Daulton Theodore
2018-Feb-07 19:47 UTC
[Samba] Windows 10 Office 2016 slow accessing samba network shares
I have a to a samba server (4.4.16) on built on Solaris 11 samba pkg.
It is a member of an Active directory domain. Users, for some time,
have been experiencing long (20 -40 second) delays when browsing to,
opening and writing a network share on the server. Attempts to do
any of those results in a dialogue box being displayed showing:

Contacting server: \\<server-name> \share

Workstations: Windows 10
Application: MS Office 2016

I would appreciate if anyone has suggestions to getting past this
hurdle. Here is a sanitized copy of smb.conf.

# Global parameters
[globals]
netbios name = NBNAME
server string = %L
workgroup = DOMAIN_NAME
browsable = no
local master = no

allow hosts = 127.0.0.1 aaa.bbb.10. aaa.bbb.dd. aaa.bbb.cc.1kk/255.255.255.192 aaa.bbb.cc.ll/255.255.255.224 aaa.bbb.cc.69 aaa.bbb.18.1/255.255.255.224 aaa.bbb.18.30 10.0.2.15 aaa.bbb .116.0/23

hosts deny = 0.0.0.0/0

security = ADS
realm = xx.yy.ca

machine password timeout = 314496000
name resolve order = wins lmhosts host bcast

remote announce = aaa.bbb.nnn.mmm

# wins support = yes
wins server = aaa.bbb.x.y aaa.bbb.x.z
winbind use default domain = true

# force Samba to bind only to public network
interfaces = aaa.bbb.ff.gg/255.255.255.0
bind interfaces only = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
deadtime = 0

# added 20150422
server signing = auto
client signing = auto

# from MIKEY's Readme
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
client use spnego = yes
client schannel = yes
lanman auth = no
ntlm auth = no

# 20171101
server min protocol = SMB2_10
client min protocol = SMB2
client max protocol = SMB3

# Encrypt all passwords stored in /etc/sfw/samba/private/smbpasswd
encrypt passwords = yes
username map = /etc/samba/lib/nt-names

# not allowed to log in
invalid users = root daemon bin sys adm lp listen sshd\
erl webspirs samba rob jan daulton

writeable = yes

# A wormable code-execution bug has lurked in Samba for 7 years - 20170528
# https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-lurked-in-samba-for-7-years-patch-now/
nt pipe support = no

# Debug Logging information
log level = 5
log file = /etc/samba/var/log.%m:%U:%I
max log size = 2000
debug timestamp = yes

~~~~~~~~~~~~~~~~~~~~~~~~
Daulton Theodore
Carleton University Library, Systems Department
Vmail: (613) 520-2600, ext. 8352
Rowland Penny
2018-Feb-08 08:35 UTC
[Samba] Windows 10 Office 2016 slow accessing samba network shares
On Wed, 7 Feb 2018 19:47:49 +0000
Daulton Theodore via samba <samba at lists.samba.org> wrote:

> I have a to a samba server (4.4.16) on built on Solaris 11 samba pkg.
> It is a member of an Active directory domain. Users, for some time,
> have been experiencing long (20 -40 second) delays when browsing to,
> opening and writing a network share on the server. Attempts to do
> any of those results in a dialogue box being displayed showing:
>
> Contacting server: \\<server-name> \share
>
> Workstations: Windows 10
> Application: MS Office 2016
>
> I would appreciate if anyone has suggestions to getting past this
> hurdle. Here is a sanitized copy of smb.conf.
>
> # Global parameters
> [globals]
> netbios name = NBNAME
> server string = %L
> workgroup = DOMAIN_NAME
> browsable = no
> local master = no
>
> allow hosts = 127.0.0.1 aaa.bbb.10. aaa.bbb.dd.
> aaa.bbb.cc.1kk/255.255.255.192 aaa.bbb.cc.ll/255.255.255.224
> aaa.bbb.cc.69 aaa.bbb.18.1/255.255.255.224 aaa.bbb.18.30 10.0.2.15
> aaa.bbb .116.0/23
>
> hosts deny = 0.0.0.0/0
>
> security = ADS
> realm = xx.yy.ca
>
>
> machine password timeout = 314496000
> name resolve order = wins lmhosts host bcast
>
> remote announce = aaa.bbb.nnn.mmm
>
> # wins support = yes
> wins server = aaa.bbb.x.y aaa.bbb.x.z
> winbind use default domain = true
>
> # force Samba to bind only to public network
> interfaces = aaa.bbb.ff.gg/255.255.255.0
> bind interfaces only = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> deadtime = 0
>
> # added 20150422
> server signing = auto
> client signing = auto
>
> # from MIKEY's Readme
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> client use spnego = yes
> client schannel = yes
> lanman auth = no
> ntlm auth = no
>
> # 20171101
> server min protocol = SMB2_10
> client min protocol = SMB2
> client max protocol = SMB3
>
>
> # Encrypt all passwords stored in /etc/sfw/samba/private/smbpasswd
> encrypt passwords = yes
> username map = /etc/samba/lib/nt-names
>
>
> # not allowed to log in
> invalid users = root daemon bin sys adm lp listen sshd\
> erl webspirs samba rob jan daulton
>
> writeable = yes
>
> # A wormable code-execution bug has lurked in Samba for 7 years - 20170528
> # https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-lurked-in-samba-for-7-years-patch-now/
> nt pipe support = no
>
> # Debug Logging information
> log level = 5
> log file = /etc/samba/var/log.%m:%U:%I
> max log size = 2000
> debug timestamp = yes
>

You have everything in there apart from the kitchen sink AND the
'idmap config' lines.

Rowland
Rowland Penny
2018-Jun-22 07:44 UTC
[Samba] Windows 10 Office 2016 slow accessing samba network shares
On Thu, 21 Jun 2018 19:52:34 +0000
Daulton Theodore <DaultonTheodore at Cunet.Carleton.Ca> wrote:

> Hi Rowland,
>
> You responded to my post quite a while ago. I am still chasing a
> resolution to this issue. You mentioned that I had all but the idmap
> config lines in the smb.conf file. I am not familiar with idmap and a
> bit hesitant to experiment on my production server. Before I proceed
> I hope you will not mind if I asked a couple of questions. Would the
> following settings be sufficient:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # idmap config for the SAMDOM domain
> idmap config MY_DOMAIN:backend = ad
> idmap config MY_DOMAIN:schema_mode = rfc2307
> idmap config MY_DOMAIN:range = 10000-999999
>
> Do I need the following?
> idmap config MY_DOMAIN:unix_nss_info = yes
>
> I am using the username map option to map the unix names to AD names.

First STOP doing this, you should only map the Windows 'Administrator'
to the Unix user 'root' in the username map. You do not need Unix users
on a Unix domain member, you just make your Windows users into Unix
users.

> Home directories reside on the Unix server, not in Active Directory.
> Do I need: idmap config MY_DOMAIN:unix_primary_group = yes
>
> Thanks in advance for your help.
>

You need to answer some questions first ;-)

Have you added any uidNumber & gidNumber attributes to your users &
groups in AD?
If you have, are they inside the '10000-999999' range?
NOTE: Domain Users MUST have a gidNumber

If all the above is true, you can use the winbind 'ad' backend.

If it isn't and/or you don't want to add anything to AD, you can use
the winbind 'rid' backend.

If you are using the 'ad' backend, there is a further sub-question:
what version of Samba are you using?

Up to Samba version 4.6.0, you would use these lines:

    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

From 4.6.0, it changes to this:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes

With these lines, all the available user info will be extracted from
AD and the user's Unix primary group would be Domain Users.

From 4.6.0, you can also add this line:

    idmap config SAMDOM : unix_primary_group = yes

With this line, the user's Unix primary group will be set to the group
set in the user's gidNumber attribute; if this is not present or is
incorrect, it will fall back to Domain Users.

The 'rid' backend is very similar, you just don't add anything to AD:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

This will obtain the user or group IDs from AD; these IDs are
calculated from the Windows RID using the lower DOMAIN range. It will
not obtain the user's homedir and shell from AD, so you need to set
them with template lines similar to these:

    template shell = /bin/bash
    template homedir = /home/%U

You can also use these lines with the 'ad' backend, where they will
override what is stored in AD.

Rowland
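
An added example, not part of the thread and not Samba's own code: a small Python check that runs the idmap lines proposed in the quoted question against the version split described in the reply (options that only exist from 4.6.0, overlapping ID ranges) and shows the arithmetic the 'rid' backend performs. The function names are made up for this example, and the ID = RID + low-end-of-range formula assumes idmap_rid's default base_rid of 0.

```python
import re

# The lines proposed in the thread for a Samba 4.4.16 domain member.
PROPOSED = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MY_DOMAIN:backend = ad
idmap config MY_DOMAIN:schema_mode = rfc2307
idmap config MY_DOMAIN:range = 10000-999999
idmap config MY_DOMAIN:unix_nss_info = yes
"""

IDMAP = re.compile(r"^\s*idmap config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
NSS_INFO = re.compile(r"^\s*winbind nss info\s*=\s*rfc2307\b", re.I | re.M)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if (m := IDMAP.match(line)):
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def lint(text, version):
    """Check idmap lines; version is (major, minor), e.g. (4, 4) for 4.4.16."""
    domains, findings = parse_idmap(text), []
    if "*" not in domains:
        findings.append("no default 'idmap config *' backend and range")
    ranges = {d: tuple(int(n) for n in o["range"].split("-"))
              for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Overlapping ranges let two different SIDs land on the same Unix ID.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ID ranges of {a} and {b} overlap")
    for d, o in domains.items():
        if o.get("backend") != "ad" or version >= (4, 6):
            continue
        if not NSS_INFO.search(text):
            findings.append(f"{d}: before 4.6.0 use 'winbind nss info = rfc2307'")
        for opt in ("unix_nss_info", "unix_primary_group"):
            if opt in o:
                findings.append(f"{d}: '{opt}' only exists from 4.6.0")
    return findings

def rid_to_unix_id(rid, id_range):
    """'rid' backend with default base_rid 0: ID = RID + low end of range."""
    low, high = id_range
    return rid + low if rid + low <= high else None
```

Calling lint(PROPOSED, (4, 4)) reports two findings for the 4.4.16 server in this thread, while the same lines pass cleanly for (4, 6).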