samba - Aug 2008 - connecting to shares in other subnet : slow

Greets, samba-users,

I contact this list because of a problem I face at a customer's site.

We run Samba version 3.0.28-0.6-1787-SUSE-CODE10 there on a SLES 10 SP2 
server. This server is located behind a firewall (run by me), that 
firewall allows all relevant Samba-ports through (137-139, 445).

The clients are located in a separated subnet, the routing between 
client- and server-subnet is run by an external service-provider, we 
have to trust in what they do (and say).

Connections work fine as soon as they are established, the problem is 
that the connecting itself takes way too long.

There's a small batch-script doing the "net use x: ..." and it
sometimes
takes up to half an hour (!) until the shares are connected.

connecting via telnet works fine, so routing and firewalling seems to 
work OK.

Today I narrowed things down via "smb ports = 445" but without
improvements.

Doing a "net view \\our.server.domain.tld" returns the shares 
immediately, and we also use the FQDN in the batch-script.

As soon as the shares are connected, transfers are working fine and fast.

Connections within the server-net start up immediately as well, so the 
hardware and smb.conf should be OK also afaik.

[global]
	workgroup = ROM
	map to guest = Bad User
	log level = 2
	smb ports = 445
	printcap name = cups
	logon path = \\%L\profiles\.msprofile
	logon drive = P:
	logon home = \\%L\%U\.9xprofile
	usershare allow guests = Yes
	printing = cups
	cups options = raw
	print command 	lpq command = %p
	lprm command 	include = /etc/samba/dhcp.conf

the only speciality is that we use auditing in the shares, but I don't 
think this might be the reason:

[public]
	comment = fuer alle
	path = /mnt/public
	force group = users
	read only = No
	inherit acls = Yes
	vfs objects = full_audit
	full_audit:failure = all
	full_audit:success = all
	full_audit:priority = NOTICE
	full_audit:facility = LOCAL5


The logs don't show anything suspicious, at least nothing I understand 
as problematic.

I'll be happy to provide any logs and/or tcpdumps or something if needed.

Does anyone have any pointer for me?

Thanks in advance, best regards,
Stefan

Stefan G. Weichinger schrieb:
> 
> Greets, samba-users,
> 
> I contact this list because of a problem I face at a customer's site.
> 
> We run Samba version 3.0.28-0.6-1787-SUSE-CODE10 there on a SLES 10 SP2 
> server. This server is located behind a firewall (run by me), that 
> firewall allows all relevant Samba-ports through (137-139, 445).
> 
> The clients are located in a separated subnet, the routing between 
> client- and server-subnet is run by an external service-provider, we 
> have to trust in what they do (and say).
> 
> Connections work fine as soon as they are established, the problem is 
> that the connecting itself takes way too long.
> 
> There's a small batch-script doing the "net use x: ..." and
it sometimes
> takes up to half an hour (!) until the shares are connected.
> 
> connecting via telnet works fine, so routing and firewalling seems to 
> work OK.
> 
> Today I narrowed things down via "smb ports = 445" but without 
> improvements.
> 
> Doing a "net view \\our.server.domain.tld" returns the shares 
> immediately, and we also use the FQDN in the batch-script.
> 
> As soon as the shares are connected, transfers are working fine and fast.
> 
> Connections within the server-net start up immediately as well, so the 
> hardware and smb.conf should be OK also afaik.
> 
> [global]
>     workgroup = ROM
>     map to guest = Bad User
>     log level = 2
>     smb ports = 445
>     printcap name = cups
>     logon path = \\%L\profiles\.msprofile
>     logon drive = P:
>     logon home = \\%L\%U\.9xprofile
>     usershare allow guests = Yes
>     printing = cups
>     cups options = raw
>     print command >     lpq command = %p
>     lprm command >     include = /etc/samba/dhcp.conf
I changed the stupid lines enabling roaming profiles here, don't need 
that (thanks to Dale for pointing me at this off-list).

looks like

[global]
	workgroup = ROM
	log level = 2
	log file = /var/log/samba/%U.log
	max log size = 1000
	logon path 	logon home 	usershare allow guests = Yes

I toggled "use spnego" to no and changed the calling script to specify
the workgroup of the server as well.

Seems to help a bit ...

could spnego be the problem?

Thanks, Stefan