[Samba] slowness in samba4 AD

Marcos Ariel Negrini mnegrini at afip.gob.ar
Wed May 19 19:35:15 UTC 2021


On 19/05/2021 at 12:20, Rowland penny via samba wrote:
> On 19/05/2021 16:11, Marcos Ariel Negrini via samba wrote:
>> Hello:
>> I have installed a Samba4 AD in version 4.13.07,
>
>
> Yes but on which OS ?
Samba is installed on CentOS 8 from the samba.tar.gz, and Group 
Policy Management is run from a Windows 10 machine.
>
> and what is in your smb.conf ?
# Global parameters
[global]
         bind interfaces only = Yes
         dns forwarder = 192.168.10.10
         interfaces = lo ens192
         netbios name = server01
         realm = dominio.prueba
         server role = active directory domain controller
         workgroup = dominio
         idmap_ldb:use rfc2307 = yes

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/samba.afip.gob.ar/scripts
         read only = No
>
>> I have a main controller and two replicas.
>
>
> No, you have three DC's and one of them holds all the FSMO roles.
correct
>
>> In general the performance is very good (authentication, for example), 
>> but I started to detect that sometimes some administration 
>> operations (RSAT or Group Policy Management) become very slow. For 
>> example, opening a GPO from the Group Policy Management interface 
>> takes more than a minute. I have been following the samba logs, but I 
>> can't find any error. Could you guide me on what to look at or 
>> configure to solve this?
>> As information, every night I run a dbcheck in two ways (I am not sure 
>> if one includes the other, so just in case I leave both): "samba-tool 
>> dbcheck --reindex --yes --fix" and "samba-tool dbcheck --yes 
>> --cross-ncs --fix".
>
>
> This sounds like a possible dns problem, are you using the internal 
> dns server or Bind9 ?
internal dns
>
>
> if bind9, please post your named.conf files.

We are using the network DNS (bind), publishing the SRV records that we 
understood it needed for the AD operations; it copies the records that 
we publish in that DNS. The PCs do not use the Samba AD DNS:

$ORIGIN dominio.prueba.
server01                IN A    192.168.12.1
server02                IN A    192.168.12.2
server03                IN A    192.168.12.3
_ldap._tcp              SRV 0 100 389   server01
_ldap._tcp              SRV 0 100 389   server02
_ldap._tcp              SRV 0 100 389   server03
_gc._tcp                SRV 0 100 3268  server01
_gc._tcp                SRV 0 100 3268  server02
_gc._tcp                SRV 0 100 3268  server03
_kerberos._tcp          SRV 0 100 88    server01
_kerberos._tcp          SRV 0 100 88    server02
_kerberos._tcp          SRV 0 100 88    server03
_kpasswd._tcp           SRV 0 100 464   server01
_kpasswd._tcp           SRV 0 100 464   server02
_kpasswd._tcp           SRV 0 100 464   server03

_kerberos._udp          SRV 0 100 88    server01
_kerberos._udp          SRV 0 100 88    server02
_kerberos._udp          SRV 0 100 88    server03
_kpasswd._udp           SRV 0 100 464   server01
_kpasswd._udp           SRV 0 100 464   server02
_kpasswd._udp           SRV 0 100 464   server03

_ldap._tcp.dc._msdcs    SRV 0 100 389   server01
_ldap._tcp.dc._msdcs    SRV 0 100 389   server02
_ldap._tcp.dc._msdcs    SRV 0 100 389   server03

Maybe we are missing some SRV records.

regards

-- 
Marcos Ariel Negrini
AFIP - División Seguridad de Activos
Dirección de Seguridad de la Información
Paseo Colon 635 PB - CP 1063 - CABA
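To check a hand-maintained zone like the one above for gaps, here is an added example (not code from the thread or from the Samba project) that compares the SRV names a zone fragment publishes against the fixed-name SRV records an AD domain is expected to carry, and flags SRV targets that have no A record. The EXPECTED set is reproduced from memory of what Samba's provisioning registers and deliberately omits the per-site, per-domain-GUID and per-DC-GUID records, which only the domain itself knows; the zone text is a constructed sample modelled on the posted one.

```python
"""Audit an AD zone fragment for missing well-known SRV records (added example)."""
import re

# Fixed-name SRV records an AD domain is expected to publish (assumption: from memory
# of Samba's provisioning; confirm with `samba-tool dns query` on a DC). Per-site
# (_sites), per-domain-GUID (.domains._msdcs) and per-DC-GUID CNAMEs are omitted.
EXPECTED = {
    "_ldap._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs", "_ldap._tcp.DomainDnsZones", "_ldap._tcp.ForestDnsZones",
    "_gc._tcp", "_kerberos._tcp", "_kerberos._udp", "_kerberos._tcp.dc._msdcs",
    "_kpasswd._tcp", "_kpasswd._udp",
}

# Constructed zone fragment modelled on the one in the thread (one DC, one typo'd target).
ZONE = """\
$ORIGIN dominio.prueba.
server01                IN A    192.168.12.1
_ldap._tcp              SRV 0 100 389   server01
_gc._tcp                SRV 0 100 3268  server01
_kerberos._tcp          SRV 0 100 88    server01
_kpasswd._tcp           SRV 0 100 464   server01
_kerberos._udp          SRV 0 100 88    server01
_kpasswd._udp           SRV 0 100 464   server01
_ldap._tcp.dc._msdcs    SRV 0 100 389   server02
"""

# Owner name, optional class, then SRV priority weight port target (relative names assumed).
SRV_RE = re.compile(r"^(\S+)\s+(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)", re.M)
A_RE = re.compile(r"^(\S+)\s+(?:IN\s+)?A\s+\S+", re.M)


def audit_zone(zone_text):
    """Return (expected SRV names not published, SRV targets lacking an A record)."""
    srv = [(m.group(1), int(m.group(2)), m.group(3).rstrip("."))
           for m in SRV_RE.finditer(zone_text)]
    hosts = {m.group(1) for m in A_RE.finditer(zone_text)}
    present = {name for name, _, _ in srv}
    missing = sorted(EXPECTED - present)
    dangling = sorted({target for _, _, target in srv if target not in hosts})
    return missing, dangling


if __name__ == "__main__":
    missing, dangling = audit_zone(ZONE)
    print("missing SRV names:", missing)
    print("SRV targets with no A record:", dangling)
```

Group Policy Management connects to the PDC emulator by default, and clients locate it through the `_ldap._tcp.pdc._msdcs` record, so that name is worth checking first when only GPO editing is slow.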