[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Rowland Penny
rpenny at samba.org
Tue Jul 20 07:47:21 UTC 2021
On Tue, 2021-07-20 at 09:35 +0200, Stefan Bauer via samba wrote:
> I have a plain UCS4.4-8 (latest) with kopano inside correct. Joined it
> initially to a server 2012 windows DC.
>
> Later migrated that windows 2012 domain to a UCS domain. Kopano is still
> a member-server.
>
> /etc/kopano/ldap.conf contains:
>
> ldap_uri = ldap://kopano01.procorp.local:7389/
>
> (this is the local ldap on kopano server)
>
> The local ldap does not seem to get passwords synced from UCS-master to
> local LDAP. Due to this the system is doing a huge amount of
> kerberos-connections to the UCS Samba-DC to validate the user
> credentials all the time (25k/minute)
>
> 09:28:55.718262 IP kopano01.procorp.local.42559 > adm-ucs0.procorp.local.kerberos: v5
> 09:28:55.723467 IP adm-ucs0.procorp.local.kerberos > kopano01.procorp.local.59107:
> 09:28:55.726673 IP kopano01.procorp.local.33144 > adm-ucs0.procorp.local.kerberos: Flags [S], seq 1850537116, win 29200, options [mss 1460,sackOK,TS val 279012852 ecr 0,nop,wscale 7], length 0
>
> Due to this, the authentication time is very bad:
>
> root@kopano01:~# kopano-stats --system | grep ldap_avg_auth
> ldap_avg_auth Average duration (µs) of authentication made to LDAP server 276250
>
> (connection to local ldap -> kerberos request to UCS-master and return)
>
> I'm running:
>
> Webapp 5.1.0.0+167.1
> Kopano core 8.7.20
>
I have come to the conclusion that UCS can best be described as a mess,
but that is just my opinion, others may and probably will differ.
Can you try using a plain Samba setup (I am sure Louis will advise
here)? This will rule UCS in or out.
Rowland