We have a strange bug that happens at 10 hour intervals (after restarting the
Samba processes) on our fileservers (serving around 200 concurrent users).
After exactly 10 hours we often see about a 1 minute “hickup” where the Samba
daemons will refuse new client connections. And then things will run smoothly
again.
My guess is that this is due to the 10 hour lifespan of the Kerberos service
tickets from the AD servers and that things take time when Samba has to get a
new one, but can something be done to fix this? Or atleast get a much shorter
“downtime”?
(https://technet.microsoft.com/en-us/library/jj852188(v=ws.11).aspx
<https://technet.microsoft.com/en-us/library/jj852188(v=ws.11).aspx> - 600
minutes = 10 hours)
System:
6 Microsoft Windows AD servers (latest version I think)
6 FreeBSD 11.1 servers running Samba 4.7.0 that each bind to one of the AD
servers
Around 200 (at peak hour) concurrent SMB users.
I’ve been trying to debug this issue for some time now, and have been trying to
tweak the smb.conf settings in order to find a combination that works better,
but I’m running out of ideas.
smb.conf (parts of it)
security = ADS
kerberos method = system keytab
winbind use default domain = yes
winbind max clients = 1000
winbind max domain connections = 5
min protocol = SMB2
smb encrypt = auto
client ldap sasl wrapping = seal
I’m also wondering a bit about the “winbind max domain connections”. I found
some Microsoft technet article that talks about “MaxConnectionsPerUser” that by
default is limited to 5. Are these settings related and thus one shouldn’t go
much above 5?
(We have around 100k users in the AD systems and many groups so Winbind takes
some time at startup….)
—
[Lı.U] System Administrator ITI-NET IT.LiU.SE +46-13-28 2786