[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed

Stefan Bauer stefan.bauer at cubewerk.de
Fri Jul 16 11:18:10 UTC 2021


Hi,



thanks a lot for all that input.


Almost all requests are Kerberos traffic (88). I don't think that an LDAP 
proxy can help here.


Index seems to be active for all the mandatory fields (attached below)



dbcheck only reports a few duplicates, but could not fix them:


# samba-tool dbcheck --fix
Checking 4351 objects
Not checking for missing forward links because the db has the 
sortedLinks feature
ERROR: Duplicate forward link values for attribute 'member' in 
'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
Duplicate link 
'<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link 
'<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Duplicate link 
'<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link 
'<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute 
'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
Commit fixes for (missing/duplicate) forward links in attribute 'member' 
[y/N/all/none] all
Failed to fix duplicate links in attribute 'member' : (68, 'samldb: 
member 
CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local 
already set via primaryGroupID 512')
Checked 4351 objects (2 errors)



# samba-tool dbcheck --reindex
Re-indexing...
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in 
CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local 
for index on servicePrincipalName, duplicate of objectGUID 
0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME 
<INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in 
CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local 
for index on servicePrincipalName, duplicate of objectGUID 
e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME 
<INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
completed re-index OK



Thanks. Stefan


--------------------------------------------------------------------




# ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
# record 1
dn: @INDEXLIST
@IDX_DN_GUID: GUID
@IDXGUID: objectGUID
@IDXONE: 1
@SAMBA_FEATURES_SUPPORTED: 1
@SAMDB_INDEXING_VERSION: 2
@IDXATTR: msDS-DeviceID
@IDXATTR: msDS-DevicePhysicalIDs
@IDXATTR: msDS-DeviceOSType
@IDXATTR: msDS-SyncServerUrl
@IDXATTR: msDS-CloudIsManaged
@IDXATTR: msDS-IsManaged
@IDXATTR: msDS-DeviceObjectVersion
@IDXATTR: msDS-ApproximateLastLogonTimeStamp
@IDXATTR: msDS-RegisteredUsers
@IDXATTR: msDS-RegisteredOwner
@IDXATTR: msDS-cloudExtensionAttribute20
@IDXATTR: msDS-cloudExtensionAttribute19
@IDXATTR: msDS-cloudExtensionAttribute18
@IDXATTR: msDS-cloudExtensionAttribute17
@IDXATTR: msDS-cloudExtensionAttribute16
@IDXATTR: msDS-cloudExtensionAttribute15
@IDXATTR: msDS-cloudExtensionAttribute14
@IDXATTR: msDS-cloudExtensionAttribute13
@IDXATTR: msDS-cloudExtensionAttribute12
@IDXATTR: msDS-cloudExtensionAttribute11
@IDXATTR: msDS-cloudExtensionAttribute10
@IDXATTR: msDS-cloudExtensionAttribute9
@IDXATTR: msDS-cloudExtensionAttribute8
@IDXATTR: msDS-cloudExtensionAttribute7
@IDXATTR: msDS-cloudExtensionAttribute6
@IDXATTR: msDS-cloudExtensionAttribute5
@IDXATTR: msDS-cloudExtensionAttribute4
@IDXATTR: msDS-cloudExtensionAttribute3
@IDXATTR: msDS-cloudExtensionAttribute2
@IDXATTR: msDS-cloudExtensionAttribute1
@IDXATTR: netbootDUID
@IDXATTR: msDS-GeoCoordinatesLongitude
@IDXATTR: msDS-GeoCoordinatesLatitude
@IDXATTR: msDS-GeoCoordinatesAltitude
@IDXATTR: msDS-PrimaryComputer
@IDXATTR: msTPM-SrkPubThumbprint
@IDXATTR: msSPP-KMSIds
@IDXATTR: msExchMailboxAuditEnable
@IDXATTR: msExchBypassAudit
@IDXATTR: msExchExtensionCustomAttribute5
@IDXATTR: msExchExtensionCustomAttribute4
@IDXATTR: msExchExtensionCustomAttribute3
@IDXATTR: msExchExtensionCustomAttribute2
@IDXATTR: msExchExtensionCustomAttribute1
@IDXATTR: msExchExtensionAttribute45
@IDXATTR: msExchExtensionAttribute44
@IDXATTR: msExchExtensionAttribute43
@IDXATTR: msExchExtensionAttribute42
@IDXATTR: msExchExtensionAttribute41
@IDXATTR: msExchExtensionAttribute40
@IDXATTR: msExchExtensionAttribute39
@IDXATTR: msExchExtensionAttribute38
@IDXATTR: msExchExtensionAttribute37
@IDXATTR: msExchExtensionAttribute36
@IDXATTR: msExchExtensionAttribute35
@IDXATTR: msExchExtensionAttribute34
@IDXATTR: msExchExtensionAttribute33
@IDXATTR: msExchExtensionAttribute32
@IDXATTR: msExchExtensionAttribute31
@IDXATTR: msExchExtensionAttribute30
@IDXATTR: msExchExtensionAttribute29
@IDXATTR: msExchExtensionAttribute28
@IDXATTR: msExchExtensionAttribute27
@IDXATTR: msExchExtensionAttribute26
@IDXATTR: msExchExtensionAttribute25
@IDXATTR: msExchExtensionAttribute24
@IDXATTR: msExchExtensionAttribute23
@IDXATTR: msExchExtensionAttribute22
@IDXATTR: msExchExtensionAttribute21
@IDXATTR: msExchExtensionAttribute20
@IDXATTR: msExchExtensionAttribute19
@IDXATTR: msExchExtensionAttribute18
@IDXATTR: msExchExtensionAttribute17
@IDXATTR: msExchExtensionAttribute16
@IDXATTR: msExchUsageLocation
@IDXATTR: msExchDisabledArchiveGUID
@IDXATTR: msOrg-GroupSubtypeName
@IDXATTR: msOrg-OtherDisplayNames
@IDXATTR: msExchCalculatedTargetAddress
@IDXATTR: msExchReseller
@IDXATTR: msExchExternalDirectoryOrganizationId
@IDXATTR: msExchMailboxAuditLastExternalAccess
@IDXATTR: msExchMailboxAuditLastDelegateAccess
@IDXATTR: msExchMailboxAuditLastAdminAccess
@IDXATTR: msExchSetupStatus
@IDXATTR: msExchMailboxMoveTargetArchiveMDBBL
@IDXATTR: msExchMailboxMoveTargetArchiveMDBLink
@IDXATTR: msExchMailboxMoveSourceArchiveMDBBL
@IDXATTR: msExchMailboxMoveSourceArchiveMDBLink
@IDXATTR: msExchOnPremiseObjectGuid
@IDXATTR: msExchMRSRequestType
@IDXATTR: msExchIntendedServicePlan
@IDXATTR: msExchExternalDirectoryObjectId
@IDXATTR: msExchUMSourceForestPolicyNames
@IDXATTR: msExchSharedConfigServicePlanTag
@IDXATTR: msExchPartnerGroupID
@IDXATTR: msExchUCVoiceMailSettings
@IDXATTR: msExchRemoteRecipientType
@IDXATTR: msExchMailboxMoveRequestGuid
@IDXATTR: msExchCapabilityIdentifiers
@IDXATTR: msExchArchiveStatus
@IDXATTR: msExchArchiveAddress
@IDXATTR: altSecurityIdentities
@IDXATTR: lastLogonTimestamp
@IDXATTR: msFVE-VolumeGuid
@IDXATTR: msFVE-RecoveryGuid
@IDXATTR: msDS-PhoneticCompanyName
@IDXATTR: msDS-PhoneticDisplayName
@IDXATTR: msDS-PhoneticDepartment
@IDXATTR: msDS-PhoneticFirstName
@IDXATTR: msDS-PhoneticLastName
@IDXATTR: msDS-HABSeniorityIndex
@IDXATTR: msDS-Entry-Time-To-Die
@IDXATTR: trustPartner
@IDXATTR: st
@IDXATTR: objectClass
@IDXATTR: department
@IDXATTR: company
@IDXATTR: msExchVoiceMailboxID
@IDXATTR: msExchUserAccountControl
@IDXATTR: msExchUnmergedAttsPt
@IDXATTR: unmergedAtts
@IDXATTR: targetAddress
@IDXATTR: msExchResourceGUID
@IDXATTR: msExchPreviousAccountSid
@IDXATTR: msExchMasterAccountSid
@IDXATTR: msExchMailboxGuid
@IDXATTR: mailNickname
@IDXATTR: importedFrom
@IDXATTR: msExchIMVirtualServer
@IDXATTR: msExchIMPhysicalURL
@IDXATTR: msExchIMMetaPhysicalURL
@IDXATTR: msExchIMAddress
@IDXATTR: msExchFBURL
@IDXATTR: extensionAttribute9
@IDXATTR: extensionAttribute8
@IDXATTR: extensionAttribute7
@IDXATTR: extensionAttribute6
@IDXATTR: extensionAttribute5
@IDXATTR: extensionAttribute4
@IDXATTR: extensionAttribute3
@IDXATTR: extensionAttribute2
@IDXATTR: extensionAttribute15
@IDXATTR: extensionAttribute14
@IDXATTR: extensionAttribute13
@IDXATTR: extensionAttribute12
@IDXATTR: extensionAttribute11
@IDXATTR: extensionAttribute10
@IDXATTR: extensionAttribute1
@IDXATTR: expirationTime
@IDXATTR: msExchADCGlobalNames
@IDXATTR: msExchHomeServerName
@IDXATTR: msExchObjectID
@IDXATTR: msExchLicenseToken
@IDXATTR: msExchMailboxMoveBatchName
@IDXATTR: msExchForeignGroupSID
@IDXATTR: msExchArchiveGUID
@IDXATTR: msExchRoleType
@IDXATTR: msExchRoleEntriesExt
@IDXATTR: msExchMailboxMoveStatus
@IDXATTR: msExchMailboxMoveRemoteHostName
@IDXATTR: msExchUMDialPlanDialedNumbers
@IDXATTR: msExchUMAddresses
@IDXATTR: msExchAlternateMailboxes
@IDXATTR: msExchServicePlan
@IDXATTR: msExchThrottlingPolicyDN
@IDXATTR: msExchThrottlingIsDefaultPolicy
@IDXATTR: msExchUMCallingLineIDs
@IDXATTR: msExchImmutableId
@IDXATTR: msExchWindowsLiveID
@IDXATTR: msExchSignupAddresses
@IDXATTR: msExchEdgeSyncSourceGuid
@IDXATTR: msExchDeviceID
@IDXATTR: msExchArbitrationMailbox
@IDXATTR: msExchRoleLink
@IDXATTR: msExchScopeFlags
@IDXATTR: msExchRoleFlags
@IDXATTR: msExchRoleEntries
@IDXATTR: msExchRoleAssignmentFlags
@IDXATTR: msExchOURoot
@IDXATTR: msExchRecipientTypeDetails
@IDXATTR: msExchRecipientDisplayType
@IDXATTR: msExchMasterAccountHistory
@IDXATTR: msExchAvailabilityForeignConnectorType
@IDXATTR: msExchUMIPGatewayAddress
@IDXATTR: msExchUMDtmfMap
@IDXATTR: msExchUMAutoAttendantDialedNumbers
@IDXATTR: msExchResourceSearchProperties
@IDXATTR: msPKI-Cert-Template-OID
@IDXATTR: msTSExpireDate
@IDXATTR: uSNCreated
@IDXATTR: uSNChanged
@IDXATTR: userPrincipalName
@IDXATTR: userAccountControl
@IDXATTR: sn
@IDXATTR: sIDHistory
@IDXATTR: showInAdvancedViewOnly
@IDXATTR: servicePrincipalName
@IDXATTR: sAMAccountType
@IDXATTR: sAMAccountName
@IDXATTR: name
@IDXATTR: proxyAddresses
@IDXATTR: primaryGroupID
@IDXATTR: ou
@IDXATTR: objectSid
@IDXATTR: objectGUID
@IDXATTR: objectCategory
@IDXATTR: nETBIOSName
@IDXATTR: mSMQOwnerID
@IDXATTR: msDS-SecondaryKrbTgtNumber
@IDXATTR: msDS-Site-Affinity
@IDXATTR: mS-DS-CreatorSID
@IDXATTR: msDS-Cached-Membership-Time-Stamp
@IDXATTR: msDS-AdditionalSamAccountName
@IDXATTR: l
@IDXATTR: legacyExchangeDN
@IDXATTR: lDAPDisplayName
@IDXATTR: keywords
@IDXATTR: invocationId
@IDXATTR: groupType
@IDXATTR: givenName
@IDXATTR: fSMORoleOwner
@IDXATTR: fromServer
@IDXATTR: flatName
@IDXATTR: dnsRoot
@IDXATTR: displayName
@IDXATTR: cn
@IDXATTR: msTSLicenseVersion4
@IDXATTR: msTSLicenseVersion3
@IDXATTR: msTSLicenseVersion2
@IDXATTR: msTSLSProperty02
@IDXATTR: msTSLSProperty01
@IDXATTR: msTSExpireDate4
@IDXATTR: msTSExpireDate3
@IDXATTR: msTSExpireDate2
@IDXATTR: msTSManagingLS4
@IDXATTR: msTSManagingLS3
@IDXATTR: msTSManagingLS2
@IDXATTR: terminalServer
@IDXATTR: msTSManagingLS
@IDXATTR: msTSLicenseVersion
@IDXATTR: msTSProperty02
@IDXATTR: msTSProperty01
@IDXATTR: msDS-AzObjectGuid
@IDXATTR: msDFSR-ReplicationGroupGuid
@IDXATTR: msDFSR-DfsPath
@IDXATTR: uidNumber
@IDXATTR: gidNumber
@IDXATTR: msSFU30IsValidContainer
@IDXATTR: msSFU30NetgroupUserAtDomain
@IDXATTR: msSFU30NetgroupHostAtDomain
@IDXATTR: msSFU30MaxUidNumber
@IDXATTR: msSFU30MaxGidNumber
@IDXATTR: msSFU30YpServers
@IDXATTR: msSFU30Domains
@IDXATTR: msSFU30NisDomain
@IDXATTR: msSFU30BootFile
@IDXATTR: msSFU30NisMapEntry
@IDXATTR: msSFU30NisMapName
@IDXATTR: msSFU30MemberUid
@IDXATTR: msSFU30MacAddress
@IDXATTR: msSFU30IpHostNumber
@IDXATTR: msSFU30OncRpcNumber
@IDXATTR: msSFU30IpNetmaskNumber
@IDXATTR: msSFU30IpNetworkNumber
@IDXATTR: msSFU30IpProtocolNumber
@IDXATTR: msSFU30GidNumber
@IDXATTR: msSFU30UidNumber
@IDXATTR: msSFU30Name
@IDXATTR: msSFU30OrderNumber
@IDXATTR: msSFU30MasterServerName
@IDXATTR: textEncodedORAddress
@IDXATTR: msExchHomeRoutingGroup
@IDXATTR: msExchRoutingGroupMembersDN
@IDXATTR: mail
@IDXATTR: msExchIMServerName
@IDXATTR: physicalDeliveryOfficeName
@IDXATTR: volTableIdxGUID
@IDXATTR: USNIntersite
@IDXATTR: uNCName
@IDXATTR: timeVolChange
@IDXATTR: serviceClassName
@IDXATTR: rpcNsTransferSyntax
@IDXATTR: rpcNsObjectID
@IDXATTR: rpcNsInterfaceID
@IDXATTR: requiredCategories
@IDXATTR: physicalLocationObject
@IDXATTR: packageFlags
@IDXATTR: oMTIndxGuid
@IDXATTR: netbootGUID
@IDXATTR: mSMQQueueType
@IDXATTR: mSMQLabelEx
@IDXATTR: mSMQLabel
@IDXATTR: mSMQDigests
@IDXATTR: mS-SQL-Alias
@IDXATTR: mS-SQL-Database
@IDXATTR: mS-SQL-Version
@IDXATTR: mS-SQL-Name
@IDXATTR: location
@IDXATTR: implementedCategories
@IDXATTR: groupAttributes
@IDXATTR: fileExtPriority
@IDXATTR: dNSTombstoned
@IDXATTR: dhcpType
@IDXATTR: cOMClassID
@IDXATTR: birthLocation
distinguishedName: @INDEXLIST



On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
> I would start here.
> https://docs.software-univention.de/performance-guide-4.1.html
>
> And run :
> ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
> That shows what is indexed at this moment.
>
> You can add ldap proxy on the webserver to offload samba.
> Also samba is Version 4.10.18-Univention, a newer version has better performance.
> There is/was a change as of 4.11
>
> On all AD-DC's run :
> samba-tool dbcheck
> samba-tool dbcheck --reindex
> Might help a bit also.
>
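
Added example, not part of the original message or of Samba: a small parser that pulls the duplicate-index warnings (such as the servicePrincipalName ones shown above) out of `samba-tool dbcheck --reindex` output, tolerating the line wrapping seen in the mail. The function names and the sample text are constructed for illustration; the message layout is assumed to match the lines quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the re-index output quoted above,
# including wrapped lines. DNs, GUIDs and SPNs are made up.
SAMPLE = """\
Re-indexing...
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
CN=HOST-A,OU=Server,DC=example,DC=test
for index on servicePrincipalName, duplicate of objectGUID
11111111-2222-3333-4444-555555555555 in @INDEX:SERVICEPRINCIPALNAME
<INDEX:SERVICEPRINCIPALNAME>:WSMAN/HOST-A
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
CN=App Server B,OU=Server,DC=example,DC=test
for index on servicePrincipalName, duplicate of objectGUID
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee in @INDEX:SERVICEPRINCIPALNAME
<INDEX:SERVICEPRINCIPALNAME>:HTTP/app-b.example.test
completed re-index OK
"""

# dn: object named in the warning; guid: objectGUID already holding the
# index entry; value: the indexed value reported as duplicated.
DUPLICATE = re.compile(
    r"duplicate attribute value in (?P<dn>.+?) for index on (?P<attr>\S+), "
    r"duplicate of objectGUID (?P<guid>[0-9a-fA-F-]{36}) in @INDEX:\S+ "
    r"<INDEX:[^>]+>:(?P<value>\S+)"
)

def parse_reindex_duplicates(output):
    """Return one dict per duplicate-index warning in the given output."""
    # Collapse all whitespace so wrapped lines become one searchable string.
    flat = " ".join(output.split())
    return [m.groupdict() for m in DUPLICATE.finditer(flat)]

def duplicates_by_attribute(findings):
    """Group findings by indexed attribute, e.g. servicePrincipalName."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["attr"]].append((f["value"], f["dn"], f["guid"]))
    return dict(grouped)

if __name__ == "__main__":
    report = duplicates_by_attribute(parse_reindex_duplicates(SAMPLE))
    for attr, rows in report.items():
        for value, dn, guid in rows:
            print(f"{attr}: {value} on {dn} duplicates objectGUID {guid}")
```

Each reported servicePrincipalName value should end up on exactly one account, since the KDC resolves a service ticket request by SPN.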

