Hi all, On Thu, Apr 16, 2015 at 03:00:49PM -0700, Jeremy Allison wrote:> On Thu, Apr 16, 2015 at 08:42:48PM +0200, Ervin Heged?s wrote: > > Dear Samba users, > > > > here is an Ubuntu 14.04, with Samba 4 (4.1.6), and LDAP (slapd > > 2.4.31). The config came from a previous system (Debian Squeezy), > > which had been crashed (HW error - on this new machine, I've put > > Ubuntu). > > > > So, as I wrote, the smb.conf and LDAP database was copied from > > the backup from the old system - but it works as well. Only one > > thing what's very annoying. The Samba is "only" a fileserver, not > > AD. Users put all files to Samba, eg. small projects for > > microcontrollers, written in C. Most user compiles the project on > > the Samba shares. The clients are Windows 7 and 8. > > > > These processes on the previous system takes about 8-10 seconds > > (of course, this is a very relative time...). On this new system, > > this compile process for some users takes still 8 seconds, but > > for some users takes 80-100 seconds. The different between the > > two groups is the "fast" group members are listed after the > > "admin users" in the smb.conf, the "slow" users aren't. > > My guess is this is to do with user lookups. "admin users" > get mapped to root, non admin users don't.I've searched away the config, I've found this: # net rpc group members administrators <EMPTY LIST> # net rpc group members "domain admins" MYDOMAIN\root MYDOMAIN\user1 MYDOMAIN\user2 MYDOMAIN\user3 but here isn't listed the user4, which listed in smb.conf, near to "admin users" option. These users above (and only these users) are members of Domain Admins group in LDAP. Why faster the Samba for users, who listed in "admin users" in smb.conf? Thanks, Ervin -- I ? UTF-8
Hello Ervin, ? On Sat, Apr 18, 2015 at 5:01 PM, Ervin Heged?s <airween at gmail.com> wrote:> > Why faster the Samba for users, who listed in "admin users" in > smb.conf?Hmm looks like earlier return for users with root permission, so admin users would not go through SMB_VFS_GET_NT_ACL(), which takes more time on permission checking.[1] Non-admin users would go through SMB_VFS_GET_NT_ACL(), and finally would reach getegid() and geteuid().[2] Hence strace said the top 2 records are getegid() and geteuid(). [1] code snippet: NTSTATUS smbd_check_access_rights(struct connection_struct *conn, ... if (!use_privs && get_current_uid(conn) == (uid_t)0) { /* I'm sorry sir, I didn't know you were root... */ DEBUG(10,("smbd_check_access_rights: root override " "on %s. Granting 0x%x\n", smb_fname_str_dbg(smb_fname), (unsigned int)access_mask )); return NT_STATUS_OK; } ... status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL), talloc_tos(), &sd); ?[2]? perf top call graph: ?1.49% libc-2.6.1.so [.] __geteuid | --- __geteuid uwrap_geteuid assert_uid set_unix_security_ctx set_sec_ctx set_root_sec_ctx smbd_become_root legacy_gid_to_sid gid_to_sid create_file_sids posix_get_nt_acl_common posix_get_nt_acl vfswrap_get_nt_acl smb_vfs_call_get_nt_acl smbd_check_access_rights 1.22% libc-2.6.1.so [.] __getegid | --- __getegid uwrap_getegid assert_gid set_unix_security_ctx set_sec_ctx set_root_sec_ctx smbd_become_root become_root pdb_default_uid_to_sid pdb_uid_to_sid legacy_uid_to_sid uid_to_sid create_file_sids posix_get_nt_acl_common posix_get_nt_acl vfswrap_get_nt_acl smb_vfs_call_get_nt_acl smbd_check_access_rights? -- Regards, Jones Syue | ??? *QNAP* Systems,Inc. <http://www.qnap.com/> ?
Hi Jones, many thanks for your reply. Yepp, I'm using ACL's (Posix ACL's) on filesystem to regulate the access of users for files and directories. Do you mean that this is the "normal" way? These geteuid and getegid system calls are so slow? On the previous system (Debian Wheezy, Samba 3) I've also used ACL's, but there were much faster than this... What should be the solution? Do you have any idea? Thanks, Ervin On Mon, Apr 20, 2015 at 10:48:37AM +0800, Jones Syue wrote:> Hello Ervin, > ? > > On Sat, Apr 18, 2015 at 5:01 PM, Ervin Heged?s <airween at gmail.com> wrote: > > > > > Why faster the Samba for users, who listed in "admin users" in > > smb.conf? > > > > Hmm looks like earlier return for users with root permission, > so admin users would not go through SMB_VFS_GET_NT_ACL(), > which takes more time on permission checking.[1] > > Non-admin users would go through SMB_VFS_GET_NT_ACL(), > and finally would reach getegid() and geteuid().[2] > > Hence strace said the top 2 records are getegid() and geteuid(). > > > [1] code snippet: > NTSTATUS smbd_check_access_rights(struct connection_struct *conn, > ... > if (!use_privs && get_current_uid(conn) == (uid_t)0) { > /* I'm sorry sir, I didn't know you were root... */ > DEBUG(10,("smbd_check_access_rights: root override " > "on %s. Granting 0x%x\n", > smb_fname_str_dbg(smb_fname), > (unsigned int)access_mask )); > return NT_STATUS_OK; > } > ... > status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, > (SECINFO_OWNER | > SECINFO_GROUP | > SECINFO_DACL), talloc_tos(), &sd); > > ?[2]? perf top call graph: > > ?1.49% libc-2.6.1.so [.] __geteuid > | > --- __geteuid > uwrap_geteuid > assert_uid > set_unix_security_ctx > set_sec_ctx > set_root_sec_ctx > smbd_become_root > legacy_gid_to_sid > gid_to_sid > create_file_sids > posix_get_nt_acl_common > posix_get_nt_acl > vfswrap_get_nt_acl > smb_vfs_call_get_nt_acl > smbd_check_access_rights > > 1.22% libc-2.6.1.so [.] __getegid > | > --- __getegid > uwrap_getegid > assert_gid > set_unix_security_ctx > set_sec_ctx > set_root_sec_ctx > smbd_become_root > become_root > pdb_default_uid_to_sid > pdb_uid_to_sid > legacy_uid_to_sid > uid_to_sid > create_file_sids > posix_get_nt_acl_common > posix_get_nt_acl > vfswrap_get_nt_acl > smb_vfs_call_get_nt_acl > smbd_check_access_rights? > > -- > Regards, > Jones Syue | ??? > *QNAP* Systems,Inc. <http://www.qnap.com/> > ?