Frank Gruman
2005-Jun-09 18:12 UTC
[Samba] Active Directory authentication very slow (winbind/PAM)
Hello all,

SLES9
Apache 2.0.54
Samba 3.0.9-2.6-SUSE
PAM 0.77

I have been using Linux for a while on the side, and am now taking advantage of my position to try to implement a test server. I am the technical product and network lead in my department with a higher MIS group that dictates global network access. They do not want to change any of the existing ADS network to accommodate my small Linux setup, so I am not able to set up LDAP for authentication (they won't provide the ADS LDAP address or attributes).

I am trying to set up a web server to allow access to some applications I am hosting (Subversion, ViewCVS) on this server, and want the users to be able to authenticate to their ADS accounts. To get there, I have set up winbind using pam_winbind and, in Apache, mod_auth_pam.

I have Samba authenticating to a medium-sized Windows 2000 Active Directory domain (approx 5000 users). The authentication times are ranging from 15 to 30 seconds, and when trying to win acceptance for Linux as a stable server platform / file and development code repository, this performance is unacceptable to many of my peers. It is the same whether they authenticate through the Apache engine or if I add authentication to the xdm config and I log in to KDE, or even from the command line.

Anyone have any ideas or better ways of doing this?

Regards,
Frank
Gerald (Jerry) Carter
2005-Jun-10 12:55 UTC
[Samba] Active Directory authentication very slow (winbind/PAM)
Frank Gruman wrote:
| I have Samba authenticating to a medium-sized Windows
| 2000 Active Directory domain (approx 5000 users).
| The authentication times are ranging from 15 to
| 30 seconds, and when trying to win acceptance for
| Linux as a stable server platform / file and
| development code repository, this performance
| is unacceptable to many of my peers. It is the
| same whether they authenticate through the Apache
| engine or if I add authentication to the xdm config
| and I login to KDE, or even from command line.

Frank,

Use ethereal and try to determine where the lag is. Is it actually during the authentication? Is it a name resolution delay? Or is it during the getpwnam()?

cheers, jerry
Weber, Charles (NIH/NIA/IRP)
2005-Jun-14 14:49 UTC
[Samba] Active Directory authentication very slow (winbind/PAM)
We had issues with auth times until the AD structure was fixed here. It involved configuring AD sites to make sure that our auth requests went to local AD servers.

I continuously track auth times with

    time wbinfo -a username%password

just to have an idea when there are problems.

Our local AD structure that we have some control of normally takes:

    real .031s
    user .019s
    sys  .000s

Our enterprise AD with all the real user accounts that we have no control of:

    real .04 to .1 s
    user .018s
    sys  .002s

This is after it being fixed. Before, we saw real times of .04s to 20s. If you constantly get 20s times, it is basically unusable.

I found native AD to be slower so am using domain membership on FC2, samba 3.14a. My guess is that the difference between user + sys and real is the wait for the reply back from AD. I found no difference in using AD DNS or local BIND DNS in my case.

I didn't even ask about the AD added attributes but use openldap to store the SID to UID mappings. When I use wbinfo to test UID to SID resolution time, it is very quick, so I think most of my latency right now is in AD.

Chuck
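Jerry's advice to find out which step is slow (name resolution, getpwnam(), or the authentication itself) and Chuck's habit of timing `wbinfo -a` are combined below in a small diagnostic script added here as an example; it is not from the thread or from Samba. It assumes the domain controller hostname and user name are given on the command line, that `wbinfo` is on PATH, and that the `winbind` NSS module is configured so getpwnam() goes through winbindd; the 1-second threshold is an assumed value.

```python
"""Time each phase of a winbind/PAM logon separately to see where the lag is."""
import getpass
import pwd
import socket
import subprocess
import sys
import time

SLOW_SECONDS = 1.0  # assumed threshold: anything slower deserves a closer look

def time_call(fn):
    """Run fn() once; return (seconds elapsed, result or the exception raised)."""
    start = time.perf_counter()
    try:
        result = fn()
    except Exception as exc:  # keep going so the remaining phases still get timed
        result = exc
    return time.perf_counter() - start, result

def phase_report(phases):
    """phases: list of (label, callable). Returns (label, seconds, ok) rows, slowest first."""
    rows = []
    for label, fn in phases:
        secs, result = time_call(fn)
        rows.append((label, round(secs, 3), not isinstance(result, Exception)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

def slow_phases(rows, threshold=SLOW_SECONDS):
    """Rows whose elapsed time exceeds the threshold (empty list when all are fast)."""
    return [row for row in rows if row[1] > threshold]

def winbind_phases(dc_hostname, username, password):
    """The three places Jerry named, as lazy phases: nothing runs until it is timed."""
    return [
        ("name resolution of DC", lambda: socket.gethostbyname(dc_hostname)),
        ("getpwnam via NSS/winbind", lambda: pwd.getpwnam(username)),
        ("wbinfo -a authentication", lambda: subprocess.run(
            ["wbinfo", "-a", f"{username}%{password}"],  # same form Chuck times
            capture_output=True, check=True, timeout=60)),
    ]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: winbind_phases.py DC_HOSTNAME USERNAME")
    password = getpass.getpass("AD password: ")  # not on argv, so not in `ps` output
    report = phase_report(winbind_phases(sys.argv[1], sys.argv[2], password))
    for label, secs, ok in report:
        print(f"{secs:8.3f}s  {'ok ' if ok else 'ERR'}  {label}")
    for label, secs, _ in slow_phases(report):
        print(f"slow phase: {label} ({secs}s > {SLOW_SECONDS}s)")
```

Run it a few times from cron, as Chuck does with `time wbinfo -a`, and the phase that dominates tells you whether to look at DNS/site configuration, the idmap backend, or the DC itself.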