L.P.H. van Belle
2021-Jul-16 09:56 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
I would start here.
https://docs.software-univention.de/performance-guide-4.1.html

And run :
ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
That shows what is indexed at this moment.

You can add ldap proxy on the webserver to offload samba.
Also samba is Version 4.10.18-Univention newer version has better performance.
There is/was a change as of 4.11

On all AD-DC's run :
samba-tool dbcheck
samba-tool dbcheck --reindex
Might help a bit also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday 16 July 2021 10:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
>
> On Fri, 2021-07-16 at 06:41 +0000, Stefan Bauer via samba wrote:
> > Seems that my attachment was removed. Kindly find it here please:
> >
> > https://nopaste.chaoz-irc.net/view/64530586
>
> Can you try adding a standard Samba AD DC to your domain (I would
> suggest using Debian 10 with Louis's repo: https://apt.van-belle.nl/ )
> and point your clients at that.
>
> This will rule out all the rubbish that Univention have added.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Stefan Bauer
2021-Jul-16 11:18 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Hi,

thanks a lot for all that input.

Almost all requests are kerberos traffic (88). I don't think that a ldap proxy can help here.

Index seems to be active for all the mandatory fields (attached below)

dbcheck only reports a few duplicates, but could not fix it:

# samba-tool dbcheck --fix
Checking 4351 objects
Not checking for missing forward links because the db has the sortedLinks feature
ERROR: Duplicate forward link values for attribute 'member' in 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
Duplicate link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Duplicate link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute 'member' in 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
Commit fixes for (missing/duplicate) forward links in attribute 'member' [y/N/all/none] all
Failed to fix duplicate links in attribute 'member' : (68, 'samldb: member CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local already set via primaryGroupID 512')
Checked 4351 objects (2 errors)

# samba-tool dbcheck --reindex
Re-indexing...
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local for index on servicePrincipalName, duplicate of objectGUID 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local for index on servicePrincipalName, duplicate of objectGUID e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
completed re-index OK

Thanks. Stefan

--------------------------------------------------------------------

# ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"
-s base -b @INDEXLIST

On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
> I would start here.
> https://docs.software-univention.de/performance-guide-4.1.html
>
> And run :
> ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
> That shows what is indexed at this moment.
>
> You can add ldap proxy on the webserver to offload samba.
> Also samba is Version 4.10.18-Univention newer version has better performance.
> There is/was a change as of 4.11
>
> On all AD-DC's run :
> samba-tool dbcheck
> samba-tool dbcheck --reindex
> Might help a bit also.
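
Added example, not part of the thread and not Samba project code: a Python triage helper for the two diagnostics discussed above. It extracts the "duplicate attribute value" warnings from `samba-tool dbcheck --reindex` output and checks an `@INDEXLIST` record for attributes a KDC account lookup would filter on. The function names, the `KDC_LOOKUP_ATTRS` list and the shortened `@INDEXLIST` sample are assumptions made for this example.

```python
import re

# Constructed sample: the two re-index warnings quoted in the thread, each
# re-joined onto one line, between the start and end status lines.
SAMPLE_REINDEX = "\n".join([
    "Re-indexing...",
    "../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in "
    "CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local "
    "for index on servicePrincipalName, duplicate of objectGUID "
    "0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME "
    "<INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER",
    "../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in "
    "CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local "
    "for index on servicePrincipalName, duplicate of objectGUID "
    "e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME "
    "<INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1",
    "completed re-index OK",
])

# Constructed, shortened @INDEXLIST record in the LDIF form ldbsearch prints.
SAMPLE_INDEXLIST = """\
# record 1
dn: @INDEXLIST
@IDXGUID: objectGUID
@IDXONE: 1
@IDXATTR: userPrincipalName
@IDXATTR: servicePrincipalName
@IDXATTR: sAMAccountName
@IDXATTR: objectSid
@IDXATTR: cn
"""

# Assumption (not stated in the thread): attributes that account lookups for
# Kerberos requests filter on, so a missing index here hurts under load.
KDC_LOOKUP_ATTRS = ("sAMAccountName", "userPrincipalName",
                    "servicePrincipalName", "objectSid")

# One warning names: the DN being indexed, the indexed attribute, the GUID
# already present in the index record, and the index key with its value.
# The "<INDEX:...>" repeat seen in the archived mail is tolerated but optional,
# and the value may itself contain ':' (an SPN with a port).
DUP_RE = re.compile(
    r"duplicate attribute value in (?P<dn>.+?) "
    r"for index on (?P<attr>[^,\s]+), "
    r"duplicate of (?P<guid_attr>\S+) (?P<guid>[0-9a-fA-F-]{36}) "
    r"in @INDEX:(?P<index>[^\s:]+)(?:\s+<INDEX:[^>]+>)?:(?P<value>.+)$"
)


def reindex_duplicates(output):
    """Return one dict per 'duplicate attribute value' warning."""
    found = []
    for line in output.splitlines():
        match = DUP_RE.search(line.strip())
        if match:
            found.append(match.groupdict())
    return found


def indexed_attributes(ldif):
    """Return the attribute names listed as @IDXATTR in an @INDEXLIST record."""
    attrs = set()
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "@IDXATTR":
            attrs.add(value.strip())
    return attrs


def missing_indexes(ldif, required=KDC_LOOKUP_ATTRS):
    """Required attributes with no index (attribute names are case-insensitive)."""
    have = {name.lower() for name in indexed_attributes(ldif)}
    return [name for name in required if name.lower() not in have]


def triage(reindex_output, indexlist_ldif, required=KDC_LOOKUP_ATTRS):
    """Combine both checks into one report."""
    dups = reindex_duplicates(reindex_output)
    return {
        "missing_indexes": missing_indexes(indexlist_ldif, required),
        "duplicates": dups,
        "objects_to_review": sorted({d["dn"] for d in dups}),
        "reindex_completed": "completed re-index OK" in reindex_output,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REINDEX, SAMPLE_INDEXLIST)
    print("missing indexes:", report["missing_indexes"] or "none")
    for dup in report["duplicates"]:
        print(f'{dup["attr"]}={dup["value"]} duplicated on {dup["dn"]}')
```

On a DC the inputs would come from the two commands in the thread, with stderr captured for the re-index run.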
L.P.H. van Belle
2021-Jul-16 13:34 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Verify if you are using Credential cache for kerberos also.

Did you give "Domain Admins" and/or Administrator an UID/GID?
Because : already set via primaryGroupID 512')
And I know we start with ID's "normally" above 10000.

For the error below.
Try : samba-tool dbcheck --cross-ncs --fix

I compared the "bad" and "good" link..
Both are exactly the same.

And if you can, upgrade to at least 4.13 or 4.14
And remove the GID from Domain Admins.
Reboot the server, check the other dc's after it's up again.
Test.
Report back.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Bauer via samba
> Sent: Friday 16 July 2021 13:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
>
> Hi,
>
> thanks a lot for all that input.
>
> Almost all requests are kerberos traffic (88). I don't think that a ldap proxy can help here.
>
> Index seems to be active for all the mandatory fields (attached below)
>
> dbcheck only reports a few duplicates, but could not fix it:
>
> # samba-tool dbcheck --fix
> Checking 4351 objects
> Not checking for missing forward links because the db has the sortedLinks feature
> ERROR: Duplicate forward link values for attribute 'member' in 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
> Duplicate link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Correct   link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Duplicate link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Correct   link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute 'member' in 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
> Commit fixes for (missing/duplicate) forward links in attribute 'member' [y/N/all/none] all
> Failed to fix duplicate links in attribute 'member' : (68, 'samldb: member CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local already set via primaryGroupID 512')
> Checked 4351 objects (2 errors)
>
> # samba-tool dbcheck --reindex
> Re-indexing...
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local for index on servicePrincipalName, duplicate of objectGUID 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local for index on servicePrincipalName, duplicate of objectGUID e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
> completed re-index OK
>
> Thanks. Stefan