Chris Stankevitz
2017-Jan-31 16:59 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
I just created a windows domain. It is essentially empty except for a couple of users and a group policy related to windows update. I then configured samba to connect using ads.

net ads join took > 5 minutes - but worked fine

net ads testjoin takes ~5 minutes - shows a good join

wbinfo -u takes ~5 minutes and shows the users

During the long wbinfo pause, the log shows: "Starting GENSEC sub mechanism gse-krb5"

I'm using samba 4.2.14 on FreeBSD 10.3. Configuration files printed below and came from the samba wiki [1]. The network is not connected to the internet.

Can you tell me what is wrong?

Thank you,

Chris

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

root@nickel:~ # smbd --version
Version 4.2.14

root@nickel:~ # cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

root@nickel:~ # cat /usr/local/etc/smb4.conf
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
disable netbios = yes
idmap config * : backend = tdb
idmap config * : range = 3000-19999
username map = /usr/local/etc/user.map
log file = /var/log/samba4/log.%U
log level = 10
include = /usr/local/etc/smb4.%U.conf
store dos attributes = yes
local master = no
directory name cache size = 0
domain master = no
preferred master = no
# Workaround kqueue bug (pcbsd bug 4728, samba 11063)
kernel change notify = no
Rowland Penny
2017-Jan-31 17:22 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, 31 Jan 2017 08:59:02 -0800 Chris Stankevitz via samba <samba at lists.samba.org> wrote:
> I just created a windows domain. It is essentially empty except for a
> couple of users and a group policy related to windows update. I then
> configured samba to connect using ads.
>
> net ads join took > 5 minutes - but worked fine
>
> net ads testjoin takes ~5 minutes - shows a good join
>
> wbinfo -u takes ~5 minutes and shows the users
>
> During the long wbinfo pause, the log shows: "Starting GENSEC sub
> mechanism gse-krb5"
>
> I'm using samba 4.2.14 on FreeBSD 10.3. Configuration files printed
> below and came from the samba wiki [1]. The network is not connected
> to the internet.
>
> Can you tell me what is wrong?
>
> Thank you,
>
> Chris
>
> [1]
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> root@nickel:~ # smbd --version
> Version 4.2.14
>
> root@nickel:~ # cat /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> root@nickel:~ # cat /usr/local/etc/smb4.conf
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> disable netbios = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-19999

I know you say that you followed the wiki and I can see that the above two 'idmap config' lines were copied from the wiki, but did you miss or not understand the info directly below where the two lines came from ?

What I am trying to get at, is it obvious that you need to click on one of the links ?

I would also expect to see at least something like this:

idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Rowland
Rowland Penny
2017-Jan-31 20:36 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, 31 Jan 2017 12:06:14 -0800 Chris Stankevitz <chrisstankevitz at gmail.com> wrote:
> On Tue, Jan 31, 2017 at 9:22 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > I would also expect to see at least something like this:
> >
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
>
> Rowland,
>
> Thank you. I corrected the mistake you identified by adding a rid
> backend and range for my domain.
>
> However, some operations are still outrageously slow. For example,
> "net ads testjoin" takes 5 minutes to complete. The logs imply the
> slowdown is at or soon after "Starting GENSEC sub mechanism gse-krb5".
>
> Do you know of a way I can methodically identify the source of the
> slowdown? If not, does your instinct lead you to suspect my new samba
> setup or my new Windows Server 2012R2 domain (or perhaps my network or
> DNS)?
>
> Thank you again,
>
> Chris

That is very very slow ;-)

time net ads testjoin
Join is OK

real 0m0.476s
user 0m0.108s
sys 0m0.008s

Is the Windows AD DC running a dns server ?
Does the Unix client have the AD DC as its nameserver ?

I would also look at the ethernet cables, switches etc

Can you post your /etc/resolv.conf and /etc/hosts

It might also help if you can upgrade to a later version of Samba.

Rowland
Chris Stankevitz
2017-Jan-31 22:04 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, Jan 31, 2017 at 12:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 31 Jan 2017 12:06:14 -0800
> Chris Stankevitz <chrisstankevitz at gmail.com> wrote:
>
>> On Tue, Jan 31, 2017 at 9:22 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > I would also expect to see at least something like this:
>> >
>> > idmap config SAMDOM : backend = rid
>> > idmap config SAMDOM : range = 10000-999999
>>
>> Rowland,
>>
>> Thank you. I corrected the mistake you identified by adding a rid
>> backend and range for my domain.
>>
>> However, some operations are still outrageously slow. For example,
>> "net ads testjoin" takes 5 minutes to complete. The logs imply the
>> slowdown is at or soon after "Starting GENSEC sub mechanism gse-krb5".
>>
>> Do you know of a way I can methodically identify the source of the
>> slowdown? If not, does your instinct lead you to suspect my new samba
>> setup or my new Windows Server 2012R2 domain (or perhaps my network or
>> DNS)?
>>
>> Thank you again,
>>
>> Chris
>
> That is very very slow ;-)
>
> time net ads testjoin
> Join is OK
>
> real 0m0.476s
> user 0m0.108s
> sys 0m0.008s

Yes, I know... I have a similar setup (same version of samba, same hardware, same OS but a different windows domain on a different network) that is working fine.

>
> Is the Windows AD DC running a dns server ?
> Does the Unix client have the AD DC as its nameserver ?
>
> I would also look at the ethernet cables, switches etc
>
> Can you post your /etc/resolv.conf and /etc/hosts
>
> It might also help if you can upgrade to a later version of Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Chris Stankevitz
2017-Jan-31 22:24 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, Jan 31, 2017 at 12:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> time net ads testjoin
> Join is OK
>
> real 0m0.476s
> user 0m0.108s
> sys 0m0.008s

Yes, I know... I have a similar setup (same version of samba, same hardware, same OS but a different windows domain on a different network) that is working fine.

> Is the Windows AD DC running a dns server ?
> Does the Unix client have the AD DC as its nameserver ?

Yes and yes. If I didn't have that, I'm not sure how samba could have joined the domain given my configuration. (But I don't understand what is going on under the hood.)

> Can you post your /etc/resolv.conf and /etc/hosts

Config files posted below. But first an exciting hint: When I try to ssh into the box while samba utilities (like "net ads" and "wbinfo") are frozen -- the ssh login is also frozen until everything is released. Maybe nsswitch I fouled.

/etc/resolv.conf:

root@nickel:~ # cat /etc/resolv.conf
nameserver 192.168.11.5
nameserver 192.168.1.4
domain mydomain.local

/etc/hosts:

127.0.0.1 localhost localhost.mydomain.local
192.168.11.3 nickel.mydomain.local nickel
192.168.1.2 iron.mydomain.local iron

/etc/nsswitch.conf:

# default
#group: compat
#group_compat: nis
#passwd: compat
#passwd_compat: nis

# 20170131 samba setup
group: files winbind
passwd: files winbind

hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Thanks again,

Chris
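
One way to follow up the nameserver questions in this thread methodically, as an added example that is not part of any poster's message: the script below times the DNS SRV lookups that `dns_lookup_kdc = true` and AD DC discovery rely on, once per nameserver listed in resolv.conf. The function names, the 3-second wait and the use of host(1) are assumptions; the sample addresses are the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): time the SRV lookups used for KDC and
# DC discovery against each nameserver in a resolv.conf-style file.

# Print the nameserver addresses from the file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the SRV names an AD DNS zone registers for KDC and DC discovery.
srv_names() {
    zone=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "_kerberos._udp.$zone" "_kerberos._tcp.$zone" \
        "_kerberos._tcp.dc._msdcs.$zone" "_ldap._tcp.dc._msdcs.$zone"
}

# Build the query plan: one "nameserver srv-name" pair per line.
query_plan() {
    for ns in $(nameservers "$1"); do
        for name in $(srv_names "$2"); do
            printf '%s %s\n' "$ns" "$name"
        done
    done
}

# Run every planned query and report status and elapsed whole seconds.
# Assumes host(1) is installed; a lookup stuck in a timeout stands out.
run_plan() {
    query_plan "$1" "$2" | while read -r ns name; do
        start=$(date +%s)
        status=FAIL
        host -t SRV -W 3 "$name" "$ns" >/dev/null 2>&1 && status=ok
        printf '%s %s %s %ss\n' "$ns" "$name" "$status" "$(( $(date +%s) - start ))"
    done
}

# Usage: sh thisscript /etc/resolv.conf MYDOMAIN.LOCAL
# With no arguments, print only the plan for a constructed sample that reuses
# the nameserver lines posted in the thread (no network access).
if [ "$#" -ge 2 ]; then
    run_plan "$1" "$2"
else
    sample=$(mktemp)
    printf 'nameserver 192.168.11.5\nnameserver 192.168.1.4\n' > "$sample"
    query_plan "$sample" MYDOMAIN.LOCAL
    rm -f "$sample"
fi
```

A nameserver whose rows all show FAIL after about 3 seconds is not answering for the AD zone; the resolver tries nameservers in the order listed, so such an entry in first position delays every lookup.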