L.P.H. van Belle
2021-Jul-16 13:34 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Verify if you are using Credential cache for kerberos also.

Did you give "Domain Admins" and/or Administrator a UID/GID?
Because : already set via primaryGroupID 512')
And I know we start with ID's "normally" above 10000.

For the error below. Try : samba-tool dbcheck --cross-ncs --fix
I compared the "bad" and "good" link..
Both are exactly the same.

And if you can, upgrade to at least 4.13 or 4.14
And remove the GID from Domain Admins.

Reboot the server, check the other dc's after it's up again.
Test.

Report back.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan Bauer via samba
> Sent: Friday 16 July 2021 13:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
> requests per minute - help needed
>
> Hi,
>
> thanks a lot for all that input.
>
> Almost all requests are kerberos traffic (88). I don't think that a ldap
> proxy can help here.
>
> Index seems to be active for all the mandatory fields (attached below)
>
> dbcheck only reports a few duplicates, but could not fix it:
>
> # samba-tool dbcheck --fix
> Checking 4351 objects
> Not checking for missing forward links because the db has the
> sortedLinks feature
> ERROR: Duplicate forward link values for attribute 'member' in
> 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
> Duplicate link
> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=1308
> 98974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS
> =1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LO
> CAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SI
> D=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administra
> tor_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Correct   link
> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=1308
> 98974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS
> =1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LO
> CAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SI
> D=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administra
> tor_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
> Duplicate link
> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=1298
> 87105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS
> =1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LO
> CAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SI
> D=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,
> OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=proco
> rp,DC=local'
> Correct   link
> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=1298
> 87105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS
> =1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LO
> CAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SI
> D=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,
> OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=proco
> rp,DC=local'
> RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute
> 'member' in 'CN=dom?nen-admins,CN=Users,DC=procorp,DC=local'
> Commit fixes for (missing/duplicate) forward links in
> attribute 'member'
> [y/N/all/none] all
> Failed to fix duplicate links in attribute 'member' : (68, 'samldb:
> member
> CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procor
> p,DC=local
> already set via primaryGroupID 512')
> Checked 4351 objects (2 errors)
>
> # samba-tool dbcheck --reindex
> Re-indexing...
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
> CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
> for index on servicePrincipalName, duplicate of objectGUID
> 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME
> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
> CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
> for index on servicePrincipalName, duplicate of objectGUID
> e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME
> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
> completed re-index OK
>
> Thanks. Stefan
>
> --------------------------------------------------------------------
>
> # ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
>
> On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
> > I would start here.
> > https://docs.software-univention.de/performance-guide-4.1.html
> >
> > And run :
> > ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
> > That shows what is indexed at this moment.
> >
> > You can add ldap proxy on the webserver to offload samba.
> > Also samba is Version 4.10.18-Univention newer version has better performance.
> > There is/was a change as of 4.11
> >
> > On all AD-DC's run :
> > samba-tool dbcheck
> > samba-tool dbcheck --reindex
> > Might help a bit also.
Stefan Bauer
2021-Jul-19 09:13 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Hi and thank you for your time.

We got now the confirmation that samba 4 is not supported by our
software-vendor.

Hence we will move for now to a plain ldap server.

thank you.

stefan

On 16.07.21 15:34, L.P.H. van Belle via samba wrote:
> Verify if you are using Credential cache for kerberos also.
>
> Did you give "Domain Admins" and/or Administrator a UID/GID?
> Because : already set via primaryGroupID 512')
> And I know we start with ID's "normally" above 10000.
>
> For the error below. Try : samba-tool dbcheck --cross-ncs --fix
> I compared the "bad" and "good" link..
> Both are exactly the same.
>
> And if you can, upgrade to at least 4.13 or 4.14
> And remove the GID from Domain Admins.
>
> Reboot the server, check the other dc's after it's up again.
> Test.
>
> Report back.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Stefan Bauer via samba
>> Sent: Friday 16 July 2021 13:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
>> requests per minute - help needed
>>
>> Hi,
>>
>> thanks a lot for all that input.
>>
>> Almost all requests are kerberos traffic (88). I don't think that a ldap
>> proxy can help here.
L.P.H. van Belle
2021-Jul-19 09:50 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Your software vendor? What is the software you're using?

Even if your software vendor is saying that, that still might be wrong.
It's the same with the guys of Kopano, with whom I had discussions.
These also said Samba4 and Kopano is slow and not supported.
Well, I'm running it for years, it's fast, as long as you "manually" add the corrected indexing. All fine.

Plain ldap is already in AD... AD can do the same as plain ldap.

So, verify which records are indexed.

    ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

Then first find the base DN for your setup:

    ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "" defaultNamingContext

Then edit the schema, using ldbedit, and set the searchFlags attribute to 1 on the attribute entry you want to index:
( examples, adjust with your values )

    ldbedit -H /var/lib/samba/private/sam.ldb -b CN=SCHEMA,CN=CONFIGURATION,DC=S-AD1,DC=INTERNAL,DC=DOMAIN,DC=TLD

and change :
    searchFlags: 0
to :
    searchFlags: 1

When all is done, stop samba and start samba. ( just to make sure things are ok )

Now run :

    samba-tool dbcheck --reindex    << the most important one

And one more: this might take a while, wait until it's finished.
Repeat this on all AD-DC's. << the most important one !!

Personally I reboot the AD-DC to be sure it's still fine after reboots, and as last I check the index list to see it's all applied :

    ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

I suggest you try the above, your vendor is trying to get the cheap way out here..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan Bauer via samba
> Sent: Monday 19 July 2021 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
> requests per minute - help needed
>
> Hi and thank you for your time.
>
> We got now the confirmation that samba 4 is not supported by our
> software-vendor.
>
> Hence we will move for now to a plain ldap server.
>
> thank you.
>
> stefan
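The last step of the procedure in the message above (checking @INDEXLIST after the reindex) can be scripted so it is easy to repeat on every AD-DC. This is an added example, not part of the original post and not Samba's own tooling; the function names, the sample record and the attribute exampleAppAttr are constructed for illustration.

```shell
#!/bin/sh
# Report which wanted attributes are NOT listed as @IDXATTR in the
# @INDEXLIST record. Reads ldbsearch output on stdin; the attribute
# names to check are given as arguments. LDAP attribute names are
# case-insensitive, so both sides are compared in lower case.
missing_index_attrs() {
    indexed=$(sed -n 's/^@IDXATTR:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    for attr in "$@"; do
        want=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]')
        # -x: whole-line match, -F: fixed string (no regex surprises)
        if ! printf '%s\n' "$indexed" | grep -qxF -- "$want"; then
            printf '%s\n' "$attr"
        fi
    done
}

# Constructed, shortened sample of an @INDEXLIST record (not from a real DC).
sample_indexlist() {
    cat <<'EOF'
# record 1
dn: @INDEXLIST
@IDXGUID: objectGUID
@IDXONE: 1
@IDXATTR: servicePrincipalName
@IDXATTR: sAMAccountName
@IDXATTR: uidNumber
@IDXATTR: gidNumber
distinguishedName: @INDEXLIST
EOF
}

# Run the check against the constructed sample.
check_sample() {
    sample_indexlist | missing_index_attrs "$@"
}

# On a DC, feed it the real record instead of the sample:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST \
#       | missing_index_attrs uidNumber mail
# Any name it prints still needs searchFlags: 1 and a reindex on that DC.
check_sample uidNumber SAMACCOUNTNAME exampleAppAttr
```

An empty result means every requested attribute is already in the index list on that DC.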