Hello all,

I'm having an issue with Winbind and I'm not sure if it's occurring by design or not. My Samba server resides in a Windows NT domain and uses winbindd to authenticate to a mixed-mode 2003 domain over a trust relationship. Everything works the way it ought to. However, every so often my users experience delays of anywhere from 30 to 60 seconds when connecting to a share, instead of the share being instantaneously available, as is normally the case.

I've done some investigating and have found that winbindd queries WINS for a domain controller for the 2003 domain, which it finds just fine and is able to authenticate users against. However, the problem is that the server it's finding is on a different subnet, connected via a T1 WAN link. So it uses the remote server instead of a local 2003 DC, which is acting as a BDC, that resides on the same LAN as the Samba server.

Shouldn't winbindd use the local DC? Can I configure it to do so? I'm fairly convinced that authenticating over the WAN link is causing the delays I'm experiencing. Any ideas are welcome.

Thank you.

Please include my e-mail address in all replies.

Sven Ruth

On Tue, May 20, 2003 at 10:22:38AM -0400, SRuth@LANDAM.com wrote:

> I've done some investigating and have found that winbindd queries WINS for a
> domain controller for the 2003 domain, which it finds just fine and is able
> to authenticate users against. However, the problem is that the server it's
> finding is on a different subnet, connected via a T1 WAN link. So it uses
> the remote server instead of a local 2003 DC, which is acting as a BDC, that
> resides on the same LAN as the Samba server.
>
> Shouldn't winbindd use the local DC? Can I configure it to do so? I'm
> fairly convinced that authenticating over the WAN link is causing the delays
> I'm experiencing. Any ideas are welcome.

You should be able to specify which domain controller to use with the 'password server' smb.conf parameter.

When there is no password server specified winbindd should pick the "closest" domain controller. Is there anything in the logs about errors contacting closer DCs? That's the only reason I can think that the remote DC is being chosen over local ones.

Tim.
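
One way to check the reachability question raised in the reply above, as an added example that is not part of the original thread: time TCP connects from the Samba server to the SMB ports of each accounts-domain DC. The host names are hypothetical placeholders and probing ports 445 and 139 is an assumption about what the DCs expose; this measures reachability and latency only and does not reproduce winbindd's own DC selection.

```python
import socket
import time

SMB_PORTS = (445, 139)  # assumed: direct-hosted SMB and NetBIOS session service

def endpoints(host, ports=SMB_PORTS):
    """Expand one DC host into the (host, port) pairs to probe."""
    return [(host, port) for port in ports]

def probe(host, port, timeout=3.0):
    """Return the TCP connect time in milliseconds, or None if the connect fails."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:  # refused, timed out, unroutable, or name not resolvable
        return None

def rank_dcs(candidates, attempts=3, timeout=3.0):
    """Probe every endpoint of every candidate DC and rank the DCs.

    candidates maps a label to a list of (host, port) pairs.
    Returns rows of (label, best_ms or None, failed_connects), with
    reachable DCs first and the lowest connect time at the top.
    """
    rows = []
    for label, targets in candidates.items():
        samples, failures = [], 0
        for host, port in targets:
            for _ in range(attempts):
                ms = probe(host, port, timeout)
                if ms is None:
                    failures += 1
                else:
                    samples.append(ms)
        rows.append((label, min(samples) if samples else None, failures))
    rows.sort(key=lambda r: (r[1] is None, r[1] or 0.0))
    return rows

if __name__ == "__main__":
    # Hypothetical names: substitute the local BDC and the remote PDC.
    dcs = {
        "local-bdc": endpoints("bdc.example.internal"),
        "remote-pdc": endpoints("pdc.example.internal"),
    }
    for label, best, failures in rank_dcs(dcs):
        state = "unreachable" if best is None else f"{best:.1f} ms"
        print(f"{label:12} {state:>12}  failed connects: {failures}")
```

A local DC that shows failed connects or is listed as unreachable points to a connectivity problem between the Samba server and that DC rather than to the WAN link itself.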

Tim & Brent,

Thanks for responding. Unfortunately, the solution is not that simple. :)

The password server field is intended, AFAIK, for the domain that the Samba server is a member of. However, my domain structure has an accounts domain and resource domains. My Samba server is a member of a resource domain, which has a one-way trust relationship to the accounts domain. This means winbind has to contact DCs in the accounts domain to authenticate users. Therein lies the trouble, because the accounts domain has a server on the same LAN as the Samba server, but winbindd decides to use the server that resides across a WAN link. The server it decides to use is always the PDC of the accounts domain.

Just to test, I tried changing the password server field to point to the local accounts domain DC, but then Samba was unable to authenticate at all. Presumably because the Samba server does not exist in the accounts domain.

Any other ideas? :)

Sven

-----Original Message-----
From: Tim Potter [mailto:tpot@samba.org]
Sent: Tuesday, May 20, 2003 8:24 PM
To: SRuth@LANDAM.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Inefficient Winbind behavior?

On Tue, May 20, 2003 at 10:22:38AM -0400, SRuth@LANDAM.com wrote:

> I've done some investigating and have found that winbindd queries WINS for a
> domain controller for the 2003 domain, which it finds just fine and is able
> to authenticate users against. However, the problem is that the server it's
> finding is on a different subnet, connected via a T1 WAN link. So it uses
> the remote server instead of a local 2003 DC, which is acting as a BDC, that
> resides on the same LAN as the Samba server.
>
> Shouldn't winbindd use the local DC? Can I configure it to do so? I'm
> fairly convinced that authenticating over the WAN link is causing the delays
> I'm experiencing. Any ideas are welcome.

You should be able to specify which domain controller to use with the 'password server' smb.conf parameter.

When there is no password server specified winbindd should pick the "closest" domain controller. Is there anything in the logs about errors contacting closer DCs? That's the only reason I can think that the remote DC is being chosen over local ones.

Tim.

I believe you can tell when the server joins the domain what the PDC is (just make it the LOCAL BDC).... also maybe an option in smb.conf.

Sounds like the delay could be while winbind is updating. Have you done the getent passwd or getent group? How long does it take to pull through winbind?

-----Original Message-----
From: SRuth@LANDAM.com [mailto:SRuth@LANDAM.com]
Sent: Tuesday, May 13, 2003 10:51 AM
To: samba@lists.samba.org
Subject: [Samba] Inefficient Winbind behavior?

Hello all,

I'm having an issue with Winbind and I'm not sure if it's occurring by design or not. My Samba server resides in a Windows NT domain and uses winbindd to authenticate to a mixed-mode 2003 domain over a trust relationship. Everything works the way it ought to. However, every so often my users experience delays of anywhere from 30 to 60 seconds when connecting to a share, instead of the share being instantaneously available, as is normally the case.

I've done some investigating and have found that winbindd queries WINS for a domain controller for the 2003 domain, which it finds just fine and is able to authenticate users against. However, the problem is that the server it's finding is on a different subnet, connected via a T1 WAN link. So it uses the remote server instead of a local 2003 DC, which is acting as a BDC, that resides on the same LAN as the Samba server.

Shouldn't winbindd use the local DC? Can I configure it to do so? I'm fairly convinced that authenticating over the WAN link is causing the delays I'm experiencing. Any ideas are welcome.

Thank you.

Please include my e-mail address in all replies.

Sven Ruth