samba - May 2006 - Excessive traffic causing slow logons

I am seeing some extremely slow logons to my SUSE servers.  All are
configured exactly the same.  When I attempt to log on, I can enter my
domain (AD) account without any problems.  I then enter my password and
sit and wait for several minutes until it eventually takes me to my
desktop.  In attempting to debug the problem, we have been able to see
millions of calls to the domain controller.  They all look similar to
this...

 

16:19:31.943556 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 6096:6369(273) ack 7014 win 16080
<nop,nop,timestamp 89505560 7529129>

16:19:31.944886 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7014:7391(377) ack 6369 win
64170 <nop,nop,timestamp 7529129 89505560>

16:19:31.945122 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 6369:6647(278) ack 7391 win 16080
<nop,nop,timestamp 89505561 7529129>

16:19:31.946500 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7391:7778(387) ack 6647 win
65535 <nop,nop,timestamp 7529129 89505561>

16:19:31.946733 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 6647:6919(272) ack 7778 win 16080
<nop,nop,timestamp 89505563 7529129>

16:19:31.948064 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7778:8152(374) ack 6919 win
65263 <nop,nop,timestamp 7529129 89505563>

16:19:31.948298 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 6919:7194(275) ack 8152 win 16080
<nop,nop,timestamp 89505565 7529129>

16:19:31.949678 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8152:8532(380) ack 7194 win
64988 <nop,nop,timestamp 7529129 89505565>

16:19:31.949913 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 7194:7466(272) ack 8532 win 16080
<nop,nop,timestamp 89505566 7529129>

16:19:31.951244 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8532:8905(373) ack 7466 win
64716 <nop,nop,timestamp 7529129 89505566>

16:19:31.951478 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 7466:7729(263) ack 8905 win 16080
<nop,nop,timestamp 89505568 7529129>

16:19:31.953003 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8905:9186(281) ack 7729 win
64453 <nop,nop,timestamp 7529129 89505568>

16:19:31.953098 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: P 7729:7736(7) ack 9186 win 16080
<nop,nop,timestamp 89505569 7529129>

16:19:31.953117 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: F 7736:7736(0) ack 9186 win 16080
<nop,nop,timestamp 89505569 7529129>

16:19:31.953252 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 >
ustr-nadc1.na.uis.unisys.com.ldap: S 1051543388:1051543388(0) win 5840
<mss 1460,sackOK,timestamp 89505570 0,nop,wscale 0>

16:19:31.953592 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: . ack 7737 win 64446
<nop,nop,timestamp 7529129 89505569>

16:19:31.954376 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: F 9186:9186(0) ack 7737 win 64446
<nop,nop,timestamp 7529129 89505569>

16:19:31.954391 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 >
ustr-nadc1.na.uis.unisys.com.ldap: . ack 9187 win 16080
<nop,nop,timestamp 89505571 7529129>

16:19:31.954817 IP ustr-nadc1.na.uis.unisys.com.ldap >
USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696: S 702706062:702706062(0) ack
1051543389 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0
0,nop,nop,sackOK>

16:19:31.954830 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 >
ustr-nadc1.na.uis.unisys.com.ldap: . ack 1 win 5840 <nop,nop,timestamp
89505571 0>

16:19:31.954959 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 >
ustr-nadc1.na.uis.unisys.com.ldap: P 1:91(90) ack 1 win 5840
<nop,nop,timestamp 89505571 0>

 

As you can imagine, we see millions of these over the 4 to 5 minutes it
takes to log on.  On the Windows side, the domain controller does not
report any errors in the logs.  

 

I have turned the debug level of winbind up to 10 and have some very
extensive logs showing what is going on.  Unfortunately, I cannot
interpret all of this myself.  Can anyone help me with this issue?  This
issue is very quickly making us think twice about continuing to use
Samba.

 

Thanks,

Ron

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D
wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
What version of Samba ? Do you have SuSE support ? This is the
sort of thing we track down for customers....

Jeremy.

USTR-MINT-A-2:~ # rpm -qa |grep samba
samba-client-3.0.20b-3.4
yast2-samba-server-2.9.33-0.3
samba-3.0.20b-3.4
samba-pdb-3.0.20b-3.4
yast2-samba-client-2.9.17-1.3
samba-winbind-3.0.20b-3.4
kdebase3-samba-3.2.1-68.46

We do have some SuSE support, but I am not sure how far that will get me
since they will just point me back to samba.  How would you suggest I
proceed?

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org] 
Sent: Thursday, May 04, 2006 10:28 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D
wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password
and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
What version of Samba ? Do you have SuSE support ? This is the
sort of thing we track down for customers....

Jeremy.

On Thu, May 04, 2006 at 10:30:31AM -0400, Trimble, Ronald D
wrote:
> USTR-MINT-A-2:~ # rpm -qa |grep samba
> samba-client-3.0.20b-3.4
> yast2-samba-server-2.9.33-0.3
> samba-3.0.20b-3.4
> samba-pdb-3.0.20b-3.4
> yast2-samba-client-2.9.17-1.3
> samba-winbind-3.0.20b-3.4
> kdebase3-samba-3.2.1-68.46
> 
> We do have some SuSE support, but I am not sure how far that will get me
> since they will just point me back to samba.  How would you suggest I
> proceed?
No they will not. SuSE does support Samba. I know because a SuSE
logged bug will be assigned to either Gunther, Lars, or myself
:-) :-).

Jeremy.

Hi,

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D
wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
... 
> I have turned the debug level of winbind up to 10 and have some very
> extensive logs showing what is going on.  Unfortunately, I cannot
> interpret all of this myself.  Can anyone help me with this issue?
Sure, could you please send those logs (offlist if too large for the
list) and tell us a little more about your local configuration?

Guenther

-- 
G?nther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd@suse.de
Samba Team                              gd@samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20060504/a9360e91/attachment.bin

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
> 
You may want to look at the DNS/DHCP server.  If there is a 2003 DC and 
it is not the DNS/DHCP server then things can slow down.  I believe it 
is a reverse DNS issue.

-- 
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.ca

I have already gone this route.  Our DC is also a DNS server and the
entries are all there.  What's really interesting that through all of
the requests, the DC acks every single one.

-----Original Message-----
From: Gerald Drouillard [mailto:gerrylist@drouillard.ca] 
Sent: Thursday, May 04, 2006 12:53 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password
and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
> 
You may want to look at the DNS/DHCP server.  If there is a 2003 DC and 
it is not the DNS/DHCP server then things can slow down.  I believe it 
is a reverse DNS issue.

-- 
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.ca

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
> As you can imagine, we see millions of these over the 4 to 5 minutes it
> takes to log on.  On the Windows side, the domain controller does not
> report any errors in the logs.  
> 
You mention LDAP traffic but you say nothing about what the
traffic is actually doing nor do you give any details of how you
server is configured.  You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not
you have set 'winbind enum users = no' and 'winbind enum groups =
no'?
If not, then do this first.

Then it would helpful to know more about your server.
> ...  Can anyone help me with this issue?  This
> issue is very quickly making us think twice about continuing 
> to use Samba.
That's your call.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEWkJUIR7qMdg1EfYRAmwXAJ4sP/Xfo/iVNppMH7LiZDWyWR9ZWQCgzAs1
apb03AgWO5h+/NTuTZy0Bds=LeHR
-----END PGP SIGNATURE-----

Your crystal ball must be pretty good because changing the winbind enum
user and group entries to "no" did the trick.  The man page isn't
very
specific about this change.  Are they any downsides to this setting?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org] 
Sent: Thursday, May 04, 2006 2:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers.  All are
> configured exactly the same.  When I attempt to log on, I can enter my
> domain (AD) account without any problems.  I then enter my password
and
> sit and wait for several minutes until it eventually takes me to my
> desktop.  In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller.  They all look similar to
> this...
> As you can imagine, we see millions of these over the 4 to 5 minutes
it
> takes to log on.  On the Windows side, the domain controller does not
> report any errors in the logs.  
> 
You mention LDAP traffic but you say nothing about what the
traffic is actually doing nor do you give any details of how you
server is configured.  You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not
you have set 'winbind enum users = no' and 'winbind enum groups =
no'?
If not, then do this first.

Then it would helpful to know more about your server.
> ...  Can anyone help me with this issue?  This
> issue is very quickly making us think twice about continuing 
> to use Samba.
That's your call.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEWkJUIR7qMdg1EfYRAmwXAJ4sP/Xfo/iVNppMH7LiZDWyWR9ZWQCgzAs1
apb03AgWO5h+/NTuTZy0Bds=LeHR
-----END PGP SIGNATURE-----

In any event thanks for your help!

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org] 
Sent: Friday, May 05, 2006 10:54 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trimble, Ronald D wrote:
> Your crystal ball must be pretty good because changing 
> the winbind enum user and group entries to "no" did
> the trick.
I thought that might help.  Which is why are changing
the default in 3.0.23 :-)
> The man page isn't very specific about this change.
> Are they any downsides to this setting?
It disables support for setpwent()/getpwent()/endpwent()
functionality.  So apps that try to enumerate all users
or groups will break.  Running 'id user' will fail.  But
running 'id' as the user will work.  Most apps just use
getpwnam() or getgrnam() anyways.  The NSS interface
is a little too narrow for real searching.




cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEW2cKIR7qMdg1EfYRAvCPAKDQRytsJR4CCgMgjHbRMlcC/csPfQCfZvgV
oR/BWRwRwutM63DjfxW2hzE=9dHG
-----END PGP SIGNATURE-----