On 2015-08-05 11:45, Rowland Penny wrote:
> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>> An example of how slow it is...
>>
>> [root@CTA1PAPAN001645 ~]# time id teste
>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>
>> real 1m15.981s
>> user 0m0.005s
>> sys 0m0.007s
>>
>> According to this documentation, if I want to use file sharing without AD
>> modifications, the only option is Winbind (idmap_rid).
>>
>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>
>> On 2015-07-31 13:19, John Yocum wrote:
>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>> What is the best way to authenticate users in an SMB4 DC on a Linux
>>>> workstation?
>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>
>>> How slow is "very slow"?
>>>
>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>> experience. You could combine nslcd with Kerberos, which also works very
>>> well. Of course both of these methods require you to have unix
>>> attributes stored in AD for your users.
>>>
>>> -- John Yocum, Systems Administrator, DEOHS
>
> You seem to have a serious problem there:
>
> rowland@ThinkPad ~/ $ time id rowland
> uid=10000(rowland) gid=10000(domain_users) groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> real 0m0.614s
> user 0m0.002s
> sys 0m0.003s
>
> Just how many users do you have?
>
> Can we see your smb.conf?
>
> This could be a network problem, have you investigated this possibility?
>
> Rowland

Around 4700 users...

[root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
[global]
workgroup = BP
realm = BP.NET
security = ads
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/BP/%U
template shell = /bin/bash
hosts allow = 192.168.
valid users = %U
interfaces = eth0
bind interfaces only = yes

[root@CTA1PAPAN001645 ~]# net ads info
LDAP server: 192.168.200.80
LDAP server name: srvsmb4-pdc.bp.net
Realm: BP.NET
Bind Path: dc=BP,dc=NET
LDAP port: 389
Server time: Qua, 05 Ago 2015 13:08:16 BRT
KDC server: 192.168.200.80
Server time offset: 0

[root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
.
--- 192.168.200.80 ping statistics ---
10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms

Normally the id command takes 20~30s; 1m15s is an extreme case.

-- 
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628
On 05/08/15 17:18, Jefferson B. Limeira wrote:
> On 2015-08-05 11:45, Rowland Penny wrote:
>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>> An example of how slow it is...
>>>
>>> [root@CTA1PAPAN001645 ~]# time id teste
>>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>>
>>> real 1m15.981s
>>> user 0m0.005s
>>> sys 0m0.007s
>>>
>>> According to this documentation, if I want to use file sharing without AD
>>> modifications, the only option is Winbind (idmap_rid).
>>>
>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>>
>>> On 2015-07-31 13:19, John Yocum wrote:
>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>> What is the best way to authenticate users in an SMB4 DC on a Linux
>>>>> workstation?
>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>
>>>> How slow is "very slow"?
>>>>
>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>> experience. You could combine nslcd with Kerberos, which also works very
>>>> well. Of course both of these methods require you to have unix
>>>> attributes stored in AD for your users.
>>>>
>>>> -- John Yocum, Systems Administrator, DEOHS
>>
>> You seem to have a serious problem there:
>>
>> rowland@ThinkPad ~/ $ time id rowland
>> uid=10000(rowland) gid=10000(domain_users) groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>>
>> real 0m0.614s
>> user 0m0.002s
>> sys 0m0.003s
>>
>> Just how many users do you have?
>>
>> Can we see your smb.conf?
>>
>> This could be a network problem, have you investigated this possibility?
>>
>> Rowland
>
> Around 4700 users...
>
> [root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
> [global]
> workgroup = BP
> realm = BP.NET
> security = ads
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> idmap config BP:backend = rid
> idmap config BP:range = 10000000-19999999
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> template homedir = /home/BP/%U
> template shell = /bin/bash
> hosts allow = 192.168.
> valid users = %U
> interfaces = eth0
> bind interfaces only = yes
>
> [root@CTA1PAPAN001645 ~]# net ads info
> LDAP server: 192.168.200.80
> LDAP server name: srvsmb4-pdc.bp.net
> Realm: BP.NET
> Bind Path: dc=BP,dc=NET
> LDAP port: 389
> Server time: Qua, 05 Ago 2015 13:08:16 BRT
> KDC server: 192.168.200.80
> Server time offset: 0
>
> [root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
> .
> --- 192.168.200.80 ping statistics ---
> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms
>
> Normally the id command takes 20~30s; 1m15s is an extreme case.

I don't know what OS you are using, but you are using the 'rid' backend and seem to be mixing up the old way of setting ranges with the new way:

idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999

I would expect something like this:

idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config BP : backend = rid
idmap config BP : range = 10000000-19999999

I do not know if this will speed things up, but it is worth trying. I would also remove the 'valid users' line, there doesn't seem to be any point to it, as it seems to allow all users.

Rowland
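As an added example (my own code, not Samba's and not from this thread), a small Python linter that applies the idmap advice above to an smb.conf [global] section: it flags the legacy 'idmap uid'/'idmap gid' keys when per-domain 'idmap config' keys are also present, requires a '*' default backend with a range, and checks that no per-domain range overlaps the default range. The two sample configurations embedded in it are constructed from the lines quoted in this thread.

```python
# Added example, not Samba code: lint the idmap keys of an smb.conf [global].
import re
IDMAP_CFG = re.compile(r"^idmap config ([^:\s]+):(\w+)$")

def parse_global(text):
    """{key: value} for [global]; key spacing collapsed so 'BP : range' == 'BP:range'."""
    settings, in_global = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            settings[key] = value.strip()
    return settings

def lint_idmap(text):
    """Findings for Rowland's mix-up: legacy keys, missing '*' default, overlaps."""
    cfg = parse_global(text)
    findings, domains = [], {}            # domain -> {"backend": .., "range": ..}
    for key, value in cfg.items():
        if m := IDMAP_CFG.match(key):
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    if domains and ("idmap uid" in cfg or "idmap gid" in cfg):
        findings.append("legacy 'idmap uid/gid' mixed with 'idmap config' keys")
    default = domains.get("*", {})
    if not {"backend", "range"} <= set(default):
        findings.append("no default 'idmap config * : backend' and 'range'")
    for name, dom in domains.items():
        if name != "*" and "range" in dom and "range" in default:
            lo, hi = map(int, dom["range"].split("-"))
            dlo, dhi = map(int, default["range"].split("-"))
            if lo <= dhi and dlo <= hi:   # closed intervals intersect
                findings.append(f"range for {name} overlaps the default range")
    return findings

THREAD_CONF = """[global]
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
"""  # constructed from the thread: Jefferson's idmap lines
FIXED_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config BP : backend = rid
idmap config BP : range = 10000000-19999999
"""  # constructed from the thread: Rowland's suggestion
```

Running lint_idmap over the thread's config reports both the legacy/new mix and the missing default backend; Rowland's version comes back clean.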
On 2015-08-05 13:38, Rowland Penny wrote:
> On 05/08/15 17:18, Jefferson B. Limeira wrote:
>> On 2015-08-05 11:45, Rowland Penny wrote:
>>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>>> An example of how slow it is...
>>>>
>>>> [root@CTA1PAPAN001645 ~]# time id teste
>>>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>>>
>>>> real 1m15.981s
>>>> user 0m0.005s
>>>> sys 0m0.007s
>>>>
>>>> According to this documentation, if I want to use file sharing without AD
>>>> modifications, the only option is Winbind (idmap_rid).
>>>>
>>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>>>
>>>> On 2015-07-31 13:19, John Yocum wrote:
>>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>>> What is the best way to authenticate users in an SMB4 DC on a Linux
>>>>>> workstation?
>>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>
>>>>> How slow is "very slow"?
>>>>>
>>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>>> experience. You could combine nslcd with Kerberos, which also works very
>>>>> well. Of course both of these methods require you to have unix
>>>>> attributes stored in AD for your users.
>>>>>
>>>>> -- John Yocum, Systems Administrator, DEOHS
>>>
>>> You seem to have a serious problem there:
>>>
>>> rowland@ThinkPad ~/ $ time id rowland
>>> uid=10000(rowland) gid=10000(domain_users) groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>>>
>>> real 0m0.614s
>>> user 0m0.002s
>>> sys 0m0.003s
>>>
>>> Just how many users do you have?
>>>
>>> Can we see your smb.conf?
>>>
>>> This could be a network problem, have you investigated this possibility?
>>>
>>> Rowland
>>
>> Around 4700 users...
>>
>> [root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
>> [global]
>> workgroup = BP
>> realm = BP.NET
>> security = ads
>> idmap uid = 10000-99999
>> idmap gid = 10000-99999
>> idmap config BP:backend = rid
>> idmap config BP:range = 10000000-19999999
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> template homedir = /home/BP/%U
>> template shell = /bin/bash
>> hosts allow = 192.168.
>> valid users = %U
>> interfaces = eth0
>> bind interfaces only = yes
>>
>> [root@CTA1PAPAN001645 ~]# net ads info
>> LDAP server: 192.168.200.80
>> LDAP server name: srvsmb4-pdc.bp.net
>> Realm: BP.NET
>> Bind Path: dc=BP,dc=NET
>> LDAP port: 389
>> Server time: Qua, 05 Ago 2015 13:08:16 BRT
>> KDC server: 192.168.200.80
>> Server time offset: 0
>>
>> [root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
>> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
>> .
>> --- 192.168.200.80 ping statistics ---
>> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
>> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms
>>
>> Normally the id command takes 20~30s; 1m15s is an extreme case.
>
> I don't know what OS you are using, but you are using the 'rid'
> backend and seem to be mixing up the old way of setting ranges with
> the new way:
>
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> idmap config BP:backend = rid
> idmap config BP:range = 10000000-19999999
>
> I would expect something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-99999
> idmap config BP : backend = rid
> idmap config BP : range = 10000000-19999999
>
> I do not know if this will speed things up, but it is worth trying. I
> would also remove the 'valid users' line, there doesn't seem to be any
> point to it, as it seems to allow all users.
>
> Rowland

I'm using CentOS 6.5 on all computers, workstations and servers. Samba 4.2.3, compiled last night.

I wrote a script that connects to some workstations and runs 'time id teste'; the result:

# ./exec.sh | grep ^real
real 0m1.944s
real 0m0.051s
real 0m1.843s
real 0m1.798s
real 0m18.236s
real 0m1.756s
real 0m1.769s
real 0m2.092s
real 0m1.952s
real 0m1.954s
real 0m17.588s
real 0m4.841s
real 1m48.618s
real 1m38.985s
real 2m1.186s
real 1m17.514s
real 1m43.024s
real 1m27.757s
real 1m29.072s

From a certain moment, all workstations have increased response times.

At this point, do you believe it is a problem with the workstation configuration?

I set log level = 9 in smb.conf and restarted winbind.

A great time gap occurred after 'getpwnam teste', between 15:40:27 and 15:41:02:

[2015/08/05 15:40:27.870746, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 22
[2015/08/05 15:41:02.906169, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2321]: request interface version
[2015/08/05 15:41:02.906332, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2321]: request location of privileged pipe
[2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 28
[2015/08/05 15:41:02.906628, 6] winbindd/winbindd.c:870(winbind_client_request_read)
  closing socket 22, client exited
[2015/08/05 15:41:02.906702, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:19.232330, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED

Sorry for my English.

-- 
[]'s
Jefferson B. Limeira
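As an added example (my own code, not Samba's and not part of this thread), a Python script that finds silences in a winbindd debug log like the one above: it parses the '[date time, level] file:line(function)' headers, reports every gap between consecutive entries longer than a threshold together with the request that was pending when the silence began, and pulls out the 'Could not convert sid ... NT_STATUS_...' failures. The sample log embedded in it is constructed from the lines quoted above.

```python
# Added example, not Samba code: find long silences between consecutive
# winbindd log entries and report which request was pending when they began.
import re
from datetime import datetime

STAMP = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), *\d+\]\s*(\S+)(.*)$")

def parse_entries(lines):
    """Return [timestamp, function, message] per entry. Samba writes the header
    '[date time, level] file:line(function)' on one line and the message on the
    next (indented); a message on the header line itself is accepted too."""
    entries = []
    for line in lines:
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            fn = re.search(r"\(([^)]+)\)", m.group(2))
            entries.append([ts, fn.group(1) if fn else m.group(2), m.group(3).strip()])
        elif entries:                        # continuation line of the message
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return entries

def find_gaps(lines, threshold_s=5.0):
    """(seconds, function, message) for each pair of consecutive entries more than
    threshold_s apart; function and message are those logged just before the gap."""
    entries = parse_entries(lines)
    return [((cur[0] - prev[0]).total_seconds(), prev[1], prev[2])
            for prev, cur in zip(entries, entries[1:])
            if (cur[0] - prev[0]).total_seconds() > threshold_s]

def sid_failures(lines):
    """(sid, ntstatus) pairs from 'Could not convert sid' messages, the failure
    that ended the slow lookup in the thread."""
    pat = re.compile(r"Could not convert sid (S-[\d-]+): (NT_STATUS_\w+)")
    hits = (pat.search(e[2]) for e in parse_entries(lines))
    return [(m.group(1), m.group(2)) for m in hits if m]

# Constructed sample, rebuilt from the log lines quoted in the thread.
SAMPLE_LOG = """\
[2015/08/05 15:40:27.870746, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 22
[2015/08/05 15:41:02.906702, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:19.232330, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED
""".splitlines()
```

On the sample, find_gaps reports the 35 s silence after the first 'getpwnam teste' and the 16 s one before the NT_STATUS_SERVER_DISABLED result; on a real log.winbindd it points at the lookup winbindd was waiting on whenever the prompt hangs.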