4000000
idmap config SAD:unix_nss_info = yes
# To use the primary group from getent passwd/ gidNumber on AD LDAP:
idmap config SAD:unix_primary_group = yes
username map = /etc/samba/user.map
[homes]
comment = Home Directories
invalid users = root altiuser
browseable = no
read only = no
create mode = 0604
directory mode = 0705
force directory mode = 0705
guest ok = no
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = SAD\Administrator
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba winbind client library
ii python-pylibacl 0.5.3-2 amd64 module for manipulating POSIX.1e ACLs
ii python-pyxattr 0.6.1-1 amd64 module for manipulating filesystem extended attributes
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64 Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
-----------
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Harald Hannelius
>> via samba
>> Sent: Wednesday, 10 February 2021 9:30
>> To: Rowland penny; samba at lists.samba.org
>> Subject: Re: [Samba] Long time before user shows up on member server
>>
>>
>> On Tue, 9 Feb 2021, Harald Hannelius via samba wrote:
>>>
>>> On Mon, 8 Feb 2021, Rowland penny via samba wrote:
>>>
>>>> On 08/02/2021 12:31, Harald Hannelius via samba wrote:
>>>>>
>>>>> I have two Samba-servers acting as ROLE_ACTIVE_DIRECTORY_DC. When
>> creating
>>>>> a new user I found out that it takes over 220 seconds before the user
>>>>> shows up using 'getent' in a member-server.
>>>>>
>>>>> Is there a way to speed this up a bit?
>>>>
>>>> Just because 'getent' doesn't immediately show a user on a Unix domain
>>>> member doesn't mean it isn't available, but if you want to speed things
>> up,
>>>> run 'net cache flush' before running getent.
>>>
>>> Thanks, this helped a bit. The wait time for the user dropped to 116
>> seconds.
>>> This might be just luck, I have to wait for some more samples to drop
>> in.
>>>
>>> No nscd running on the member-server.
>>
>> Nope, didn't help. I got one user who appeared without looping and another
>> that the script waited 299 seconds for it to appear.
>>
>> Should I maybe run 'net cache flush' within the loop, what if I run it
>> once
>> a second?
>>
>> --
>>
>> Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
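An added check for the comparison Louis is asking for above; it is not part of the original post and not part of samba-collect-debug-info.sh. It parses the collected reports and flags what the DC number1 output shows: Hostname/DNS Domain/FQDN and the first /etc/hosts name for sad1's own address live in arcada.fi while realm is SAD.ARCADA.FI, so the collect script's SRV lookup was made for _kerberos._tcp.arcada.fi and got no answer, whereas DC number2 and the member server looked up _kerberos._tcp.sad.arcada.fi and got both DCs. The function names and the field labels it reads are assumptions taken from the output above; the two embedded reports are constructed, trimmed copies of the sad1 and domus output.

```python
"""Naming checks over samba-collect-debug-info.sh output (added example for this
thread, not code from the original post or from the collect script).  Function
names and the fields it reads (Hostname:, DNS Domain:, FQDN:, ipaddress:, the
'Kerberos SRV ... record' line, 'Checking file:' sections, smb.conf 'realm =')
are assumptions taken from the output quoted above.
"""
import ipaddress
import re

def _section(text, name):
    """Body of a 'Checking file: <name>' section, up to the next dashed line."""
    pat = r"^Checking file: " + re.escape(name) + r"\n(.*?)^-{5,}"
    m = re.search(pat, text, re.M | re.S)
    return m.group(1) if m else ""

def parse_report(text):
    """Pull the naming-related fields out of one collected report."""
    def field(label):
        m = re.search(r"^" + label + r":\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""

    rep = {"hostname": field("Hostname"), "dns_domain": field("DNS Domain"),
           "fqdn": field("FQDN"), "ips": field("ipaddress").split(), "hosts": []}
    m = re.search(r"^\s*realm\s*=\s*(\S+)", text, re.M)        # smb.conf realm
    rep["realm"] = m.group(1) if m else ""
    m = re.search(r"^Kerberos SRV (_kerberos\._tcp\.\S+) record", text, re.M)
    rep["srv_name"] = m.group(1) if m else ""                   # name the script looked up
    rep["srv_failed"] = "Can't find _kerberos._tcp" in text
    for line in _section(text, "/etc/hosts").splitlines():
        line = line.split("#", 1)[0].strip()                    # drop comments, blanks
        if line:
            addr, *names = line.split()
            rep["hosts"].append((addr, names))
    return rep

def check_report(text):
    """Return findings; an empty list means host naming agrees with the realm."""
    rep = parse_report(text)
    zone = rep["realm"].lower()          # the AD DNS zone the DCs serve
    want_fqdn = f"{rep['hostname']}.{zone}"
    out = []
    if rep["dns_domain"] != zone:
        out.append(f"DNS domain {rep['dns_domain']!r} is not the realm zone {zone!r}")
    if rep["fqdn"] != want_fqdn:
        out.append(f"FQDN {rep['fqdn']!r} should be {want_fqdn!r}")
    if rep["srv_name"] and rep["srv_name"] != f"_kerberos._tcp.{zone}":
        out.append(f"SRV lookup used {rep['srv_name']!r}, expected '_kerberos._tcp.{zone}'")
    if rep["srv_failed"]:
        out.append(f"SRV lookup for {rep['srv_name']!r} returned no answer")
    for addr, names in rep["hosts"]:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            out.append(f"/etc/hosts: {addr!r} is not a valid IP address")
            continue
        # With 'hosts: files dns' this line beats AD DNS, so the host's own
        # address must carry its realm FQDN as the first (canonical) name.
        if addr in rep["ips"] and names and names[0] != want_fqdn:
            out.append(f"/etc/hosts: {addr} lists {names[0]!r} first, expected {want_fqdn!r}")
        for n in names:
            if "." in n and not n.endswith("." + zone):
                out.append(f"/etc/hosts: {n!r} ({addr}) is outside the realm zone {zone!r}")
    return out

# Constructed inputs: trimmed copies of the sad1 (DC) and domus (member) reports
# posted above, cut down to the sections this check reads.
SAD1_REPORT = """\
Hostname: sad1
DNS Domain: arcada.fi
FQDN: sad1.arcada.fi
ipaddress: 193.167.33.91 2001:708:170:33::91
Kerberos SRV _kerberos._tcp.arcada.fi record verified ok, sample output:
*** Can't find _kerberos._tcp.arcada.fi: No answer
Checking file: /etc/hosts
193.167.33.91 sad1.arcada.fi sad1 sad1.sad.arcada.fi
-----------
realm = SAD.ARCADA.FI
"""
DOMUS_REPORT = """\
Hostname: domus
DNS Domain: sad.arcada.fi
FQDN: domus.sad.arcada.fi
ipaddress: 193.167.33.3 2001:708:170:33::3
Kerberos SRV _kerberos._tcp.sad.arcada.fi record verified ok, sample output:
Checking file: /etc/hosts
193.167.33.91 sad1.arcada.fi sad1
193.167.33.3 domus.sad.arcada.fi domus
2001:708:170:33:3 domus.sad.arcada.fi domus
-----------
realm = SAD.ARCADA.FI
"""

if __name__ == "__main__":
    for name, report in (("sad1", SAD1_REPORT), ("domus", DOMUS_REPORT)):
        print("==", name)
        for finding in check_report(report) or ["no naming problems found"]:
            print("  -", finding)
```

Feed it each report the collect script printed. For sad1 it reports the DNS domain, FQDN and SRV name all sitting in arcada.fi and the SRV lookup failing; for domus it only flags the stale sad1.arcada.fi entry in /etc/hosts and the IPv6 line that is missing a colon. The /etc/hosts checks matter because every host above has hosts: files dns in nsswitch.conf, so a wrong canonical name there is used before AD DNS is ever asked.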