Stefan Bauer
2021-Jul-16 06:41 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Seems that my attachment was removed. Kindly find it here please:

https://nopaste.chaoz-irc.net/view/64530586

-----Original Message-----
From: Stefan Bauer via samba <samba at lists.samba.org>
Sent: Friday 16 July 2021 08:09
To: samba at lists.samba.org
Subject: [Samba] howto optimize samba/kerberos for 20k requests per minute - help needed

Dear Samba-Users,

we have to use a very bad web-application that does around 20 million DAP/Kerberos-requests against our samba domain controller per day. That renders the system almost unusable due to the high amount of requests. Server iowait is at 20-30%.

As the web-application does not have any caching options, I'm hoping for help on this list to "optimize" the samba domain controller.

iotop reports:

Total DISK READ:         0.00 B/s | Total DISK WRITE:         2.67 M/s
Current DISK READ:       0.00 B/s | Current DISK WRITE:       2.80 M/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND
 1996 be/4 root        0.00 B/s    2.55 M/s  0.00 % 27.84 % samba: conn[kdc_tcp] c[ipv4:172.16.2.4:50400] s[ipv4:172.16.2.2:88] server_id[1996.47]
 2560 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % samba: conn[ldap] c[ipv4:172.16.2.4:55068] s[ipv4:172.16.2.2:389] server_id[2560]

172.16.2.4 is the web-application. I record around 15K kerberos request / minute with tcpdump.

Any help is greatly appreciated. samba is Version 4.10.18-Univention configuration attached.

thank you.

Kind regards,
Stefan

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
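Added example, not part of the original post: one way to break the connection rate seen with tcpdump down per client, service and minute, so the load on the KDC and on LDAP can be compared before and after a change. It assumes text output from `tcpdump -tttt -nn` captured on the DC and counts new TCP connections (SYN) to ports 88 and 389 as a proxy for request rate; the function names and the sample capture are constructed for illustration.

```python
import re
from collections import Counter

# One TCP/IPv4 packet line of `tcpdump -tttt -nn` text output.
LINE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)
SERVICES = {88: "kdc_tcp", 389: "ldap"}  # the two services in the iotop output

def new_connections(lines, dc_ip):
    """Count client SYNs (no ACK) to the DC per (minute, client, service)."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        # "S" alone is a client SYN; "S." is the server's SYN-ACK.
        if not m or m["flags"] != "S" or m["dst"] != dc_ip:
            continue
        service = SERVICES.get(int(m["dport"]))
        if service:
            counts[(m["minute"], m["src"], service)] += 1
    return counts

def peak_per_client(counts):
    """Busiest minute for each (client, service): {key: (count, minute)}."""
    peaks = {}
    for (minute, src, service), n in counts.items():
        if n > peaks.get((src, service), (0, ""))[0]:
            peaks[(src, service)] = (n, minute)
    return peaks

# Constructed sample capture (not data from the thread); 172.16.2.9 is made up.
SAMPLE = """\
2021-07-16 06:40:01.100000 IP 172.16.2.4.50400 > 172.16.2.2.88: Flags [S], seq 1, win 64240, length 0
2021-07-16 06:40:01.100200 IP 172.16.2.2.88 > 172.16.2.4.50400: Flags [S.], seq 9, ack 2, win 65160, length 0
2021-07-16 06:40:01.101000 IP 172.16.2.4.50400 > 172.16.2.2.88: Flags [P.], seq 2:1434, ack 10, win 502, length 1432
2021-07-16 06:40:02.300000 IP 172.16.2.4.50402 > 172.16.2.2.88: Flags [S], seq 5, win 64240, length 0
2021-07-16 06:40:03.000000 IP 172.16.2.4.55068 > 172.16.2.2.389: Flags [S], seq 7, win 64240, length 0
2021-07-16 06:41:00.500000 IP 172.16.2.4.50404 > 172.16.2.2.88: Flags [S], seq 3, win 64240, length 0
2021-07-16 06:41:05.000000 IP 172.16.2.9.41000 > 172.16.2.2.88: Flags [S], seq 4, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    peaks = peak_per_client(new_connections(SAMPLE, "172.16.2.2"))
    for (src, service), (n, minute) in sorted(peaks.items()):
        print(f"{src} {service}: peak {n} new connections/min at {minute}")
```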
Rowland Penny
2021-Jul-16 08:19 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
On Fri, 2021-07-16 at 06:41 +0000, Stefan Bauer via samba wrote:
> Seems that my attachment was removed. Kindly find it here please:
>
> https://nopaste.chaoz-irc.net/view/64530586

Can you try adding a standard Samba AD DC to your domain (I would suggest using Debian 10 with Louis's repo: https://apt.van-belle.nl/ ) and point your clients at that.

This will rule out all the rubbish that Univention have added.

Rowland
L.P.H. van Belle
2021-Jul-16 09:56 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
I would start here.
https://docs.software-univention.de/performance-guide-4.1.html
And run:
ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
That shows what is indexed at this moment.
You can add ldap proxy on the webserver to offload samba.
Also samba is Version 4.10.18-Univention, newer version has better performance.
There is/was a change as of 4.11
On all AD-DC's run:
samba-tool dbcheck
samba-tool dbcheck --reindex
Might help a bit also.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Friday 16 July 2021 10:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
> requests per minute - help needed
>
> On Fri, 2021-07-16 at 06:41 +0000, Stefan Bauer via samba wrote:
> > Seems that my attachment was removed. Kindly find it here please:
> >
> >
> >
> > https://nopaste.chaoz-irc.net/view/64530586
> >
>
>
> Can you try adding a standard Samba AD DC to your domain (I would
> suggest using Debian 10 with Louis's repo: https://apt.van-belle.nl/ )
> and point your clients at that.
>
> This will rule out all the rubbish that Univention have added.
>
> Rowland