samba - Feb 2017 - net ads and wbinfo are painfully slow -- but they work

On Tue, Jan 31, 2017 at 2:45 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
>> /etc/resolv.conf:
>> root at nickel:~ # cat /etc/resolv.conf
>> nameserver 192.168.11.5
>> nameserver 192.168.1.4
>> domain mydomain.local
>>
>
> I take it at least one of the above nameservers is the AD DC, is the
> other another AD DC ? If it isn't, then remove it. If they are both
> DCs, try changing the order.
They are both DCs.  I will try changing the order.  Is it possible for
me to restrict winbindd so that it attempt to only contact one of the
two DCs?  Once DC is local and another DC is remote (goes through a
firewall and is 80 ms ping time away).
> I would also change the 'domain mydomain.local' to 'search
> mydomain.local'
I will try.
> Is a firewall getting in the way ?
Possibly.  Winbind seems to prefer using the DC that is through a
firewall (see my comment above).
>> /etc/hosts:
>> 127.0.0.1               localhost localhost.mydomain.local
>> 192.168.11.3            nickel.mydomain.local nickel
>> 192.168.1.2             iron.mydomain.local iron
>
> I take it the machine has a fixed IP and as you are relying on dns to
> find the DC (as you should), you do not need the line that starts
> '192.168.1.2'
Yes, I agree.  I will remove it.
> Can you ping the DC from 'nickel', both by IP and name ?
Yes
> Is winbind actually running ?
Yes

Thanks again,

Chris

On Thu, 2 Feb 2017 09:36:28 -0800
Chris Stankevitz <chrisstankevitz at gmail.com> wrote:
> On Tue, Jan 31, 2017 at 2:45 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >> /etc/resolv.conf:
> >> root at nickel:~ # cat /etc/resolv.conf
> >> nameserver 192.168.11.5
> >> nameserver 192.168.1.4
> >> domain mydomain.local
> >>
> >
> > I take it at least one of the above nameservers is the AD DC, is the
> > other another AD DC ? If it isn't, then remove it. If they are
both
> > DCs, try changing the order.
> 
> They are both DCs.  I will try changing the order.  Is it possible for
> me to restrict winbindd so that it attempt to only contact one of the
> two DCs?  Once DC is local and another DC is remote (goes through a
> firewall and is 80 ms ping time away).
You could try adding 'password server = <the nearest DC>' to your
smb.conf and just having that DCs ipaddress as the nameserver.
> 
> > I would also change the 'domain mydomain.local' to 'search
> > mydomain.local'
> 
> I will try.
> 
> > Is a firewall getting in the way ?
> 
> Possibly.  Winbind seems to prefer using the DC that is through a
> firewall (see my comment above).
Hmm, it could just be that winbind is asking for something from the DC
behind the firewall, waiting for an answer, not getting one and then
giving up and trying the other DC.

I have set up freesbsd 11 in a vm and installed samba44 just like I
would on devuan and I get this:

root at freebsd:~ # net cache flush
root at freebsd:~ # time getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
0.000u 0.005s 0:00.01 0.0%	0+0k 5+0io 0pf+0w
root at freebsd:~ # time getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
0.000u 0.001s 0:00.00 0.0%	0+0k 0+0io 0pf+0w

So if all else fails, you could try upgrading ;-)
At least then we could compare like for like.

Rowland

On Thu, Feb 2, 2017 at 9:49 AM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> So if all else fails, you could try upgrading ;-)

Okay, this is solved!  And it feels oh so good.

First: I have two "identical" FreeBSD/samba42 systems.  Both
experienced the problem.

Second: I upgraded to 4.4.8 per Rowland's suggestion.  This fixed
system1 but I still have the problem on system2.  (How the heck can
that be??)

Third: After pounding my head against truss output I discovered the
problem.  System1 hostname was set to "iron".  System2 hostname was
set to "nickel.someotherdomain.local".  The AD domain in my case is
mydomain.local.  After changing System2 hostname to "nickel" the
problem went away.

Thank you all for your help!

Chris