samba - Feb 2016 - Problems after migration from samba 3.5.2 to samba 4.3.1

Hello,


3 months ago, I migrated my domain from samba 3.5.2 (NT4 with LDAP) to
samba 4.3.1 (compiled from source) following classic upgrade instructions
on wiki page. The samba 4.3.1 is using Samba Internal DNS.

20.000 users and 2.800 computers were migrated.

After the migration process, I joined 1 new DC server and 2 File Servers to
domain.

All users can login on domain, but we have some issues.


1 – “wbinfo -u” doesn't show users, but “wbinfo -g” show groups normally

2 – On DC servers, samba process listen ports 135 and 1024 is using 100% of
CPU

3 – On DC servers, samba process listen ports 464 and 88 are using ~ 50% of
CPU

4 – On File Servers, run a “ls -l” on directories with user/groups
permissions from domain is very slow

5 – Sometimes, file servers lost connections to winbind process.

wbinfo -t

checking the trust secret for domain UEL.BR via RPC calls failed

failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE

Could not check secret


I have tried to find wath is wrong, but not found the solution yet.


Can someone help me ?

On 15/02/16 12:40, Fernando Favero wrote:
> Hello,
>
>
> 3 months ago, I migrated my domain from samba 3.5.2 (NT4 with LDAP) to
> samba 4.3.1 (compiled from source) following classic upgrade instructions
> on wiki page. The samba 4.3.1 is using Samba Internal DNS.
>
> 20.000 users and 2.800 computers were migrated.
>
> After the migration process, I joined 1 new DC server and 2 File Servers to
> domain.
>
> All users can login on domain, but we have some issues.
>
>
> 1 – “wbinfo -u” doesn't show users, but “wbinfo -g” show groups
normally
>
> 2 – On DC servers, samba process listen ports 135 and 1024 is using 100% of
> CPU
>
> 3 – On DC servers, samba process listen ports 464 and 88 are using ~ 50% of
> CPU
>
> 4 – On File Servers, run a “ls -l” on directories with user/groups
> permissions from domain is very slow
>
> 5 – Sometimes, file servers lost connections to winbind process.
>
> wbinfo -t
>
> checking the trust secret for domain UEL.BR via RPC calls failed
>
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>
> Could not check secret
>
>
> I have tried to find wath is wrong, but not found the solution yet.
>
>
> Can someone help me ?
We can certainly try, but it will probably help if you can post your 
smb.conf files from the various Samba machines.

Rowland

My smb.conf files.
The OS is a CentOS 7

DC Server 1
-------------------------------
[global]
        workgroup = EXAMPLE.COM
        realm = campus.example.com
        netbios name = DC-SERVER1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 8.8.8.8
        dsdb:schema update allowed = true
        winbind max clients = 2000
        bind interfaces only = yes
        interfaces = eth0

        log file = /var/log/samba/%m.log
        log level = 1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


DC Server 2
-------------------------------
[global]
        workgroup = EXAMPLE.COM
        realm = campus.example.com
        netbios name = DC-SERVER2
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 8.8.8.8
        dsdb:schema update allowed = true
        winbind max clients = 2000
        bind interfaces only = yes
        interfaces = eth0

        log file = /var/log/samba/%m.log
        log level = 1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


FileServer1
-------------------------------
[global]
        netbios name = FileServer1
        server string = FileServer1
        security = ADS
        workgroup = EXAMPLE.COM
        realm = CAMPUS.EXAMPLE.COM
        bind interfaces only = yes
        interfaces = lo eth0
        winbind request timeout = 90

        log file = /var/log/samba/%m.log
        log level = 1

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind max clients = 2000

        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes

        idmap config *:backend = tdb
        idmap config *:range = 1000-50000

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        acl allow execute always = true


FileServer2
-------------------------------
[global]
        netbios name = FileServer2
        server string = FileServer2
        security = ADS
        workgroup = EXAMPLE.COM
        realm = CAMPUS.EXAMPLE.COM
        bind interfaces only = yes
        interfaces = lo eth0
        winbind request timeout = 90

        log file = /var/log/samba/%m.log
        log level = 1

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind max clients = 2000


        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes

        idmap config *:backend = tdb
        idmap config *:range = 1000-50000

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        acl allow execute always = true


On Mon, Feb 15, 2016 at 11:13 AM, Rowland penny <rpenny at samba.org>
wrote:
> On 15/02/16 12:40, Fernando Favero wrote:
>
>> Hello,
>>
>>
>> 3 months ago, I migrated my domain from samba 3.5.2 (NT4 with LDAP) to
>> samba 4.3.1 (compiled from source) following classic upgrade
instructions
>> on wiki page. The samba 4.3.1 is using Samba Internal DNS.
>>
>> 20.000 users and 2.800 computers were migrated.
>>
>> After the migration process, I joined 1 new DC server and 2 File
Servers
>> to
>> domain.
>>
>> All users can login on domain, but we have some issues.
>>
>>
>> 1 – “wbinfo -u” doesn't show users, but “wbinfo -g” show groups
normally
>>
>> 2 – On DC servers, samba process listen ports 135 and 1024 is using
100%
>> of
>> CPU
>>
>> 3 – On DC servers, samba process listen ports 464 and 88 are using ~
50%
>> of
>> CPU
>>
>> 4 – On File Servers, run a “ls -l” on directories with user/groups
>> permissions from domain is very slow
>>
>> 5 – Sometimes, file servers lost connections to winbind process.
>>
>> wbinfo -t
>>
>> checking the trust secret for domain UEL.BR via RPC calls failed
>>
>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>>
>> Could not check secret
>>
>>
>> I have tried to find wath is wrong, but not found the solution yet.
>>
>>
>> Can someone help me ?
>>
>
> We can certainly try, but it will probably help if you can post your
> smb.conf files from the various Samba machines.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>