Zdravko Zdravkov
2018-Dec-06 20:08 UTC
[Samba] Samba with BIND9 DLZ affecting internet speed
Hi folks.

I've just experienced strange behaviour with our samba ad configured with bind9 dlz and our ftp server (separate machine on the same network).

In the past few days I've noticed a significant drop in the download speed from the ftp server.
As nothing obvious came to my mind I just rebooted our samba AD server.
Afterwards the speed increased about 9 times, back to what we are used to.

The ftp server uses the samba AD as dns. That's the only connection between the two machines.

I'm wondering if anyone else can report such troubles or the issue is here only.

Thanks
Andrew Bartlett
2018-Dec-06 21:26 UTC
[Samba] Samba with BIND9 DLZ affecting internet speed
On Thu, 2018-12-06 at 22:08 +0200, Zdravko Zdravkov via samba wrote:
> Hi folks.
>
> I've just experienced strange behaviour with our samba ad configured with
> bind9 dlz and our ftp server (separate machine on the same network).
>
> In the past few days I've noticed significant drop of the download speed
> from the ftp server.
> As nothing obvious came to my mind I just rebooted our samba AD server.
> Afterwards the speed increased about 9 times, back to what we are used to.
>
> The ftp server uses the samba AD as dns. That's the only connection between
> the two machines.
>
> I'm wondering if anyone else can report such troubles or the issue is here
> only.

Each DNS lookup takes the Samba DB lock, no matter what the zone. This appears to be the main issue here.

We need to cache the list of zones we have so we don't need to get the lock.

In the meantime, set your FTP server to reference a caching BIND9 that only forwards the Samba zone to the Samba DC.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
L.P.H. van Belle
2018-Dec-07 08:11 UTC
[Samba] Samba with BIND9 DLZ affecting internet speed
Hai,

As Andrew also told, set up a caching dns and forward the samba dns zones.
This works great, I use this on 2 internet connected servers.

What we (I) also want to know is your running OS and samba version.
That does help us, yes, really.. ;-)

A very simple setup for a forwarding dns.
Install bind9 on the ftp server.
Set in the named.options.

    dnssec-enable yes;
    dnssec-validation yes;
    // If you don't do any ipv6 resolving, disable dnssec since you're dropping valid records. (not advised)
    // If you do this, make sure all ipv6 things are disabled, but again not advised.
    //dnssec-enable no;
    //filter-aaaa-on-v4 yes;

    // From 9.9.5 ARM, disables interface scanning to prevent unwanted stop listening
    //interface-interval 0;

    // Listen on local interfaces only
    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };

    // MailServer optimized changes for spamassassin.
    // Improve cache timings, adjust these to your needs.
    min-cache-ttl 60;

    // Spamassassin RBL server optimization for a CACHING dns server.
    // Set in view or global, in seconds, changed to 5 min.
    // I lowered the time so RBL server changes are picked up much quicker.
    // Adjust these to your needs.
    max-cache-ttl 300;   // default 7 days.
    max-ncache-ttl 300;  // default 3 hours

    // Make sure bind does not eat all the ram. Set what you need/want.
    max-cache-size 32M;
    // Don't load empty zones, this can conflict with samba bind_dlz zones.
    empty-zones-enable no;

And add your forwarded zones. If you run this on an internet connected machine, make sure your dns requests go in the correct direction.

    // 0.1 and 0.2 are the samba-ad-dc servers.
    zone "internal.domain.tld" {
        type forward;
        forwarders { 192.168.0.1; 192.168.0.2; };
    };

    //
    zone "168.192.in-addr.arpa" {
        type forward;
        forwarders { 192.168.0.1; 192.168.0.2; };
    };
    zone "0.10.in-addr.arpa" {
        type forward;
        forwarders { 192.168.0.1; 192.168.0.2; };
    };
    // Here I forward the internet zone to the internet dns.
    // I needed this on my mail server due to my dkim/spf/dmarc/tlsa setup.
    zone "domain.tld" {
        type forward;
        forwarders { internet_dns1; internet_dns1; };
    };

And change the resolv.conf to localhost as first resolver.

What helps also, at least for me, on debian 9, to reduce the problem.

I've changed the bind9 systemd service.
Add this part, it stops bind from reloading, which helps..

    # /etc/systemd/system/bind9.service.d/override.conf
    [Service]
    ExecReload=

Samba-ad-dc does not like it when bind reloads.
This is one on my todo list to re-configure these services and link them together.
And my weekly backup stops samba and bind, for full offline backup, and starts them again.

If anyone has some spare time left, I suggest reading this.
http://alesnosek.com/blog/2016/12/04/controlling-a-multi-service-application-with-systemd/
That's the idea to help work around this problem.

In my opinion, what it should do.

samba-ad-dc should detect if bind9 is available, if it's available, start it before samba starts.
Samba-ad-dc should detect if ntp is available, if so start it before samba starts.
With a samba reload, not reload bind,
With a samba restart, restart bind first.
And stop both, but first samba.

Just these 2 changes to the samba-ad-dc services will help reducing the samba dns problem.

Greetz,

Louis
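Added example, not part of the original thread: a quick offline check of which query names a caching resolver with the forward zones above would hand to the Samba DC (and so take its DB lock) and which it would answer without touching the DC. The function names are hypothetical, the configuration string is a constructed copy of the zones from the message, and zone selection is modelled as the most specific match on label boundaries.

```python
import re

# Constructed sample: the forward zones from the message above, as they
# would sit in named.conf on the caching resolver (FTP server).
NAMED_CONF = '''
// 0.1 and 0.2 are the samba-ad-dc servers.
zone "internal.domain.tld" { type forward; forwarders { 192.168.0.1; 192.168.0.2; }; };
zone "168.192.in-addr.arpa" { type forward; forwarders { 192.168.0.1; 192.168.0.2; }; };
zone "0.10.in-addr.arpa" { type forward; forwarders { 192.168.0.1; 192.168.0.2; }; };
'''

ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{\s*type\s+forward\s*;\s*forwarders\s*\{([^}]*)\}',
    re.I)

def forward_zones(conf):
    """Return {zone: [forwarder, ...]} for every 'type forward' zone."""
    # Strip //, # and /* */ comments before matching.
    conf = re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', conf, flags=re.S)
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        addrs = [a.strip() for a in body.split(';') if a.strip()]
        zones[name.lower().rstrip('.')] = addrs
    return zones

def route(qname, zones):
    """Most specific forward zone covering qname, matched on whole labels.

    Returns (zone, forwarders), or (None, []) when no forward zone applies
    and the resolver handles the query itself.
    """
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    return None, []

def reaches_dc(qname, zones, dc_addrs=("192.168.0.1", "192.168.0.2")):
    """True if a lookup for qname would be forwarded to a Samba DC."""
    _, forwarders = route(qname, zones)
    return any(a in dc_addrs for a in forwarders)

if __name__ == "__main__":
    zones = forward_zones(NAMED_CONF)
    for q in ("dc1.internal.domain.tld", "www.example.org",
              "xinternal.domain.tld", "10.0.168.192.in-addr.arpa",
              "5.1.1.10.in-addr.arpa"):
        print(f"{q:30} -> {'Samba DC' if reaches_dc(q, zones) else 'local cache / other'}")
```

Note that `0.10.in-addr.arpa` only covers 10.0.0.0/16, so reverse lookups for other 10.x addresses are not sent to the DC with this configuration.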
Zdravko Zdravkov
2018-Dec-07 10:28 UTC
[Samba] Samba with BIND9 DLZ affecting internet speed
Hi there.

Setup is Centos 7.4 with Samba 4.7.4.

In our second office I've got configured Centos 7.5 with latest samba ad + dlz, which I've set just as Andrew suggested, using separate bind9 that forwards queries to the samba AD(dlz) for the given dns zone.
Unfortunately the office isn't operational yet, so I can't share any experience.

Best