Chris Stankevitz
2017-Jan-31  16:59 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
I just created a windows domain. It is essentially empty except for a
couple of users and a group policy related to windows update.  I then
configured samba to connect using ads.

net ads join took > 5 minutes - but worked fine

net ads testjoin takes ~5 minutes - shows a good join

wbinfo -u takes ~5 minutes and shows the users

During the long wbinfo pause, the log shows:  "Starting GENSEC sub
mechanism gse-krb5"

I'm using samba 4.2.14 on FreeBSD 10.3.  Configuration files are printed
below and came from the samba wiki [1]. The network is not connected
to the internet.

Can you tell me what is wrong?

Thank you,

Chris

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

root@nickel:~ # smbd --version
Version 4.2.14
root@nickel:~ # cat /etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
root@nickel:~ # cat /usr/local/etc/smb4.conf
[global]
  security = ADS
  workgroup = MYDOMAIN
  realm = MYDOMAIN.LOCAL
  disable netbios = yes
  idmap config * : backend = tdb
  idmap config * : range = 3000-19999
  username map = /usr/local/etc/user.map
  log file = /var/log/samba4/log.%U
  log level = 10
  include = /usr/local/etc/smb4.%U.conf
  store dos attributes = yes
  local master = no
  directory name cache size = 0
  domain master = no
  preferred master = no
  # Workaround kqueue bug (pcbsd bug 4728, samba 11063)
  kernel change notify = no
Rowland Penny
2017-Jan-31  17:22 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, 31 Jan 2017 08:59:02 -0800 Chris Stankevitz via samba <samba at lists.samba.org> wrote:

> I just created a windows domain. it is essentially empty except for a
> couple of users and an group policy related to windows update.  I then
> configured samba to connect using ads.
>
> net ads join took > 5 minutes - but worked fine
>
> net ads testjoin takes ~5 minutes - shows a good join
>
> wbinfo -u takes ~5 minutes and shows the users
>
> During the long wbinfo pause, the log show:  "Starting GENSEC sub
> mechanism gse-krb5"
>
> I'm using samba 4.2.14 on FreeBSD 10.3.  Configuration files printed
> below and came from the samba wiki [1]. The network is not connected
> to the internet.
>
> Can you tell me what is wrong?
>
> Thank you,
>
> Chris
>
> [1]
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> root@nickel:~ # smbd --version
> Version 4.2.14
>
> root@nickel:~ # cat /etc/krb5.conf
> [libdefaults]
>         default_realm = MYDOMAIN.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> root@nickel:~ # cat /usr/local/etc/smb4.conf
> [global]
>   security = ADS
>   workgroup = MYDOMAIN
>   realm = MYDOMAIN.LOCAL
>   disable netbios = yes
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-19999

I know you say that you followed the wiki and I can see that the above
two 'idmap config' lines were copied from the wiki, but did you miss or
not understand the info directly below where the two lines came from ?
What I am trying to get at, is it obvious that you need to click on one
of the links ?

I would also expect to see at least something like this:

  idmap config SAMDOM : backend = rid
  idmap config SAMDOM : range = 10000-999999

Rowland

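The 'idmap config' lines discussed above decide which Unix IDs domain accounts receive, and Samba requires that the ranges of different idmap domains do not overlap, otherwise two accounts can end up sharing a uid or gid. The following is an added example, not part of the thread or of Samba: a small checker run over a constructed smb.conf fragment that combines the '*' lines from the first post with the SAMDOM example lines from the reply; the function names are illustrative.

```python
import re
from itertools import combinations

# Constructed sample: the default-domain lines from the first post combined
# with the SAMDOM example lines from the reply (SAMDOM is a placeholder name).
SAMPLE_CONF = """\
[global]
  security = ADS
  idmap config * : backend = tdb
  idmap config * : range = 3000-19999
  idmap config SAMDOM : backend = rid
  idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' is stored as (low, high)."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if option == "range":
            low, high = (int(part) for part in value.split("-", 1))
            value = (low, high)
        domains.setdefault(domain, {})[option] = value
    return domains

def check_idmap(conf_text):
    """Return findings as strings; an empty list means nothing was flagged."""
    domains = sorted(parse_idmap(conf_text).items())
    findings = [f"{name}: needs both a backend and a range"
                for name, opts in domains
                if "backend" not in opts or "range" not in opts]
    ranged = [(name, opts["range"]) for name, opts in domains if "range" in opts]
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        if alo <= bhi and blo <= ahi:               # closed intervals intersect
            findings.append(
                f"{a} and {b} overlap on {max(alo, blo)}-{min(ahi, bhi)}")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_CONF) or ["no idmap problems flagged"]:
        print(finding)
```

On the constructed sample the checker flags the '*' and SAMDOM ranges as overlapping; narrowing the '*' range so that it ends below the domain range clears the finding.
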
Rowland Penny
2017-Jan-31  20:36 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, 31 Jan 2017 12:06:14 -0800 Chris Stankevitz <chrisstankevitz at gmail.com> wrote:

> On Tue, Jan 31, 2017 at 9:22 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > I would also expect to see at least something like this:
> >
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
>
> Rowland,
>
> Thank you.  I corrected the mistake you identified by adding a rid
> backend and range for my domain.
>
> However, some operations are still outrageously slow.  For example,
> "net ads testjoin" takes 5 minutes to complete.  The logs imply the
> slowdown is at or soon after "Starting GENSEC sub mechanism gse-krb5".
>
> Do you know of a way I can methodically identify the source of the
> slowdown?  If not, does your instinct lead you to suspect my new samba
> setup or my new Windows Server 2012R2 domain (or perhaps my network or
> DNS)?
>
> Thank you again,
>
> Chris

That is very very slow ;-)

time net ads testjoin
Join is OK

real 0m0.476s
user 0m0.108s
sys 0m0.008s

Is the Windows AD DC running a dns server ?
Does the Unix client have the AD DC as its nameserver ?

I would also look at the ethernet cables, switches etc

Can you post your /etc/resolv.conf and /etc/hosts

It might also help if you can upgrade to a later version of Samba.

Rowland

Chris Stankevitz
2017-Jan-31  22:04 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, Jan 31, 2017 at 12:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 31 Jan 2017 12:06:14 -0800
> Chris Stankevitz <chrisstankevitz at gmail.com> wrote:
>
>> On Tue, Jan 31, 2017 at 9:22 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > I would also expect to see at least something like this:
>> >
>> > idmap config SAMDOM : backend = rid
>> > idmap config SAMDOM : range = 10000-999999
>>
>> Rowland,
>>
>> Thank you.  I corrected the mistake you identified by adding a rid
>> backend and range for my domain.
>>
>> However, some operations are still outrageously slow.  For example,
>> "net ads testjoin" takes 5 minutes to complete.  The logs imply the
>> slowdown is at or soon after "Starting GENSEC sub mechanism gse-krb5".
>>
>> Do you know of a way I can methodically identify the source of the
>> slowdown?  If not, does your instinct lead you to suspect my new samba
>> setup or my new Windows Server 2012R2 domain (or perhaps my network or
>> DNS)?
>>
>> Thank you again,
>>
>> Chris
>
> That is very very slow ;-)
>
> time net ads testjoin
> Join is OK
>
> real 0m0.476s
> user 0m0.108s
> sys 0m0.008s

Yes, I know...  I have a similar setup (same version of samba, same
hardware, same OS but a different windows domain on a different
network) that is working fine.

> Is the Windows AD DC running a dns server ?
> Does the Unix client have the AD DC as its nameserver ?
>
> I would also look at the ethernet cables, switches etc
>
> Can you post your /etc/resolv.conf and /etc/hosts
>
> It might also help if you can upgrade to a later version of Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Chris Stankevitz
2017-Jan-31  22:24 UTC
[Samba] net ads and wbinfo are painfully slow -- but they work
On Tue, Jan 31, 2017 at 12:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> time net ads testjoin
> Join is OK
>
> real 0m0.476s
> user 0m0.108s
> sys 0m0.008s

Yes, I know...  I have a similar setup (same version of samba, same
hardware, same OS but a different windows domain on a different
network) that is working fine.

> Is the Windows AD DC running a dns server ?
> Does the Unix client have the AD DC as its nameserver ?

Yes and yes.  If I didn't have that, I'm not sure how samba could have
joined the domain given my configuration.  (But I don't understand
what is going on under the hood.)

> Can you post your /etc/resolv.conf and /etc/hosts

Config files posted below.  But first an exciting hint: When I try to
ssh into the box while samba utilities (like "net ads" and "wbinfo")
are frozen -- the ssh login is also frozen until everything is
released.  Maybe nsswitch I fouled.

/etc/resolv.conf:

root@nickel:~ # cat /etc/resolv.conf
nameserver 192.168.11.5
nameserver 192.168.1.4
domain mydomain.local

/etc/hosts:

127.0.0.1 localhost localhost.mydomain.local
192.168.11.3 nickel.mydomain.local nickel
192.168.1.2 iron.mydomain.local iron

/etc/nsswitch.conf:

# default
#group: compat
#group_compat: nis
#passwd: compat
#passwd_compat: nis

# 20170131 samba setup
group: files winbind
passwd: files winbind

hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Thanks again,

Chris