[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed

L.P.H. van Belle belle at bazuin.nl
Fri Jul 16 13:34:18 UTC 2021


Verify whether you are using a credential cache for Kerberos as well.

Did you give "Domain Admins" and/or Administrator a UID/GID? 
Because: 'already set via primaryGroupID 512' 
And I know we "normally" start with IDs above 10000.

For the error below, try: samba-tool dbcheck --cross-ncs --fix 
I compared the "bad" and "good" link. 
Both are exactly the same. 

And if you can, upgrade to at least 4.13 or 4.14. 
And remove the GID from Domain Admins. 

Reboot the server, and check the other DCs after it is up again. 
Test. 

Report back. 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Stefan Bauer via samba
> Sent: Friday, 16 July 2021 13:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k 
> requests per minute - help needed
> 
> Hi,
> 
> thanks a lot for all that input.
> 
> 
> Almost all requests are Kerberos traffic (88). I don't think 
> that an LDAP proxy can help here.
> 
> 
> Index seems to be active for all the mandatory fields (attached below)
> 
> 
> 
> dbcheck only reports a few duplicates, but could not fix them:
> 
> 
> # samba-tool dbcheck --fix
> Checking 4351 objects
> Not checking for missing forward links because the db has the 
> sortedLinks feature
> ERROR: Duplicate forward link values for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
> Duplicate link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Correct   link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Duplicate link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Correct   link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
> Commit fixes for (missing/duplicate) forward links in attribute 'member' [y/N/all/none] all
> Failed to fix duplicate links in attribute 'member' : (68, 'samldb: member CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local already set via primaryGroupID 512')
> Checked 4351 objects (2 errors)
> 
> 
> 
> # samba-tool dbcheck --reindex
> Re-indexing...
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in 
> CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local 
> for index on servicePrincipalName, duplicate of objectGUID 
> 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME 
> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in 
> CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local 
> for index on servicePrincipalName, duplicate of objectGUID 
> e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME 
> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
> completed re-index OK
> 
> 
> 
> Thanks. Stefan
> 
> 
> --------------------------------------------------------------------
> 
> 
> 
> 
> # ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
> # record 1
> dn: @INDEXLIST
> @IDX_DN_GUID: GUID
> @IDXGUID: objectGUID
> @IDXONE: 1
> @SAMBA_FEATURES_SUPPORTED: 1
> @SAMDB_INDEXING_VERSION: 2
> @IDXATTR: msDS-DeviceID
> @IDXATTR: msDS-DevicePhysicalIDs
> @IDXATTR: msDS-DeviceOSType
> @IDXATTR: msDS-SyncServerUrl
> @IDXATTR: msDS-CloudIsManaged
> @IDXATTR: msDS-IsManaged
> @IDXATTR: msDS-DeviceObjectVersion
> @IDXATTR: msDS-ApproximateLastLogonTimeStamp
> @IDXATTR: msDS-RegisteredUsers
> @IDXATTR: msDS-RegisteredOwner
> @IDXATTR: msDS-cloudExtensionAttribute20
> @IDXATTR: msDS-cloudExtensionAttribute19
> @IDXATTR: msDS-cloudExtensionAttribute18
> @IDXATTR: msDS-cloudExtensionAttribute17
> @IDXATTR: msDS-cloudExtensionAttribute16
> @IDXATTR: msDS-cloudExtensionAttribute15
> @IDXATTR: msDS-cloudExtensionAttribute14
> @IDXATTR: msDS-cloudExtensionAttribute13
> @IDXATTR: msDS-cloudExtensionAttribute12
> @IDXATTR: msDS-cloudExtensionAttribute11
> @IDXATTR: msDS-cloudExtensionAttribute10
> @IDXATTR: msDS-cloudExtensionAttribute9
> @IDXATTR: msDS-cloudExtensionAttribute8
> @IDXATTR: msDS-cloudExtensionAttribute7
> @IDXATTR: msDS-cloudExtensionAttribute6
> @IDXATTR: msDS-cloudExtensionAttribute5
> @IDXATTR: msDS-cloudExtensionAttribute4
> @IDXATTR: msDS-cloudExtensionAttribute3
> @IDXATTR: msDS-cloudExtensionAttribute2
> @IDXATTR: msDS-cloudExtensionAttribute1
> @IDXATTR: netbootDUID
> @IDXATTR: msDS-GeoCoordinatesLongitude
> @IDXATTR: msDS-GeoCoordinatesLatitude
> @IDXATTR: msDS-GeoCoordinatesAltitude
> @IDXATTR: msDS-PrimaryComputer
> @IDXATTR: msTPM-SrkPubThumbprint
> @IDXATTR: msSPP-KMSIds
> @IDXATTR: msExchMailboxAuditEnable
> @IDXATTR: msExchBypassAudit
> @IDXATTR: msExchExtensionCustomAttribute5
> @IDXATTR: msExchExtensionCustomAttribute4
> @IDXATTR: msExchExtensionCustomAttribute3
> @IDXATTR: msExchExtensionCustomAttribute2
> @IDXATTR: msExchExtensionCustomAttribute1
> @IDXATTR: msExchExtensionAttribute45
> @IDXATTR: msExchExtensionAttribute44
> @IDXATTR: msExchExtensionAttribute43
> @IDXATTR: msExchExtensionAttribute42
> @IDXATTR: msExchExtensionAttribute41
> @IDXATTR: msExchExtensionAttribute40
> @IDXATTR: msExchExtensionAttribute39
> @IDXATTR: msExchExtensionAttribute38
> @IDXATTR: msExchExtensionAttribute37
> @IDXATTR: msExchExtensionAttribute36
> @IDXATTR: msExchExtensionAttribute35
> @IDXATTR: msExchExtensionAttribute34
> @IDXATTR: msExchExtensionAttribute33
> @IDXATTR: msExchExtensionAttribute32
> @IDXATTR: msExchExtensionAttribute31
> @IDXATTR: msExchExtensionAttribute30
> @IDXATTR: msExchExtensionAttribute29
> @IDXATTR: msExchExtensionAttribute28
> @IDXATTR: msExchExtensionAttribute27
> @IDXATTR: msExchExtensionAttribute26
> @IDXATTR: msExchExtensionAttribute25
> @IDXATTR: msExchExtensionAttribute24
> @IDXATTR: msExchExtensionAttribute23
> @IDXATTR: msExchExtensionAttribute22
> @IDXATTR: msExchExtensionAttribute21
> @IDXATTR: msExchExtensionAttribute20
> @IDXATTR: msExchExtensionAttribute19
> @IDXATTR: msExchExtensionAttribute18
> @IDXATTR: msExchExtensionAttribute17
> @IDXATTR: msExchExtensionAttribute16
> @IDXATTR: msExchUsageLocation
> @IDXATTR: msExchDisabledArchiveGUID
> @IDXATTR: msOrg-GroupSubtypeName
> @IDXATTR: msOrg-OtherDisplayNames
> @IDXATTR: msExchCalculatedTargetAddress
> @IDXATTR: msExchReseller
> @IDXATTR: msExchExternalDirectoryOrganizationId
> @IDXATTR: msExchMailboxAuditLastExternalAccess
> @IDXATTR: msExchMailboxAuditLastDelegateAccess
> @IDXATTR: msExchMailboxAuditLastAdminAccess
> @IDXATTR: msExchSetupStatus
> @IDXATTR: msExchMailboxMoveTargetArchiveMDBBL
> @IDXATTR: msExchMailboxMoveTargetArchiveMDBLink
> @IDXATTR: msExchMailboxMoveSourceArchiveMDBBL
> @IDXATTR: msExchMailboxMoveSourceArchiveMDBLink
> @IDXATTR: msExchOnPremiseObjectGuid
> @IDXATTR: msExchMRSRequestType
> @IDXATTR: msExchIntendedServicePlan
> @IDXATTR: msExchExternalDirectoryObjectId
> @IDXATTR: msExchUMSourceForestPolicyNames
> @IDXATTR: msExchSharedConfigServicePlanTag
> @IDXATTR: msExchPartnerGroupID
> @IDXATTR: msExchUCVoiceMailSettings
> @IDXATTR: msExchRemoteRecipientType
> @IDXATTR: msExchMailboxMoveRequestGuid
> @IDXATTR: msExchCapabilityIdentifiers
> @IDXATTR: msExchArchiveStatus
> @IDXATTR: msExchArchiveAddress
> @IDXATTR: altSecurityIdentities
> @IDXATTR: lastLogonTimestamp
> @IDXATTR: msFVE-VolumeGuid
> @IDXATTR: msFVE-RecoveryGuid
> @IDXATTR: msDS-PhoneticCompanyName
> @IDXATTR: msDS-PhoneticDisplayName
> @IDXATTR: msDS-PhoneticDepartment
> @IDXATTR: msDS-PhoneticFirstName
> @IDXATTR: msDS-PhoneticLastName
> @IDXATTR: msDS-HABSeniorityIndex
> @IDXATTR: msDS-Entry-Time-To-Die
> @IDXATTR: trustPartner
> @IDXATTR: st
> @IDXATTR: objectClass
> @IDXATTR: department
> @IDXATTR: company
> @IDXATTR: msExchVoiceMailboxID
> @IDXATTR: msExchUserAccountControl
> @IDXATTR: msExchUnmergedAttsPt
> @IDXATTR: unmergedAtts
> @IDXATTR: targetAddress
> @IDXATTR: msExchResourceGUID
> @IDXATTR: msExchPreviousAccountSid
> @IDXATTR: msExchMasterAccountSid
> @IDXATTR: msExchMailboxGuid
> @IDXATTR: mailNickname
> @IDXATTR: importedFrom
> @IDXATTR: msExchIMVirtualServer
> @IDXATTR: msExchIMPhysicalURL
> @IDXATTR: msExchIMMetaPhysicalURL
> @IDXATTR: msExchIMAddress
> @IDXATTR: msExchFBURL
> @IDXATTR: extensionAttribute9
> @IDXATTR: extensionAttribute8
> @IDXATTR: extensionAttribute7
> @IDXATTR: extensionAttribute6
> @IDXATTR: extensionAttribute5
> @IDXATTR: extensionAttribute4
> @IDXATTR: extensionAttribute3
> @IDXATTR: extensionAttribute2
> @IDXATTR: extensionAttribute15
> @IDXATTR: extensionAttribute14
> @IDXATTR: extensionAttribute13
> @IDXATTR: extensionAttribute12
> @IDXATTR: extensionAttribute11
> @IDXATTR: extensionAttribute10
> @IDXATTR: extensionAttribute1
> @IDXATTR: expirationTime
> @IDXATTR: msExchADCGlobalNames
> @IDXATTR: msExchHomeServerName
> @IDXATTR: msExchObjectID
> @IDXATTR: msExchLicenseToken
> @IDXATTR: msExchMailboxMoveBatchName
> @IDXATTR: msExchForeignGroupSID
> @IDXATTR: msExchArchiveGUID
> @IDXATTR: msExchRoleType
> @IDXATTR: msExchRoleEntriesExt
> @IDXATTR: msExchMailboxMoveStatus
> @IDXATTR: msExchMailboxMoveRemoteHostName
> @IDXATTR: msExchUMDialPlanDialedNumbers
> @IDXATTR: msExchUMAddresses
> @IDXATTR: msExchAlternateMailboxes
> @IDXATTR: msExchServicePlan
> @IDXATTR: msExchThrottlingPolicyDN
> @IDXATTR: msExchThrottlingIsDefaultPolicy
> @IDXATTR: msExchUMCallingLineIDs
> @IDXATTR: msExchImmutableId
> @IDXATTR: msExchWindowsLiveID
> @IDXATTR: msExchSignupAddresses
> @IDXATTR: msExchEdgeSyncSourceGuid
> @IDXATTR: msExchDeviceID
> @IDXATTR: msExchArbitrationMailbox
> @IDXATTR: msExchRoleLink
> @IDXATTR: msExchScopeFlags
> @IDXATTR: msExchRoleFlags
> @IDXATTR: msExchRoleEntries
> @IDXATTR: msExchRoleAssignmentFlags
> @IDXATTR: msExchOURoot
> @IDXATTR: msExchRecipientTypeDetails
> @IDXATTR: msExchRecipientDisplayType
> @IDXATTR: msExchMasterAccountHistory
> @IDXATTR: msExchAvailabilityForeignConnectorType
> @IDXATTR: msExchUMIPGatewayAddress
> @IDXATTR: msExchUMDtmfMap
> @IDXATTR: msExchUMAutoAttendantDialedNumbers
> @IDXATTR: msExchResourceSearchProperties
> @IDXATTR: msPKI-Cert-Template-OID
> @IDXATTR: msTSExpireDate
> @IDXATTR: uSNCreated
> @IDXATTR: uSNChanged
> @IDXATTR: userPrincipalName
> @IDXATTR: userAccountControl
> @IDXATTR: sn
> @IDXATTR: sIDHistory
> @IDXATTR: showInAdvancedViewOnly
> @IDXATTR: servicePrincipalName
> @IDXATTR: sAMAccountType
> @IDXATTR: sAMAccountName
> @IDXATTR: name
> @IDXATTR: proxyAddresses
> @IDXATTR: primaryGroupID
> @IDXATTR: ou
> @IDXATTR: objectSid
> @IDXATTR: objectGUID
> @IDXATTR: objectCategory
> @IDXATTR: nETBIOSName
> @IDXATTR: mSMQOwnerID
> @IDXATTR: msDS-SecondaryKrbTgtNumber
> @IDXATTR: msDS-Site-Affinity
> @IDXATTR: mS-DS-CreatorSID
> @IDXATTR: msDS-Cached-Membership-Time-Stamp
> @IDXATTR: msDS-AdditionalSamAccountName
> @IDXATTR: l
> @IDXATTR: legacyExchangeDN
> @IDXATTR: lDAPDisplayName
> @IDXATTR: keywords
> @IDXATTR: invocationId
> @IDXATTR: groupType
> @IDXATTR: givenName
> @IDXATTR: fSMORoleOwner
> @IDXATTR: fromServer
> @IDXATTR: flatName
> @IDXATTR: dnsRoot
> @IDXATTR: displayName
> @IDXATTR: cn
> @IDXATTR: msTSLicenseVersion4
> @IDXATTR: msTSLicenseVersion3
> @IDXATTR: msTSLicenseVersion2
> @IDXATTR: msTSLSProperty02
> @IDXATTR: msTSLSProperty01
> @IDXATTR: msTSExpireDate4
> @IDXATTR: msTSExpireDate3
> @IDXATTR: msTSExpireDate2
> @IDXATTR: msTSManagingLS4
> @IDXATTR: msTSManagingLS3
> @IDXATTR: msTSManagingLS2
> @IDXATTR: terminalServer
> @IDXATTR: msTSManagingLS
> @IDXATTR: msTSLicenseVersion
> @IDXATTR: msTSProperty02
> @IDXATTR: msTSProperty01
> @IDXATTR: msDS-AzObjectGuid
> @IDXATTR: msDFSR-ReplicationGroupGuid
> @IDXATTR: msDFSR-DfsPath
> @IDXATTR: uidNumber
> @IDXATTR: gidNumber
> @IDXATTR: msSFU30IsValidContainer
> @IDXATTR: msSFU30NetgroupUserAtDomain
> @IDXATTR: msSFU30NetgroupHostAtDomain
> @IDXATTR: msSFU30MaxUidNumber
> @IDXATTR: msSFU30MaxGidNumber
> @IDXATTR: msSFU30YpServers
> @IDXATTR: msSFU30Domains
> @IDXATTR: msSFU30NisDomain
> @IDXATTR: msSFU30BootFile
> @IDXATTR: msSFU30NisMapEntry
> @IDXATTR: msSFU30NisMapName
> @IDXATTR: msSFU30MemberUid
> @IDXATTR: msSFU30MacAddress
> @IDXATTR: msSFU30IpHostNumber
> @IDXATTR: msSFU30OncRpcNumber
> @IDXATTR: msSFU30IpNetmaskNumber
> @IDXATTR: msSFU30IpNetworkNumber
> @IDXATTR: msSFU30IpProtocolNumber
> @IDXATTR: msSFU30GidNumber
> @IDXATTR: msSFU30UidNumber
> @IDXATTR: msSFU30Name
> @IDXATTR: msSFU30OrderNumber
> @IDXATTR: msSFU30MasterServerName
> @IDXATTR: textEncodedORAddress
> @IDXATTR: msExchHomeRoutingGroup
> @IDXATTR: msExchRoutingGroupMembersDN
> @IDXATTR: mail
> @IDXATTR: msExchIMServerName
> @IDXATTR: physicalDeliveryOfficeName
> @IDXATTR: volTableIdxGUID
> @IDXATTR: USNIntersite
> @IDXATTR: uNCName
> @IDXATTR: timeVolChange
> @IDXATTR: serviceClassName
> @IDXATTR: rpcNsTransferSyntax
> @IDXATTR: rpcNsObjectID
> @IDXATTR: rpcNsInterfaceID
> @IDXATTR: requiredCategories
> @IDXATTR: physicalLocationObject
> @IDXATTR: packageFlags
> @IDXATTR: oMTIndxGuid
> @IDXATTR: netbootGUID
> @IDXATTR: mSMQQueueType
> @IDXATTR: mSMQLabelEx
> @IDXATTR: mSMQLabel
> @IDXATTR: mSMQDigests
> @IDXATTR: mS-SQL-Alias
> @IDXATTR: mS-SQL-Database
> @IDXATTR: mS-SQL-Version
> @IDXATTR: mS-SQL-Name
> @IDXATTR: location
> @IDXATTR: implementedCategories
> @IDXATTR: groupAttributes
> @IDXATTR: fileExtPriority
> @IDXATTR: dNSTombstoned
> @IDXATTR: dhcpType
> @IDXATTR: cOMClassID
> @IDXATTR: birthLocation
> distinguishedName: @INDEXLIST
> 
> 
> 
> On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
> > I would start here.
> > https://docs.software-univention.de/performance-guide-4.1.html
> >
> > And run :
> > ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
> > That shows what is indexed at this moment.
> >
> > You can add an LDAP proxy on the webserver to offload samba.
> > Also samba is Version 4.10.18-Univention; a newer version has 
> > better performance.
> > There is/was a change as of 4.11
> >
> > On all AD-DC's run :
> > samba-tool dbcheck
> > samba-tool dbcheck --reindex
> > Might help a bit also.
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
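Two of the checks discussed in this thread, as an added example (this is not code from the thread, from Univention, or from Samba itself): the field-by-field comparison of the "Duplicate link" and "Correct link" pairs that dbcheck prints, which Louis did by eye, and a check of the @INDEXLIST dump for the attributes that KDC and logon lookups search on. The dbcheck text is a constructed copy of the output quoted above with the e-mail line wrapping undone; the @INDEXLIST sample is a constructed, trimmed dump with primaryGroupID deliberately left out so the check has something to report, and LOOKUP_ATTRS is an assumed list, not one taken from Samba's sources.

```python
import re

# Constructed sample: the 'member' link diagnostics quoted in the thread,
# with the mail client's line wrapping undone so each link is on one line.
DBCHECK_OUTPUT = """\
ERROR: Duplicate forward link values for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
Duplicate link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Duplicate link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Checked 4351 objects (2 errors)
"""

LINK_RE = re.compile(r"^(Duplicate|Correct)\s+link\s+'(?P<link>.+)'\s*$")
COMP_RE = re.compile(r"^<([A-Z_]+)=([^>]*)>$")


def parse_extended_dn(link):
    """Split an extended DN ('<GUID=..>;<RMD_..=..>;...;CN=..') into the
    replication-metadata dict and the plain DN that follows it."""
    meta, dn_parts = {}, []
    for comp in link.split(";"):
        m = COMP_RE.match(comp)
        if m:
            meta[m.group(1)] = m.group(2)
        else:
            dn_parts.append(comp)
    return meta, ";".join(dn_parts)


def pair_links(output):
    """Pair each 'Duplicate link' line with the 'Correct link' line that
    follows it. Returns [(target_dn, duplicate_meta, correct_meta), ...]."""
    pairs, pending = [], None
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        meta, dn = parse_extended_dn(m.group("link"))
        if m.group(1) == "Duplicate":
            pending = (dn, meta)
        elif pending is not None and pending[0] == dn:
            pairs.append((dn, pending[1], meta))
            pending = None
    return pairs


def diff_meta(dup, good):
    """Metadata fields whose value differs between the duplicate and the
    link dbcheck wants to keep; an empty dict means a byte-identical pair."""
    keys = sorted(set(dup) | set(good))
    return {k: (dup.get(k), good.get(k)) for k in keys if dup.get(k) != good.get(k)}


# Constructed, trimmed @INDEXLIST dump in the shape ldbsearch prints it;
# primaryGroupID is left out on purpose so the check below reports it.
INDEXLIST_LDIF = """\
# record 1
dn: @INDEXLIST
@IDX_DN_GUID: GUID
@IDXGUID: objectGUID
@IDXONE: 1
@IDXATTR: servicePrincipalName
@IDXATTR: sAMAccountName
@IDXATTR: objectSid
@IDXATTR: userPrincipalName
@IDXATTR: objectClass
distinguishedName: @INDEXLIST
"""

# Assumed list of attributes that KDC and logon lookups filter on.
LOOKUP_ATTRS = ("sAMAccountName", "userPrincipalName", "servicePrincipalName",
                "objectSid", "objectGUID", "objectClass", "primaryGroupID")


def indexed_attributes(ldif):
    """Attributes @INDEXLIST declares indexed: every @IDXATTR, plus the
    @IDXGUID attribute, which is the record key and so always indexed."""
    return {line.split(":", 1)[1].strip() for line in ldif.splitlines()
            if line.startswith(("@IDXATTR:", "@IDXGUID:"))}


def missing_indexes(ldif, wanted=LOOKUP_ATTRS):
    """Wanted attributes that have no index in this @INDEXLIST dump."""
    present = indexed_attributes(ldif)
    return [a for a in wanted if a not in present]


if __name__ == "__main__":
    for dn, dup, good in pair_links(DBCHECK_OUTPUT):
        print(dn, "->", diff_meta(dup, good) or "identical")
    print("unindexed:", missing_indexes(INDEXLIST_LDIF))
```

On the quoted output the Administrator_MS pair differs only in RMD_CHANGETIME, RMD_LOCAL_USN, RMD_ORIGINATING_USN and RMD_VERSION (the newer link has been rewritten twice since the stale copy), while the sql-admin pair is identical in every field. To run the index check against a live DC, feed it the output of the ldbsearch command quoted earlier instead of INDEXLIST_LDIF.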




More information about the samba mailing list