On 2015-08-05 13:38, Rowland Penny wrote:
> On 05/08/15 17:18, Jefferson B. Limeira wrote:
>> On 2015-08-05 11:45, Rowland Penny wrote:
>>> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>>>> An example of how slow it is...
>>>>
>>>> [root at CTA1PAPAN001645 ~]# time id teste
>>>> uid=16777232(teste) gid=16777216(domain users)
>>>> grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)
>>>>
>>>> real 1m15.981s
>>>> user 0m0.005s
>>>> sys 0m0.007s
>>>>
>>>> According to this documentation, if I want to use file sharing without AD
>>>> modifications, the only option is Winbind (idmap_rid).
>>>>
>>>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>>>
>>>> On 2015-07-31 13:19, John Yocum wrote:
>>>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>>>> What is the best way to authenticate users in SMB4 DC on Linux
>>>>>> workstation?
>>>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>>
>>>>> How slow is "very slow"?
>>>>>
>>>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>>>> experience. You could combine nslcd with Kerberos, which also works very
>>>>> well. Of course both of these methods require you to have unix
>>>>> attributes stored in AD for your users.
>>>>>
>>>>> -- John Yocum, Systems Administrator, DEOHS
>>>
>>> You seem to have a serious problem there:
>>>
>>> rowland at ThinkPad ~/ $ time id rowland
>>> uid=10000(rowland) gid=10000(domain_users)
>>> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>>> real 0m0.614s
>>> user 0m0.002s
>>> sys 0m0.003s
>>>
>>> Just how many users do you have?
>>>
>>> Can we see your smb.conf?
>>>
>>> This could be a network problem, have you investigated this possibility?
>>>
>>> Rowland
>>
>> Around 4700 users...
>>
>> [root at CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
>> [global]
>> workgroup = BP
>> realm = BP.NET
>> security = ads
>> idmap uid = 10000-99999
>> idmap gid = 10000-99999
>> idmap config BP:backend = rid
>> idmap config BP:range = 10000000-19999999
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> template homedir = /home/BP/%U
>> template shell = /bin/bash
>> hosts allow = 192.168.
>> valid users = %U
>> interfaces = eth0
>> bind interfaces only = yes
>>
>> [root at CTA1PAPAN001645 ~]# net ads info
>> LDAP server: 192.168.200.80
>> LDAP server name: srvsmb4-pdc.bp.net
>> Realm: BP.NET
>> Bind Path: dc=BP,dc=NET
>> LDAP port: 389
>> Server time: Qua, 05 Ago 2015 13:08:16 BRT
>> KDC server: 192.168.200.80
>> Server time offset: 0
>>
>> [root at CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
>> PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
>> .
>> --- 192.168.200.80 ping statistics ---
>> 10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
>> rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms
>>
>> It is normal for the id command to take 20~30s; 1m15s is an extreme case.
>
> I don't know what OS you are using, but you are using the 'rid'
> backend and seem to be mixing up the old way of setting ranges with
> the new way:
>
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> idmap config BP:backend = rid
> idmap config BP:range = 10000000-19999999
>
> I would expect something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-99999
> idmap config BP : backend = rid
> idmap config BP : range = 10000000-19999999
>
> I do not know if this will speed things up, but it is worth trying. I
> would also remove the 'valid users' line, there doesn't seem any point
> to it, as it seems to allow all users.
>
> Rowland

I'm using CentOS 6.5 on all computers, workstations and servers. Samba 4.2.3, compiled last night.

I wrote a script that connects to some workstations and runs 'time id teste'; the result:

# ./exec.sh |grep ^real
real 0m1.944s
real 0m0.051s
real 0m1.843s
real 0m1.798s
real 0m18.236s
real 0m1.756s
real 0m1.769s
real 0m2.092s
real 0m1.952s
real 0m1.954s
real 0m17.588s
real 0m4.841s
real 1m48.618s
real 1m38.985s
real 2m1.186s
real 1m17.514s
real 1m43.024s
real 1m27.757s
real 1m29.072s

From a certain moment, all workstations have increased response time.
At this moment, do you believe in a problem on workstation configuration?

I set log level = 9 in smb.conf and restarted winbind.
A great time gap occurred after 'getpwnam teste' between 15:40:27 and 15:41:02

[2015/08/05 15:40:27.870746, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 22
[2015/08/05 15:41:02.906169, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2321]: request interface version
[2015/08/05 15:41:02.906332, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2321]: request location of privileged pipe
[2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 28
[2015/08/05 15:41:02.906628, 6] winbindd/winbindd.c:870(winbind_client_request_read)
  closing socket 22, client exited
[2015/08/05 15:41:02.906702, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:19.232330, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED

Sorry for my English.

-- 
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628
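Rowland's point about the mixed idmap settings can be checked mechanically. The following is an added example (not from the thread or from Samba) that parses the [global] section of an smb.conf and flags the three things his suggested configuration fixes: legacy `idmap uid`/`idmap gid` keys mixed with `idmap config`, a missing `*` default domain, and overlapping ranges. The two sample configurations are constructed from the member-server smb.conf posted above and Rowland's replacement.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the member-server idmap settings as posted in the
# thread (legacy keys mixed with "idmap config") and Rowland's suggested form.
POSTED = """[global]
security = ads
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
"""
SUGGESTED = """[global]
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config BP : backend = rid
idmap config BP : range = 10000000-19999999
"""

def parse_global(conf: str) -> Dict[str, str]:
    """Key/value pairs of [global]; key whitespace collapsed and spaces around ':' removed."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split()))
            params[key] = value.strip()
    return params

def check_idmap(conf: str) -> List[str]:
    """Return human-readable findings about the idmap configuration (empty list = OK)."""
    params = parse_global(conf)
    findings: List[str] = []
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config ([^:]+):(\w+)", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    legacy = [k for k in ("idmap uid", "idmap gid") if k in params]
    if legacy and domains:
        findings.append("legacy %s mixed with 'idmap config' entries" % ", ".join(legacy))
    if "*" not in domains:
        findings.append("no 'idmap config * : backend' default domain for BUILTIN/unknown SIDs")
    ranges: List[Tuple[str, int, int]] = []
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            findings.append("idmap config %s is missing backend or range" % dom)
            continue
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        ranges.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):  # every domain range must be disjoint
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append("ranges for %s and %s overlap" % (d1, d2))
    return findings
```

Running `check_idmap` on the posted configuration reports the legacy-key mix and the missing default domain; Rowland's suggested form passes cleanly.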
On 05/08/15 19:55, Jefferson B. Limeira wrote:
> On 2015-08-05 13:38, Rowland Penny wrote:
>> [...]
>
> I'm using CentOS 6.5 on all computers, workstations and servers. Samba
> 4.2.3, compiled last night.
>
> I wrote a script that connects to some workstations and runs 'time id
> teste'; the result:
>
> # ./exec.sh |grep ^real
> real 0m1.944s
> real 0m0.051s
> real 0m1.843s
> real 0m1.798s
> real 0m18.236s
> real 0m1.756s
> real 0m1.769s
> real 0m2.092s
> real 0m1.952s
> real 0m1.954s
> real 0m17.588s
> real 0m4.841s
> real 1m48.618s
> real 1m38.985s
> real 2m1.186s
> real 1m17.514s
> real 1m43.024s
> real 1m27.757s
> real 1m29.072s

That is not slow, it is glacial :-)

> From a certain moment, all workstations have increased response time.
> At this moment, do you believe in a problem on workstation configuration?

There is something definitely wrong, but what?

> I set log level = 9 in smb.conf and restarted winbind.
> A great time gap occurred after 'getpwnam teste' between 15:40:27 and
> 15:41:02
>
> [2015/08/05 15:40:27.870746, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam teste
> [2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
>   accepted socket 22
> [2015/08/05 15:41:02.906169, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 2321]: request interface version
> [2015/08/05 15:41:02.906332, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 2321]: request location of privileged pipe
> [2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
>   accepted socket 28
> [2015/08/05 15:41:02.906628, 6] winbindd/winbindd.c:870(winbind_client_request_read)
>   closing socket 22, client exited
> [2015/08/05 15:41:02.906702, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam teste
> [2015/08/05 15:41:19.232330, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED

Hmm, 'S-1-5-21-3802641769-3585385758-3926675344-500' is the SID-RID for 'Administrator' and 'NT_STATUS_SERVER_DISABLED' probably means what it says.

OK, how did you compile samba?
Why did you compile samba 4.2.3, it is available from Sernet.

How are you starting samba on the various machines?
Can you post the smb.conf from the DCs and the servers etc?

Can you check that the following daemons are running:

DC: samba, smbd, winbindd
workstation or member server: smbd, nmbd, winbindd

> Sorry for my English.

Never apologise for your English, as a native English speaking person, I am honoured that you have taken the time to learn my language, I, on the other hand, do not speak any other languages.

Rowland
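Rowland spots the 35-second gap and the failed SID lookup by reading the timestamps; the following is an added example (not from the thread or from Samba) that does the same mechanically for a winbindd log at log level 9: it pairs each `[timestamp, level] file:line(function)` header with its indented message, reports every entry followed by a pause above a threshold, and pulls out any NT_STATUS failure. The embedded log is a constructed excerpt reproducing the entries Jefferson posted.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Constructed excerpt reproducing the winbindd entries posted in the thread
# (log level 9 on the workstation); each header is followed by its message line.
LOG = """\
[2015/08/05 15:40:27.870746, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:02.906043, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 22
[2015/08/05 15:41:02.906529, 6] winbindd/winbindd.c:822(new_connection)
  accepted socket 28
[2015/08/05 15:41:02.906628, 6] winbindd/winbindd.c:870(winbind_client_request_read)
  closing socket 22, client exited
[2015/08/05 15:41:02.906702, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam teste
[2015/08/05 15:41:19.232330, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3802641769-3585385758-3926675344-500: NT_STATUS_SERVER_DISABLED
"""

# Header shape: "[YYYY/MM/DD HH:MM:SS.micro, level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}), *(\d+)\] (\S+)")

def parse_entries(text: str) -> List[Tuple[datetime, int, str, str]]:
    """Return (timestamp, level, location, message) for each winbindd log entry."""
    entries: List[list] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append([ts, int(m.group(2)), m.group(3), ""])
        elif entries and line.strip():  # indented continuation belongs to the last header
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_stalls(text: str, threshold_s: float = 5.0) -> List[Tuple[float, str, str]]:
    """(gap seconds, location, message) of every entry followed by a pause >= threshold."""
    entries = parse_entries(text)
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        if gap >= threshold_s:
            stalls.append((round(gap, 3), prev[2], prev[3]))
    return stalls

def nt_status_errors(text: str) -> List[Tuple[str, str]]:
    """(NT_STATUS code, full message) for every entry that reports a failure."""
    found = []
    for _, _, _, msg in parse_entries(text):
        m = re.search(r"NT_STATUS_\w+", msg)
        if m:
            found.append((m.group(0), msg))
    return found

if __name__ == "__main__":
    for gap, where, msg in find_stalls(LOG):
        print("%7.3fs after %s: %s" % (gap, where, msg))
    for code, msg in nt_status_errors(LOG):
        print("error:", code, "-", msg)
```

On the posted excerpt both stalls sit directly after a `getpwnam teste` request, and the only failure is the SERVER_DISABLED SID conversion, which is what to correlate against the DC's own logs.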
On Wed, Aug 05, 2015 at 08:13:52PM +0100, Rowland Penny wrote:
> > # ./exec.sh |grep ^real
> > real 0m1.944s
> > real 0m0.051s
> > real 0m1.843s
> > real 0m1.798s
> > real 0m18.236s
> > real 0m1.756s
> > real 0m1.769s
> > real 0m2.092s
> > real 0m1.952s
> > real 0m1.954s
> > real 0m17.588s
> > real 0m4.841s
> > real 1m48.618s
> > real 1m38.985s
> > real 2m1.186s
> > real 1m17.514s
> > real 1m43.024s
> > real 1m27.757s
> > real 1m29.072s
>
> That is not slow, it is glacial :-)
>
> > From a certain moment, all workstations have increased response
> > time. At this moment, do you believe in a problem on workstation
> > configuration?
>
> There is something definitely wrong, but what?

I've seen "id <username>" enumerate all groups in certain circumstances. Just matching the /etc/group model of group memberships, for the /etc/group *file* you have to scan the whole thing to find the memberships. There are nss API calls to improve this for other backends, but you should make sure you're not running into that for your case.

By the way, "id <username>" is not reliable to list group memberships and can't ever be. Windows AD just does not allow winbind to list this. The *only* reliable way to figure out group memberships is to successfully log into your AD account, either with Kerberos or with NTLM. For this successfully logged in account the group memberships are precise. Nothing else will work.

I've had many discussions over this, too many. Here I'd very boldly say to "just trust me on this".

Volker

> > [...]

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
On 2015-08-05 16:13, Rowland Penny wrote:
> On 05/08/15 19:55, Jefferson B. Limeira wrote:
>> [...]
>
> Hmm, 'S-1-5-21-3802641769-3585385758-3926675344-500' is the SID-RID
> for 'Administrator' and 'NT_STATUS_SERVER_DISABLED' probably means
> what it says.
>
> OK, how did you compile samba?
> Why did you compile samba 4.2.3, it is available from Sernet.
>
> How are you starting samba on the various machines?
> Can you post the smb.conf from the DCs and the servers etc?
>
> Can you check that the following daemons are running:
>
> DC: samba, smbd, winbindd
> workstation or member server: smbd, nmbd, winbindd
>
>> Sorry for my English.
>
> Never apologise for your English, as a native English speaking person,
> I am honoured that you have taken the time to learn my language, I, on
> the other hand, do not speak any other languages.
>
> Rowland

I will try Sernet packages; is it possible to use/import my actual LDAP database?

Servers means DCs, ok? I actually have two DCs. Here is my smb.conf on a DC:

$ cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = BP
        realm = BP.NET
        netbios name = SRVSMB4-PDC
        server role = active directory domain controller
        dns forwarder = 192.168.200.1
        idmap_ldb:use rfc2307 = yes
        log level = 3

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/bp.net/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

But on workstations I have only started winbind.

-- 
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628