On 2015-08-05 11:45, Rowland Penny wrote:
> On 05/08/15 15:36, Jefferson B. Limeira wrote:
>> An example of how slow it is...
>>
>> [root@CTA1PAPAN001645 ~]# time id teste
>> uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain
>> users),16777220(operacao),16777222(BUILTIN\users)
>>
>> real 1m15.981s
>> user 0m0.005s
>> sys 0m0.007s
>>
>> According to this documentation, if I want to use File Sharing without AD
>> modifications, the only option is Winbind (idmap_rid).
>>
>> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
>>
>> On 2015-07-31 13:19, John Yocum wrote:
>>> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>>>> What is the best way to authenticate users in SMB4 DC on Linux
>>>> workstation?
>>>> I'm using pam_winbind, but sometimes it's very slow...
>>>>
>>>
>>> How slow is "very slow"?
>>>
>>> That said, nslcd with LDAP over SSL works, and it's fast in my
>>> experience. You could combine nslcd with Kerberos, which also works
>>> very well. Of course both of these methods require you to have unix
>>> attributes stored in AD for your users.
>>>
>>> -- John Yocum, Systems Administrator, DEOHS
>>
>
> You seem to have a serious problem there:
>
> rowland@ThinkPad ~/ $ time id rowland
> uid=10000(rowland) gid=10000(domain_users)
> groups=10000(domain_users),24(cdrom),10001(administration),4294967295,10002(domain_admins),4294967295,2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> real 0m0.614s
> user 0m0.002s
> sys 0m0.003s
>
> Just how many users do you have?
>
> Can we see your smb.conf?
>
> This could be a network problem, have you investigated this possibility?
>
> Rowland

Around 4700 users...

[root@CTA1PAPAN001645 ~]# cat /etc/samba/smb.conf
[global]
workgroup = BP
realm = BP.NET
security = ads
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config BP:backend = rid
idmap config BP:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/BP/%U
template shell = /bin/bash
hosts allow = 192.168.
valid users = %U
interfaces = eth0
bind interfaces only = yes

[root@CTA1PAPAN001645 ~]# net ads info
LDAP server: 192.168.200.80
LDAP server name: srvsmb4-pdc.bp.net
Realm: BP.NET
Bind Path: dc=BP,dc=NET
LDAP port: 389
Server time: Qua, 05 Ago 2015 13:08:16 BRT
KDC server: 192.168.200.80
Server time offset: 0

[root@CTA1PAPAN001645 ~]# ping -f -c 10000 192.168.200.80
PING 192.168.200.80 (192.168.200.80) 56(84) bytes of data.
.
--- 192.168.200.80 ping statistics ---
10000 packets transmitted, 9999 received, 0% packet loss, time 4735ms
rtt min/avg/max/mdev = 0.254/0.410/8.855/0.139 ms, ipg/ewma 0.473/0.377 ms

It is normal for the id command to take 20~30s; 1m15s is an extreme case.
--
[]'s Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628