[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed

Stefan Bauer stefan.bauer at cubewerk.de
Mon Jul 19 09:13:28 UTC 2021


Hi and thank you for your time.

We have now received confirmation that Samba 4 is not supported by our 
software vendor.

Hence we will move, for now, to a plain LDAP server.

Thank you.


stefan

On 16.07.21 15:34, L.P.H. van Belle via samba wrote:
> Verify if you are using a credential cache for Kerberos also.
>
> Did you give "Domain Admins" and/or Administrator a UID/GID?
> Because : already set via primaryGroupID 512')
> And I know we start with IDs "normally" above 10000.
>
> For the error below, try : samba-tool dbcheck --cross-ncs --fix
> I compared the "bad" and "good" link..
> Both are exactly the same.
>
> And if you can, upgrade to at least 4.13 or 4.14
> And remove the GID from Domain Admins.
>
> Reboot the server, check the other DCs after it's up again.
> Test.
>
> Report back.
>
> Greetz,
>
> Louis
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> Stefan Bauer via samba
>> Sent: Friday, 16 July 2021 13:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
>> requests per minute - help needed
>>
>> Hi,
>>
>> thanks a lot for all that input.
>>
>>
>> Almost all requests are Kerberos traffic (88). I don't think
>> that an LDAP proxy can help here.
>>
>>
>> Index seems to be active for all the mandatory fields (attached below)
>>
>>
>>
>> dbcheck only reports a few duplicates, but could not fix them:
>>
>>
>> # samba-tool dbcheck --fix
>> Checking 4351 objects
>> Not checking for missing forward links because the db has the sortedLinks feature
>> ERROR: Duplicate forward link values for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
>> Duplicate link
>> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Correct   link
>> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Duplicate link
>> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Correct   link
>> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
>> Commit fixes for (missing/duplicate) forward links in attribute 'member' [y/N/all/none] all
>> Failed to fix duplicate links in attribute 'member' : (68, 'samldb: member CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local already set via primaryGroupID 512')
>> Checked 4351 objects (2 errors)
>>
>>
>>
>> # samba-tool dbcheck --reindex
>> Re-indexing...
>> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
>> CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
>> for index on servicePrincipalName, duplicate of objectGUID
>> 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME
>> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
>> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
>> CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
>> for index on servicePrincipalName, duplicate of objectGUID
>> e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME
>> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
>> completed re-index OK
>>
>>
>>
>> Thanks. Stefan
>>
>>
>> --------------------------------------------------------------------
>>
>>
>>
>>
>> # ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
>> # record 1
>> dn: @INDEXLIST
>> @IDX_DN_GUID: GUID
>> @IDXGUID: objectGUID
>> @IDXONE: 1
>> @SAMBA_FEATURES_SUPPORTED: 1
>> @SAMDB_INDEXING_VERSION: 2
>> @IDXATTR: msDS-DeviceID
>> @IDXATTR: msDS-DevicePhysicalIDs
>> @IDXATTR: msDS-DeviceOSType
>> @IDXATTR: msDS-SyncServerUrl
>> @IDXATTR: msDS-CloudIsManaged
>> @IDXATTR: msDS-IsManaged
>> @IDXATTR: msDS-DeviceObjectVersion
>> @IDXATTR: msDS-ApproximateLastLogonTimeStamp
>> @IDXATTR: msDS-RegisteredUsers
>> @IDXATTR: msDS-RegisteredOwner
>> @IDXATTR: msDS-cloudExtensionAttribute20
>> @IDXATTR: msDS-cloudExtensionAttribute19
>> @IDXATTR: msDS-cloudExtensionAttribute18
>> @IDXATTR: msDS-cloudExtensionAttribute17
>> @IDXATTR: msDS-cloudExtensionAttribute16
>> @IDXATTR: msDS-cloudExtensionAttribute15
>> @IDXATTR: msDS-cloudExtensionAttribute14
>> @IDXATTR: msDS-cloudExtensionAttribute13
>> @IDXATTR: msDS-cloudExtensionAttribute12
>> @IDXATTR: msDS-cloudExtensionAttribute11
>> @IDXATTR: msDS-cloudExtensionAttribute10
>> @IDXATTR: msDS-cloudExtensionAttribute9
>> @IDXATTR: msDS-cloudExtensionAttribute8
>> @IDXATTR: msDS-cloudExtensionAttribute7
>> @IDXATTR: msDS-cloudExtensionAttribute6
>> @IDXATTR: msDS-cloudExtensionAttribute5
>> @IDXATTR: msDS-cloudExtensionAttribute4
>> @IDXATTR: msDS-cloudExtensionAttribute3
>> @IDXATTR: msDS-cloudExtensionAttribute2
>> @IDXATTR: msDS-cloudExtensionAttribute1
>> @IDXATTR: netbootDUID
>> @IDXATTR: msDS-GeoCoordinatesLongitude
>> @IDXATTR: msDS-GeoCoordinatesLatitude
>> @IDXATTR: msDS-GeoCoordinatesAltitude
>> @IDXATTR: msDS-PrimaryComputer
>> @IDXATTR: msTPM-SrkPubThumbprint
>> @IDXATTR: msSPP-KMSIds
>> @IDXATTR: msExchMailboxAuditEnable
>> @IDXATTR: msExchBypassAudit
>> @IDXATTR: msExchExtensionCustomAttribute5
>> @IDXATTR: msExchExtensionCustomAttribute4
>> @IDXATTR: msExchExtensionCustomAttribute3
>> @IDXATTR: msExchExtensionCustomAttribute2
>> @IDXATTR: msExchExtensionCustomAttribute1
>> @IDXATTR: msExchExtensionAttribute45
>> @IDXATTR: msExchExtensionAttribute44
>> @IDXATTR: msExchExtensionAttribute43
>> @IDXATTR: msExchExtensionAttribute42
>> @IDXATTR: msExchExtensionAttribute41
>> @IDXATTR: msExchExtensionAttribute40
>> @IDXATTR: msExchExtensionAttribute39
>> @IDXATTR: msExchExtensionAttribute38
>> @IDXATTR: msExchExtensionAttribute37
>> @IDXATTR: msExchExtensionAttribute36
>> @IDXATTR: msExchExtensionAttribute35
>> @IDXATTR: msExchExtensionAttribute34
>> @IDXATTR: msExchExtensionAttribute33
>> @IDXATTR: msExchExtensionAttribute32
>> @IDXATTR: msExchExtensionAttribute31
>> @IDXATTR: msExchExtensionAttribute30
>> @IDXATTR: msExchExtensionAttribute29
>> @IDXATTR: msExchExtensionAttribute28
>> @IDXATTR: msExchExtensionAttribute27
>> @IDXATTR: msExchExtensionAttribute26
>> @IDXATTR: msExchExtensionAttribute25
>> @IDXATTR: msExchExtensionAttribute24
>> @IDXATTR: msExchExtensionAttribute23
>> @IDXATTR: msExchExtensionAttribute22
>> @IDXATTR: msExchExtensionAttribute21
>> @IDXATTR: msExchExtensionAttribute20
>> @IDXATTR: msExchExtensionAttribute19
>> @IDXATTR: msExchExtensionAttribute18
>> @IDXATTR: msExchExtensionAttribute17
>> @IDXATTR: msExchExtensionAttribute16
>> @IDXATTR: msExchUsageLocation
>> @IDXATTR: msExchDisabledArchiveGUID
>> @IDXATTR: msOrg-GroupSubtypeName
>> @IDXATTR: msOrg-OtherDisplayNames
>> @IDXATTR: msExchCalculatedTargetAddress
>> @IDXATTR: msExchReseller
>> @IDXATTR: msExchExternalDirectoryOrganizationId
>> @IDXATTR: msExchMailboxAuditLastExternalAccess
>> @IDXATTR: msExchMailboxAuditLastDelegateAccess
>> @IDXATTR: msExchMailboxAuditLastAdminAccess
>> @IDXATTR: msExchSetupStatus
>> @IDXATTR: msExchMailboxMoveTargetArchiveMDBBL
>> @IDXATTR: msExchMailboxMoveTargetArchiveMDBLink
>> @IDXATTR: msExchMailboxMoveSourceArchiveMDBBL
>> @IDXATTR: msExchMailboxMoveSourceArchiveMDBLink
>> @IDXATTR: msExchOnPremiseObjectGuid
>> @IDXATTR: msExchMRSRequestType
>> @IDXATTR: msExchIntendedServicePlan
>> @IDXATTR: msExchExternalDirectoryObjectId
>> @IDXATTR: msExchUMSourceForestPolicyNames
>> @IDXATTR: msExchSharedConfigServicePlanTag
>> @IDXATTR: msExchPartnerGroupID
>> @IDXATTR: msExchUCVoiceMailSettings
>> @IDXATTR: msExchRemoteRecipientType
>> @IDXATTR: msExchMailboxMoveRequestGuid
>> @IDXATTR: msExchCapabilityIdentifiers
>> @IDXATTR: msExchArchiveStatus
>> @IDXATTR: msExchArchiveAddress
>> @IDXATTR: altSecurityIdentities
>> @IDXATTR: lastLogonTimestamp
>> @IDXATTR: msFVE-VolumeGuid
>> @IDXATTR: msFVE-RecoveryGuid
>> @IDXATTR: msDS-PhoneticCompanyName
>> @IDXATTR: msDS-PhoneticDisplayName
>> @IDXATTR: msDS-PhoneticDepartment
>> @IDXATTR: msDS-PhoneticFirstName
>> @IDXATTR: msDS-PhoneticLastName
>> @IDXATTR: msDS-HABSeniorityIndex
>> @IDXATTR: msDS-Entry-Time-To-Die
>> @IDXATTR: trustPartner
>> @IDXATTR: st
>> @IDXATTR: objectClass
>> @IDXATTR: department
>> @IDXATTR: company
>> @IDXATTR: msExchVoiceMailboxID
>> @IDXATTR: msExchUserAccountControl
>> @IDXATTR: msExchUnmergedAttsPt
>> @IDXATTR: unmergedAtts
>> @IDXATTR: targetAddress
>> @IDXATTR: msExchResourceGUID
>> @IDXATTR: msExchPreviousAccountSid
>> @IDXATTR: msExchMasterAccountSid
>> @IDXATTR: msExchMailboxGuid
>> @IDXATTR: mailNickname
>> @IDXATTR: importedFrom
>> @IDXATTR: msExchIMVirtualServer
>> @IDXATTR: msExchIMPhysicalURL
>> @IDXATTR: msExchIMMetaPhysicalURL
>> @IDXATTR: msExchIMAddress
>> @IDXATTR: msExchFBURL
>> @IDXATTR: extensionAttribute9
>> @IDXATTR: extensionAttribute8
>> @IDXATTR: extensionAttribute7
>> @IDXATTR: extensionAttribute6
>> @IDXATTR: extensionAttribute5
>> @IDXATTR: extensionAttribute4
>> @IDXATTR: extensionAttribute3
>> @IDXATTR: extensionAttribute2
>> @IDXATTR: extensionAttribute15
>> @IDXATTR: extensionAttribute14
>> @IDXATTR: extensionAttribute13
>> @IDXATTR: extensionAttribute12
>> @IDXATTR: extensionAttribute11
>> @IDXATTR: extensionAttribute10
>> @IDXATTR: extensionAttribute1
>> @IDXATTR: expirationTime
>> @IDXATTR: msExchADCGlobalNames
>> @IDXATTR: msExchHomeServerName
>> @IDXATTR: msExchObjectID
>> @IDXATTR: msExchLicenseToken
>> @IDXATTR: msExchMailboxMoveBatchName
>> @IDXATTR: msExchForeignGroupSID
>> @IDXATTR: msExchArchiveGUID
>> @IDXATTR: msExchRoleType
>> @IDXATTR: msExchRoleEntriesExt
>> @IDXATTR: msExchMailboxMoveStatus
>> @IDXATTR: msExchMailboxMoveRemoteHostName
>> @IDXATTR: msExchUMDialPlanDialedNumbers
>> @IDXATTR: msExchUMAddresses
>> @IDXATTR: msExchAlternateMailboxes
>> @IDXATTR: msExchServicePlan
>> @IDXATTR: msExchThrottlingPolicyDN
>> @IDXATTR: msExchThrottlingIsDefaultPolicy
>> @IDXATTR: msExchUMCallingLineIDs
>> @IDXATTR: msExchImmutableId
>> @IDXATTR: msExchWindowsLiveID
>> @IDXATTR: msExchSignupAddresses
>> @IDXATTR: msExchEdgeSyncSourceGuid
>> @IDXATTR: msExchDeviceID
>> @IDXATTR: msExchArbitrationMailbox
>> @IDXATTR: msExchRoleLink
>> @IDXATTR: msExchScopeFlags
>> @IDXATTR: msExchRoleFlags
>> @IDXATTR: msExchRoleEntries
>> @IDXATTR: msExchRoleAssignmentFlags
>> @IDXATTR: msExchOURoot
>> @IDXATTR: msExchRecipientTypeDetails
>> @IDXATTR: msExchRecipientDisplayType
>> @IDXATTR: msExchMasterAccountHistory
>> @IDXATTR: msExchAvailabilityForeignConnectorType
>> @IDXATTR: msExchUMIPGatewayAddress
>> @IDXATTR: msExchUMDtmfMap
>> @IDXATTR: msExchUMAutoAttendantDialedNumbers
>> @IDXATTR: msExchResourceSearchProperties
>> @IDXATTR: msPKI-Cert-Template-OID
>> @IDXATTR: msTSExpireDate
>> @IDXATTR: uSNCreated
>> @IDXATTR: uSNChanged
>> @IDXATTR: userPrincipalName
>> @IDXATTR: userAccountControl
>> @IDXATTR: sn
>> @IDXATTR: sIDHistory
>> @IDXATTR: showInAdvancedViewOnly
>> @IDXATTR: servicePrincipalName
>> @IDXATTR: sAMAccountType
>> @IDXATTR: sAMAccountName
>> @IDXATTR: name
>> @IDXATTR: proxyAddresses
>> @IDXATTR: primaryGroupID
>> @IDXATTR: ou
>> @IDXATTR: objectSid
>> @IDXATTR: objectGUID
>> @IDXATTR: objectCategory
>> @IDXATTR: nETBIOSName
>> @IDXATTR: mSMQOwnerID
>> @IDXATTR: msDS-SecondaryKrbTgtNumber
>> @IDXATTR: msDS-Site-Affinity
>> @IDXATTR: mS-DS-CreatorSID
>> @IDXATTR: msDS-Cached-Membership-Time-Stamp
>> @IDXATTR: msDS-AdditionalSamAccountName
>> @IDXATTR: l
>> @IDXATTR: legacyExchangeDN
>> @IDXATTR: lDAPDisplayName
>> @IDXATTR: keywords
>> @IDXATTR: invocationId
>> @IDXATTR: groupType
>> @IDXATTR: givenName
>> @IDXATTR: fSMORoleOwner
>> @IDXATTR: fromServer
>> @IDXATTR: flatName
>> @IDXATTR: dnsRoot
>> @IDXATTR: displayName
>> @IDXATTR: cn
>> @IDXATTR: msTSLicenseVersion4
>> @IDXATTR: msTSLicenseVersion3
>> @IDXATTR: msTSLicenseVersion2
>> @IDXATTR: msTSLSProperty02
>> @IDXATTR: msTSLSProperty01
>> @IDXATTR: msTSExpireDate4
>> @IDXATTR: msTSExpireDate3
>> @IDXATTR: msTSExpireDate2
>> @IDXATTR: msTSManagingLS4
>> @IDXATTR: msTSManagingLS3
>> @IDXATTR: msTSManagingLS2
>> @IDXATTR: terminalServer
>> @IDXATTR: msTSManagingLS
>> @IDXATTR: msTSLicenseVersion
>> @IDXATTR: msTSProperty02
>> @IDXATTR: msTSProperty01
>> @IDXATTR: msDS-AzObjectGuid
>> @IDXATTR: msDFSR-ReplicationGroupGuid
>> @IDXATTR: msDFSR-DfsPath
>> @IDXATTR: uidNumber
>> @IDXATTR: gidNumber
>> @IDXATTR: msSFU30IsValidContainer
>> @IDXATTR: msSFU30NetgroupUserAtDomain
>> @IDXATTR: msSFU30NetgroupHostAtDomain
>> @IDXATTR: msSFU30MaxUidNumber
>> @IDXATTR: msSFU30MaxGidNumber
>> @IDXATTR: msSFU30YpServers
>> @IDXATTR: msSFU30Domains
>> @IDXATTR: msSFU30NisDomain
>> @IDXATTR: msSFU30BootFile
>> @IDXATTR: msSFU30NisMapEntry
>> @IDXATTR: msSFU30NisMapName
>> @IDXATTR: msSFU30MemberUid
>> @IDXATTR: msSFU30MacAddress
>> @IDXATTR: msSFU30IpHostNumber
>> @IDXATTR: msSFU30OncRpcNumber
>> @IDXATTR: msSFU30IpNetmaskNumber
>> @IDXATTR: msSFU30IpNetworkNumber
>> @IDXATTR: msSFU30IpProtocolNumber
>> @IDXATTR: msSFU30GidNumber
>> @IDXATTR: msSFU30UidNumber
>> @IDXATTR: msSFU30Name
>> @IDXATTR: msSFU30OrderNumber
>> @IDXATTR: msSFU30MasterServerName
>> @IDXATTR: textEncodedORAddress
>> @IDXATTR: msExchHomeRoutingGroup
>> @IDXATTR: msExchRoutingGroupMembersDN
>> @IDXATTR: mail
>> @IDXATTR: msExchIMServerName
>> @IDXATTR: physicalDeliveryOfficeName
>> @IDXATTR: volTableIdxGUID
>> @IDXATTR: USNIntersite
>> @IDXATTR: uNCName
>> @IDXATTR: timeVolChange
>> @IDXATTR: serviceClassName
>> @IDXATTR: rpcNsTransferSyntax
>> @IDXATTR: rpcNsObjectID
>> @IDXATTR: rpcNsInterfaceID
>> @IDXATTR: requiredCategories
>> @IDXATTR: physicalLocationObject
>> @IDXATTR: packageFlags
>> @IDXATTR: oMTIndxGuid
>> @IDXATTR: netbootGUID
>> @IDXATTR: mSMQQueueType
>> @IDXATTR: mSMQLabelEx
>> @IDXATTR: mSMQLabel
>> @IDXATTR: mSMQDigests
>> @IDXATTR: mS-SQL-Alias
>> @IDXATTR: mS-SQL-Database
>> @IDXATTR: mS-SQL-Version
>> @IDXATTR: mS-SQL-Name
>> @IDXATTR: location
>> @IDXATTR: implementedCategories
>> @IDXATTR: groupAttributes
>> @IDXATTR: fileExtPriority
>> @IDXATTR: dNSTombstoned
>> @IDXATTR: dhcpType
>> @IDXATTR: cOMClassID
>> @IDXATTR: birthLocation
>> distinguishedName: @INDEXLIST
>>
>>
>>
>> On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
>>> I would start here.
>>> https://docs.software-univention.de/performance-guide-4.1.html
>>>
>>> And run :
>>> ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"  -s base -b @INDEXLIST
>>> That shows what is indexed at this moment.
>>>
>>> You can add an LDAP proxy on the webserver to offload samba.
>>> Also samba is Version 4.10.18-Univention; newer versions have better performance.
>>> There is/was a change as of 4.11
>>>
>>> On all AD-DCs run :
>>> samba-tool dbcheck
>>> samba-tool dbcheck --reindex
>>> Might help a bit also.
>>>
>
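Louis compared the "bad" and "good" link values by eye. The parser below is an added example (not code from this thread or from Samba) that does that comparison mechanically: it reads the "Duplicate link" / "Correct link" pairs that samba-tool dbcheck prints, splits each quoted value into its <RMD_*> replication-metadata components and the target DN, and reports which components actually differ. The sample input is constructed from the two pairs in the dbcheck output above, with the mail-wrapped values joined back onto one line each.

```python
import re

# Constructed sample: the two link pairs from the dbcheck output in this thread, joined onto single lines.
DBCHECK_OUTPUT = """\
Duplicate link
'<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link
'<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Duplicate link
'<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link
'<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
"""

PART_RE = re.compile(r"<([A-Z_]+)=([^>]*)>")        # one <KEY=VALUE> metadata component
LINK_RE = re.compile(r"^'((?:<[^>]*>;)*)(.*)'$")    # 'metadata...;target DN' as dbcheck quotes it

def parse_link(quoted):
    """Split a quoted link value into ({component: value}, target DN)."""
    m = LINK_RE.match(quoted.strip())
    if not m:
        raise ValueError("not a dbcheck link value: %r" % quoted)
    return dict(PART_RE.findall(m.group(1))), m.group(2)

def extract_pairs(output):
    """Return (duplicate, correct) quoted link values in the order dbcheck printed them."""
    lines = output.splitlines()
    pairs, pending = [], None
    for i, line in enumerate(lines[:-1]):
        label = line.split()                      # "Correct   link" has padding spaces
        if len(label) != 2 or label[1] != "link":
            continue
        if label[0] == "Duplicate":
            pending = lines[i + 1]                # the value is on the following line
        elif label[0] == "Correct" and pending is not None:
            pairs.append((pending, lines[i + 1]))
            pending = None
    return pairs

def diff_links(dup, good):
    """Map every component (and the DN) whose value differs to (duplicate, correct)."""
    a, dn_a = parse_link(dup)
    b, dn_b = parse_link(good)
    keys = sorted(set(a) | set(b)) + ["DN"]
    a["DN"], b["DN"] = dn_a, dn_b
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def report(output):
    """One diff dict per Duplicate/Correct pair; an empty dict means the pair is byte-identical."""
    return [diff_links(d, c) for d, c in extract_pairs(output)]
```

On the sample, the first pair differs only in RMD_CHANGETIME, the two USNs and RMD_VERSION, while the sql-admin pair is identical, which is what dbcheck could not resolve because the membership is already implied by primaryGroupID.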
