Stefan Bauer
2021-Jul-19 09:13 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
Hi and thank you for your time.

We got now the confirmation that samba 4 is not supported by our software-vendor.

Hence we will move for now to a plain ldap server.

thank you.

stefan

On 16.07.21 15:34, L.P.H. van Belle via samba wrote:
> Verify if you are using Credential cache for kerberos also.
>
> Did you give "Domain Admins" and/or Administrator a UID/GID?
> Because : already set via primaryGroupID 512')
> And I know we start with ID's "normally" above 10000.
>
> For the error below. Try : samba-tool dbcheck --cross-ncs --fix
> I compared the "bad" and "good" link..
> Both are exactly the same.
>
> And if you can, upgrade to at least 4.13 or 4.14
> And remove the GID from Domain Admins.
>
> Reboot the server, check the other dc's after it's up again.
> Test.
>
> Report back.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Stefan Bauer via samba
>> Sent: Friday 16 July 2021 13:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] howto optimize samba/kerberos for 20k
>> requests per minute - help needed
>>
>> Hi,
>>
>> thanks a lot for all that input.
>>
>> Almost all requests are kerberos traffic (88). I don't think
>> that an ldap proxy can help here.
>>
>> Index seems to be active for all the mandatory fields (attached below)
>>
>> dbcheck only reports a few duplicates, but could not fix it:
>>
>> # samba-tool dbcheck --fix
>> Checking 4351 objects
>> Not checking for missing forward links because the db has the
>> sortedLinks feature
>> ERROR: Duplicate forward link values for attribute 'member' in
>> 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
>> Duplicate link
>> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Correct link
>> '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Duplicate link
>> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> Correct link
>> '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
>> RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute
>> 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
>> Commit fixes for (missing/duplicate) forward links in
>> attribute 'member'
>> [y/N/all/none] all
>> Failed to fix duplicate links in attribute 'member' : (68, 'samldb: member CN=Administrator,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local already set via primaryGroupID 512')
>> Checked 4351 objects (2 errors)
>>
>>
>> # samba-tool dbcheck --reindex
>> Re-indexing...
>> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
>> CN=ADM-TKSERVER,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
>> for index on servicePrincipalName, duplicate of objectGUID
>> 0ff73729-efe9-43f6-a34e-b4f43436d0c2 in @INDEX:SERVICEPRINCIPALNAME
>> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-TKSERVER
>> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
>> CN=ADM-HYPER-V1,OU=Server,OU=Sys-Admin,OU=PROCORP,DC=PROCORP,DC=local
>> for index on servicePrincipalName, duplicate of objectGUID
>> e4b73032-97ab-4cd1-8189-9b0f29c8b87a in @INDEX:SERVICEPRINCIPALNAME
>> <INDEX:SERVICEPRINCIPALNAME>:WSMAN/ADM-HYPER-V1
>> completed re-index OK
>>
>>
>> Thanks. Stefan
>>
>> --------------------------------------------------------------------
>>
>> # ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb"
>> -s base -b @INDEXLIST
>> # record 1
>> dn: @INDEXLIST
>> @IDX_DN_GUID: GUID
>> @IDXGUID: objectGUID
>> @IDXONE: 1
>> @SAMBA_FEATURES_SUPPORTED: 1
>> @SAMDB_INDEXING_VERSION: 2
>> [list of @IDXATTR: entries omitted]
>> distinguishedName: @INDEXLIST
>>
>>
>> On 16.07.21 11:56, L.P.H. van Belle via samba wrote:
>>> I would start here.
>>> https://docs.software-univention.de/performance-guide-4.1.html
>>>
>>> And run :
>>> ldbsearch -H "$(samba -b|grep PRIVATE_DIR |awk '{ print $NF }')/sam.ldb" -s base -b @INDEXLIST
>>> That shows what is indexed at this moment.
>>>
>>> You can add ldap proxy on the webserver to offload samba.
>>> Also samba is Version 4.10.18-Univention, newer version has
>>> better performance.
>>> There is/was a change as of 4.11
>>>
>>> On all AD-DC's run :
>>> samba-tool dbcheck
>>> samba-tool dbcheck --reindex
>>> Might help a bit also.
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
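The "Duplicate link" / "Correct link" pairs in the dbcheck output quoted above carry Samba's per-link replication metadata (the `<RMD_*=...>` components) in front of the target DN. The script below is an added example, not part of the thread or of Samba's own tooling: it parses such pairs, converts the NT-time stamps to UTC and reports which metadata fields differ within each pair. The sample input is constructed from the thread's output with the mailer's line wrapping undone.

```python
"""Compare the link metadata of samba-tool dbcheck 'Duplicate/Correct link' pairs.

Added example for the samba list thread above; not Samba's own code.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the dbcheck lines from the thread, rejoined so that each
# link value sits on one line (the mailer had wrapped them).
SAMPLE = """\
ERROR: Duplicate forward link values for attribute 'member' in 'CN=domänen-admins,CN=Users,DC=procorp,DC=local'
Duplicate link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=eb4fcbe3-c57d-4747-87e4-13f00bd672b9>;<RMD_ADDTIME=130898974210000000>;<RMD_CHANGETIME=132697952890000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=22248>;<RMD_ORIGINATING_USN=22248>;<RMD_VERSION=4>;<SID=S-1-5-21-588273740-1646099605-1082013118-6194>;CN=Administrator_MS,OU=Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Duplicate link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
Correct   link '<GUID=f78c768b-20b8-4df5-bd09-08d0bfe46565>;<RMD_ADDTIME=129887105960000000>;<RMD_CHANGETIME=132697748320000000>;<RMD_FLAGS=1>;<RMD_INVOCID=d2d4c906-b197-4b44-983f-7bf6143b9d91>;<RMD_LOCAL_USN=20104>;<RMD_ORIGINATING_USN=20104>;<RMD_VERSION=2>;<SID=S-1-5-21-588273740-1646099605-1082013118-6084>;CN=sql-admin,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=procorp,DC=procorp,DC=local'
"""

ERROR_RE = re.compile(r"^ERROR: Duplicate forward link values for attribute '([^']+)' in '(.*)'$")
LINK_RE = re.compile(r"^(Duplicate|Correct)\s+link\s+'(.*)'\s*$")
COMPONENT_RE = re.compile(r"<([A-Z_]+)=([^>]*)>")

# RMD_ADDTIME / RMD_CHANGETIME are NT FILETIME values: 100 ns ticks since 1601-01-01 UTC.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def nt_time_to_datetime(ticks):
    """Convert an NT FILETIME string or int to a timezone-aware UTC datetime."""
    ticks = int(ticks)
    return NT_EPOCH + timedelta(seconds=ticks // 10_000_000,
                                microseconds=(ticks % 10_000_000) // 10)


def parse_link(value):
    """Split an extended-DN link value into ({component: value}, plain target DN).

    Components are the leading '<KEY=VAL>' fragments; whatever does not match
    that shape is the DN. Assumes the DN itself contains no ';' (true for the
    sample; an escaped ';' in an RDN would need real DN parsing).
    """
    meta, dn_parts = {}, []
    for part in value.split(";"):
        m = COMPONENT_RE.fullmatch(part)
        if m:
            meta[m.group(1)] = m.group(2)
        else:
            dn_parts.append(part)
    return meta, ";".join(dn_parts)


def diff_links(duplicate, correct):
    """Return {field: (duplicate_value, correct_value)} for every field that differs.

    The target DN is compared as the pseudo-field 'DN' so a pair that points at
    different objects is reported too, not only metadata drift.
    """
    a, dn_a = parse_link(duplicate)
    b, dn_b = parse_link(correct)
    a["DN"], b["DN"] = dn_a, dn_b
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def parse_dbcheck(text):
    """Walk dbcheck output and return one dict per Duplicate/Correct link pair."""
    pairs, attr, obj, pending = [], None, None, None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            attr, obj = m.group(1), m.group(2)   # context for the pairs that follow
            continue
        m = LINK_RE.match(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "Duplicate":
            pending = value                      # wait for its 'Correct' partner
        elif pending is not None:
            meta, target = parse_link(pending)
            pairs.append({
                "attribute": attr,
                "object": obj,
                "target": target,
                "guid": meta.get("GUID"),
                "added": nt_time_to_datetime(meta["RMD_ADDTIME"]),
                "changed": nt_time_to_datetime(meta["RMD_CHANGETIME"]),
                "differs": diff_links(pending, value),
            })
            pending = None
    return pairs


if __name__ == "__main__":
    for p in parse_dbcheck(SAMPLE):
        print(f"{p['attribute']} on {p['object']} -> {p['target']}")
        print(f"  added {p['added']:%Y-%m-%d %H:%M:%S} UTC, last change "
              f"{p['changed']:%Y-%m-%d %H:%M:%S} UTC, GUID {p['guid']}")
        if p["differs"]:
            for field, (dup, cor) in p["differs"].items():
                print(f"  {field}: duplicate={dup} correct={cor}")
        else:
            print("  duplicate and correct link values are identical")
```

Of the two pairs in the sample, only the Administrator_MS pair differs (in RMD_CHANGETIME, the two USN fields and RMD_VERSION); the sql-admin pair is identical in every component.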
Rowland Penny
2021-Jul-19 09:27 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
On Mon, 2021-07-19 at 11:13 +0200, Stefan Bauer via samba wrote:
> Hi and thank you for your time.
>
> We got now the confirmation that samba 4 is not supported by our
> software-vendor.

If I might ask, who is your software vendor and what is the software? In most cases, when a supplier says they do not support Samba 4, they do support AD.

> Hence we will move for now to a plain ldap server.

Shouldn't really matter, as long as you can get the schema, Samba can act as an ldap server.

Rowland
Stefan Kania
2021-Jul-19 09:52 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
20k per minute shouldn't be a problem for openLDAP, even 20k per second is not a problem ;-). I think the number of requests is the reason why they don't support Samba or AD.

On 19.07.21 at 11:13, Stefan Bauer via samba wrote:
> Hi and thank you for your time.
>
> We got now the confirmation that samba 4 is not supported by our
> software-vendor.
>
> Hence we will move for now to a plain ldap server.
>
> thank you.
>
>
> stefan
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html