Hello Everyone,

Thanks for your inputs. I have followed what's here:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
Apart from the different location for the directories, I have added the recommended options in samba.

However I cannot see why this would make a difference to performance. The guide for setting up a samba domain member seems more to be aimed at the whole samba stack; I only need winbind, is that not correct? Apologies, I'm new to samba.

Many Thanks
Arnab

On Fri, Sep 1, 2017 at 11:53 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 1 Sep 2017 10:52:44 +0100
> Arnab Roy via samba <samba at lists.samba.org> wrote:
>
> > Hi Louis,
> >
> > Yes of course that would help, duh! Apologies, the OS is fedora 25, Samba
> > version samba-4.5.10-0.fc25.x86_64
> >
> > smb.conf
> >
> > server string = Samba Server MY-NETWORKS
> > hosts allow = 127.
> > log file = /var/log/samba/log-MY-NETWORKS.%m
> > log level = 0
> > max log size = 50
> >
> > security = ads
> > encrypt passwords = yes
> > passdb backend = tdbsam
> > load printers = no
> > cups options = raw
> > printcap name = /dev/null
> > allow trusted domains = yes
> > ntlm auth = yes
> >
> > WORKGROUP=MY-NETWORKS
> > REALM=my-networks.com
> > password server = x.x.x.x y.y.y.y
> > pid directory = /var/run/samba/my-networks.com
> > lock directory = /var/cache/samba/my-networks.com
> > private dir = /var/cache/samba/my-networks.com
> > winbindd socket directory = /var/cache/samba/my-networks.com
> > winbindd privileged socket directory = /var/cache/samba/my-networks.com/winbindd_privileged
> > smb passwd file = /var/cache/samba/my-networks.com
> > state directory = /var/cache/samba/my-networks.com
> > cache directory = /var/cache/samba/my-networks.com
> > ntp signd socket directory = /var/cache/samba/my-networks.com
> > winbind offline logon = true
> >
> > socket options = TCP_NODELAY IPTOS_LOWDELAY
> > getwd cache winbind
> > max domain connections = 250
> > winbind max clients = 5000
> >
> > My question: can I cache the logins or do something to speed things
> > up?
> >
>
> You could try setting up Samba correctly, even allowing for the fact
> you are using sssd (not supported by Samba), there is a lot there that
> shouldn't be there, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2017-Sep-02 00:42 UTC
[Samba] Advice on Winbindd and NTLM Auth Performance
On Fri, 2017-09-01 at 23:30 +0100, Arnab Roy via samba wrote:
> Hello Everyone,
>
> Thanks for your inputs. I have followed what's here:
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> Apart from the different location for the directories, I have added the recommended options in samba.
>
> However I cannot see why this would make a difference to performance.

To be clear, what options do you now have set? Have you set the options I recommended?

The winbind max domain connections = 10 option should make a major difference, as it allows multiple authentications to occur in parallel.

If Samba is also the AD DC, then newer Samba versions (Samba 4.7 in particular) make the server-side process (NETLOGON) parallel as well.

Thanks,

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba
On Fri, 1 Sep 2017 23:30:53 +0100
Arnab Roy <arniekol at gmail.com> wrote:
> Hello Everyone,
>
> Thanks for your inputs. I have followed what's here:
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> Apart from the different location for the directories, I have added
> the recommended options in samba.

That howto seems to have been dated even when it was written and you
haven't added all the 'recommended options'.
The howto tells you to add these lines:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

These were marked as deprecated on 3.6 and you should be using lines
like these:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Without these lines, winbind doesn't know who your users & groups are.

Or are you using sssd?
If so, then Samba isn't doing authentication.

Rowland
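To see the two configuration points made in this thread (Andrew's winbind max domain connections and Rowland's idmap config lines) checked mechanically, here is an added example that is not code from Samba, FreeRADIUS or any of the posters: a small smb.conf linter that flags the deprecated idmap uid/gid keys, a missing idmap config for '*' and the domain, and an unset winbind max domain connections. The two sample configs are constructed for the example and only modelled on the thread.

```python
"""Lint smb.conf for the idmap/winbind issues in this thread (added example,
not code from Samba, FreeRADIUS or the posters)."""
import re

DEPRECATED = {"idmap uid", "idmap gid"}   # replaced by 'idmap config' since 3.6

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, 'a : b' -> 'a:b'."""
    sections, cur = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())
            sections[cur][key] = value.strip()
    return sections

def lint_winbind(text, domain):
    """Findings for [global]: deprecated idmap keys, missing idmap config, serial DC use."""
    g, dom, findings = parse_smb_conf(text).get("global", {}), domain.lower(), []
    for k in sorted(DEPRECATED & set(g)):
        findings.append(f"deprecated '{k}': use 'idmap config' instead")
    for name in ("*", dom):
        if not {f"idmap config {name}:backend", f"idmap config {name}:range"} <= set(g):
            findings.append(f"missing 'idmap config {name}' backend/range")
    if "winbind max domain connections" not in g:
        findings.append("'winbind max domain connections' unset (thread suggests 10)")
    return findings

# Constructed samples modelled on the thread, not the poster's actual file.
SAMPLE_BAD = """[global]
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   max domain connections = 250
"""
SAMPLE_FIXED = """[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MY-NETWORKS : backend = rid
   idmap config MY-NETWORKS : range = 10000-999999
   winbind max domain connections = 10
"""
```

Note that the parser treats "max domain connections" (without the winbind prefix) as a different, unknown key, which is exactly why the bad sample is reported as having no parallel DC connections configured.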
Hi Rowland,

The only thing I'm using is winbindd; the smbd and nmbd daemons are disabled. However, I have now found the bottleneck is because freeradius is calling the ntlm_auth binary and effectively forking out. The guys at freeradius wrote a direct client, libwbclient, however there is no way of specifying the winbind privileged path using that method as it's hardcoded during compile time. Why samba hardcodes this on all client applications is beyond my little knowledge :(

Many Thanks
Arnab

On 3 Sep 2017 12:48 pm, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
> On Fri, 1 Sep 2017 23:30:53 +0100
> Arnab Roy <arniekol at gmail.com> wrote:
>
> > Hello Everyone,
> >
> > Thanks for your inputs. I have followed what's here:
> > https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> > Apart from the different location for the directories, I have added
> > the recommended options in samba.
>
> That howto seems to have been dated even when it was written and you
> haven't added all the 'recommended options'.
> The howto tells you to add these lines:
>
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
>
> These were marked as deprecated on 3.6 and you should be using lines
> like these:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
> Without these lines, winbind doesn't know who your users & groups are.
>
> Or are you using sssd?
> If so, then Samba isn't doing authentication.
>
> Rowland