I am seeing some extremely slow logons to my SUSE servers. All are configured exactly the same. When I attempt to log on, I can enter my domain (AD) account without any problems. I then enter my password and sit and wait for several minutes until it eventually takes me to my desktop. In attempting to debug the problem, we have been able to see millions of calls to the domain controller. They all look similar to this...

16:19:31.943556 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6096:6369(273) ack 7014 win 16080 <nop,nop,timestamp 89505560 7529129>
16:19:31.944886 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7014:7391(377) ack 6369 win 64170 <nop,nop,timestamp 7529129 89505560>
16:19:31.945122 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6369:6647(278) ack 7391 win 16080 <nop,nop,timestamp 89505561 7529129>
16:19:31.946500 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7391:7778(387) ack 6647 win 65535 <nop,nop,timestamp 7529129 89505561>
16:19:31.946733 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6647:6919(272) ack 7778 win 16080 <nop,nop,timestamp 89505563 7529129>
16:19:31.948064 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7778:8152(374) ack 6919 win 65263 <nop,nop,timestamp 7529129 89505563>
16:19:31.948298 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6919:7194(275) ack 8152 win 16080 <nop,nop,timestamp 89505565 7529129>
16:19:31.949678 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8152:8532(380) ack 7194 win 64988 <nop,nop,timestamp 7529129 89505565>
16:19:31.949913 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7194:7466(272) ack 8532 win 16080 <nop,nop,timestamp 89505566 7529129>
16:19:31.951244 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8532:8905(373) ack 7466 win 64716 <nop,nop,timestamp 7529129 89505566>
16:19:31.951478 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7466:7729(263) ack 8905 win 16080 <nop,nop,timestamp 89505568 7529129>
16:19:31.953003 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8905:9186(281) ack 7729 win 64453 <nop,nop,timestamp 7529129 89505568>
16:19:31.953098 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7729:7736(7) ack 9186 win 16080 <nop,nop,timestamp 89505569 7529129>
16:19:31.953117 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: F 7736:7736(0) ack 9186 win 16080 <nop,nop,timestamp 89505569 7529129>
16:19:31.953252 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: S 1051543388:1051543388(0) win 5840 <mss 1460,sackOK,timestamp 89505570 0,nop,wscale 0>
16:19:31.953592 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: . ack 7737 win 64446 <nop,nop,timestamp 7529129 89505569>
16:19:31.954376 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: F 9186:9186(0) ack 7737 win 64446 <nop,nop,timestamp 7529129 89505569>
16:19:31.954391 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 9187 win 16080 <nop,nop,timestamp 89505571 7529129>
16:19:31.954817 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696: S 702706062:702706062(0) ack 1051543389 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
16:19:31.954830 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 1 win 5840 <nop,nop,timestamp 89505571 0>
16:19:31.954959 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: P 1:91(90) ack 1 win 5840 <nop,nop,timestamp 89505571 0>

As you can imagine, we see millions of these over the 4 to 5 minutes it takes to log on. On the Windows side, the domain controller does not report any errors in the logs.

I have turned the debug level of winbind up to 10 and have some very extensive logs showing what is going on. Unfortunately, I cannot interpret all of this myself. Can anyone help me with this issue? This issue is very quickly making us think twice about continuing to use Samba.

Thanks,
Ron

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...

What version of Samba ? Do you have SuSE support ? This is the sort of thing we track down for customers....

Jeremy.

USTR-MINT-A-2:~ # rpm -qa |grep samba
samba-client-3.0.20b-3.4
yast2-samba-server-2.9.33-0.3
samba-3.0.20b-3.4
samba-pdb-3.0.20b-3.4
yast2-samba-client-2.9.17-1.3
samba-winbind-3.0.20b-3.4
kdebase3-samba-3.2.1-68.46

We do have some SuSE support, but I am not sure how far that will get me since they will just point me back to samba. How would you suggest I proceed?

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Thursday, May 04, 2006 10:28 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...

What version of Samba ? Do you have SuSE support ? This is the sort of thing we track down for customers....

Jeremy.

On Thu, May 04, 2006 at 10:30:31AM -0400, Trimble, Ronald D wrote:
> USTR-MINT-A-2:~ # rpm -qa |grep samba
> samba-client-3.0.20b-3.4
> yast2-samba-server-2.9.33-0.3
> samba-3.0.20b-3.4
> samba-pdb-3.0.20b-3.4
> yast2-samba-client-2.9.17-1.3
> samba-winbind-3.0.20b-3.4
> kdebase3-samba-3.2.1-68.46
>
> We do have some SuSE support, but I am not sure how far that will get me
> since they will just point me back to samba. How would you suggest I
> proceed?

No they will not. SuSE does support Samba. I know because a SuSE logged bug will be assigned to either Gunther, Lars, or myself :-) :-).

Jeremy.

Hi,

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...

...

> I have turned the debug level of winbind up to 10 and have some very
> extensive logs showing what is going on. Unfortunately, I cannot
> interpret all of this myself. Can anyone help me with this issue?

Sure, could you please send those logs (offlist if too large for the list) and tell us a little more about your local configuration?

Guenther
--
Günther Deschner            GPG-ID: 8EE11688
Novell / SUSE LINUX         gd@suse.de
Samba Team                  gd@samba.org

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
>

You may want to look at the DNS/DHCP server. If there is a 2003 DC and it is not the DNS/DHCP server then things can slow down. I believe it is a reverse DNS issue.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.ca

I have already gone this route. Our DC is also a DNS server and the entries are all there. What's really interesting is that through all of the requests, the DC acks every single one.

-----Original Message-----
From: Gerald Drouillard [mailto:gerrylist@drouillard.ca]
Sent: Thursday, May 04, 2006 12:53 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
>

You may want to look at the DNS/DHCP server. If there is a 2003 DC and it is not the DNS/DHCP server then things can slow down. I believe it is a reverse DNS issue.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.ca

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
> As you can imagine, we see millions of these over the 4 to 5 minutes it
> takes to log on. On the Windows side, the domain controller does not
> report any errors in the logs.
>

You mention LDAP traffic but you say nothing about what the traffic is actually doing nor do you give any details of how your server is configured. You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not you have set 'winbind enum users = no' and 'winbind enum groups = no'? If not, then do this first. Then it would be helpful to know more about your server.

> ... Can anyone help me with this issue? This
> issue is very quickly making us think twice about continuing
> to use Samba.

That's your call.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

Your crystal ball must be pretty good because changing the winbind enum user and group entries to "no" did the trick. The man page isn't very specific about this change. Are there any downsides to this setting?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Thursday, May 04, 2006 2:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
> As you can imagine, we see millions of these over the 4 to 5 minutes it
> takes to log on. On the Windows side, the domain controller does not
> report any errors in the logs.
>

You mention LDAP traffic but you say nothing about what the traffic is actually doing nor do you give any details of how your server is configured. You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not you have set 'winbind enum users = no' and 'winbind enum groups = no'? If not, then do this first. Then it would be helpful to know more about your server.

> ... Can anyone help me with this issue? This
> issue is very quickly making us think twice about continuing
> to use Samba.

That's your call.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

In any event thanks for your help!

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Friday, May 05, 2006 10:54 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> Your crystal ball must be pretty good because changing
> the winbind enum user and group entries to "no" did
> the trick.

I thought that might help. Which is why we are changing the default in 3.0.23 :-)

> The man page isn't very specific about this change.
> Are there any downsides to this setting?

It disables support for setpwent()/getpwent()/endpwent() functionality. So apps that try to enumerate all users or groups will break. Running 'id user' will fail. But running 'id' as the user will work.

Most apps just use getpwnam() or getgrnam() anyways. The NSS interface is a little too narrow for real searching.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

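The two NSS access patterns contrasted in the last message, as an added example that is not part of the original thread: a C program that runs the full setpwent()/getpwent()/endpwent() walk governed by 'winbind enum users' and the single getpwnam() query, and times each. The function names enumerate_users and lookup_user and the default account name "root" are assumptions; pass a domain account as the first argument on a winbind host.

```c
#define _DEFAULT_SOURCE 1   /* expose getpwent() and clock_gettime() under strict -std */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Full walk of the passwd database through NSS. With winbind in
 * nsswitch.conf and "winbind enum users = yes" the walk pulls in every
 * domain account; with "no", winbind adds nothing to it.
 * Returns the entry count; *seen is set to 1 if `name` was in the walk. */
long enumerate_users(const char *name, int *seen)
{
    struct passwd *pw;
    long n = 0;

    *seen = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        n++;
        if (strcmp(pw->pw_name, name) == 0)
            *seen = 1;
    }
    endpwent();
    return n;
}

/* One targeted NSS query by name. Returns 1 and fills *uid if found. */
int lookup_user(const char *name, uid_t *uid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;
    *uid = pw->pw_uid;
    return 1;
}

static double now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";  /* assumed default account */
    int seen, ok;
    uid_t uid = 0;
    double t0 = now();
    long n = enumerate_users(name, &seen);
    double t1 = now();
    ok = lookup_user(name, &uid);
    printf("walk: %ld entries, %s %s, %.3fs\n", n, name, seen ? "listed" : "not listed", t1 - t0);
    printf("getpwnam: %s, %.3fs\n", ok ? "found" : "not found", now() - t1);
    return 0;
}
```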