On 21/11/2018 at 10:13, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 09:34:45 +0100
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>> Hi there
>>
>> I set up a POC domain with multiple DCs, multiple remote sites and
>> samba shares. This POC is a simulation of a whole samba3 domain
>> migration. Users, and groups have been imported from the older domain
>> to the new one.
>>
>> Here's the setup:
>> ("Remote sites" are actually different subnets on the same location
>> for the POC)
> I take it 'POC' = Proof Of Concept

Yes it is :)

>> *Main Site*:
>> DC1 (RHEL7 - samba 4.6.4)
> Where did you get the Samba 4.6.4 packages from, they cannot be the
> standard RHEL7 ones, as you cannot provision an AD DC using the standard
> RHEL Samba packages.
>

That's right, they have been compiled from source with ads support

>> DC2 (RHEL7 - samba 4.6.4)
>> DC3 (RHEL7 - samba 4.6.4)
>> SMB1 (Ubuntu 14 - samba 4.3.11+dfsg-0ubuntu0.14.04.14)
> Why have you used Ubuntu 14.04 ?
> Not knocking Ubuntu here, but 14.04 goes EOL next April and Samba 4.3.x
> is already EOL as far as Samba is concerned.

Correct. The fact is that I informed those in charge of the former domain that they should upgrade their OS first, but sadly they don't intend to do it for now.
I have to deal with this..

>> Here is the thing:
>>
>> If I try to access to an SMB1 share: absolutely no problem (fast
>> access, no acls problems)
>> If I try to access to an SMB2 or SMB3 share from a win7 client:
>> access is ok but extremely slow (acls are fine too)
>> Same access to SMB2 or SMB3 with smbclient is fine.
>>
>> So..what can cause the win7 client to be very slow with only SMB2 and
>> SMB3 ?
> I have no idea, please post the smb.conf from the Ubuntu machines.
> I would also urge you to upgrade from 14.04 to 18.04, this will get you
> a Samba 4.7.x version and you could then use Louis Van Belle's repo,
> which would get you 4.9.2
>
> Your problem could be being caused by your old versions of Samba.
>
> Rowland
>

All SMB Servers have the same exact smb.conf:

[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.LAN
netbios name = SMBSERVER1
encrypt passwords = yes
winbind separator = +
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-70000
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind trusted domains only = no
winbind use default domain = yes
printcap cache time = 60
printcap name = cups
printing = cups
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
username map = /etc/samba/user.map
log level = 10

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

include = /etc/samba/shares.conf

On Wed, 21 Nov 2018 11:34:40 +0100
Julien TEHERY via samba <samba at lists.samba.org> wrote:

> >> DC1 (RHEL7 - samba 4.6.4)
> > Where did you get the Samba 4.6.4 packages from, they cannot be the
> > standard RHEL7 ones, as you cannot provision an AD DC using the
> > standard RHEL Samba packages.
> >
> That's right, they have been compiled from source with ads support

Why did you use an EOL version of Samba then ?

> >> SMB1 (Ubuntu 14 - samba 4.3.11+dfsg-0ubuntu0.14.04.14)
> > Why have you used Ubuntu 14.04 ?
> > Not knocking Ubuntu here, but 14.04 goes EOL next April and Samba
> > 4.3.x is already EOL as far as Samba is concerned.
> Correct. The fact is that I informed those in charge of the former
> domain that they should upgrade their OS first, but sadly they don't
> intend to do it for now.
> I have to deal with this..

No, they have to deal with this, you have my permission to tell them
that I think they are stupid. From next May, Ubuntu 14.04 will no
longer be supported and with it the support for Samba 4.3.x, as I have
already said, 4.3.x is already EOL as far as Samba is concerned.

> > Your problem could be being caused by your old versions of Samba.
> >
> > Rowland
> >
> All SMB Servers have the same exact smb.conf:
>
> [global]
> workgroup = MYDOMAIN
> security = ADS
> realm = MYDOMAIN.LAN
> netbios name = SMBSERVER1
> encrypt passwords = yes
> winbind separator = +
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYDOMAIN:backend = rid
> idmap config MYDOMAIN:range = 10000-70000
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> winbind trusted domains only = no
> winbind use default domain = yes
> printcap cache time = 60
> printcap name = cups
> printing = cups
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> username map = /etc/samba/user.map
> log level = 10
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> include = /etc/samba/shares.conf

Just a few comments on the smb.conf:

The default domain '*' is meant for the Well Known SID's and users &
groups outside the 'MYDOMAIN' domain. There are less than 200 hundred
Well Known SID's, do you really expect nearly 10000 users from outside
the 'MYDOMAIN' domain to connect ?

The usage of the 'winbind enum' lines can slow things down and are only
required for testing purposes.

You might want to look carefully at the smb.conf, there are duplicate
lines.

Rowland

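The three points raised in the reply above (duplicate lines, the 'winbind enum' options, and the size of the default '*' idmap range) can be checked mechanically. This is an added example, not part of the original thread; the function name and the `max_default_ids` threshold are assumptions, and the sample is a constructed, abridged copy of the posted [global] section.

```python
import re

# Constructed sample: the posted [global] section, abridged to the relevant lines.
SAMPLE = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-70000
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 10

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
"""

def lint_smb_conf(text, max_default_ids=5000):
    """Return (code, line_number, parameter) findings; max_default_ids is an assumed threshold."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("["):
            seen = {}                     # new section: duplicates are tracked per section
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        key = "".join(name.lower().split())   # Samba ignores case and spaces in names
        if key in seen:
            findings.append(("duplicate", lineno, name))
        seen[key] = lineno
        if key in ("winbindenumusers", "winbindenumgroups") and value.lower() in ("yes", "true", "1"):
            findings.append(("enum-enabled", lineno, name))
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if key == "idmapconfig*:range" and m and int(m[2]) - int(m[1]) + 1 > max_default_ids:
            findings.append(("large-default-range", lineno, name))
    return findings

if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE):
        print(*finding)
```
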
On 21/11/2018 at 12:22, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 11:34:40 +0100
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>>>> DC1 (RHEL7 - samba 4.6.4)
>>> Where did you get the Samba 4.6.4 packages from, they cannot be the
>>> standard RHEL7 ones, as you cannot provision an AD DC using the
>>> standard RHEL Samba packages.
>>>
>> That's right, they have been compiled from source with ads support
> Why did you use an EOL version of Samba then ?

I'm gonna upgrade to 4.8.5 on the RHEL DCs

>>>> SMB1 (Ubuntu 14 - samba 4.3.11+dfsg-0ubuntu0.14.04.14)
>>> Why have you used Ubuntu 14.04 ?
>>> Not knocking Ubuntu here, but 14.04 goes EOL next April and Samba
>>> 4.3.x is already EOL as far as Samba is concerned.
>> Correct. The fact is that I informed those in charge of the former
>> domain that they should upgrade their OS first, but sadly they don't
>> intend to do it for now.
>> I have to deal with this..
> No, they have to deal with this, you have my permission to tell them
> that I think they are stupid. From next May, Ubuntu 14.04 will no
> longer be supported and with it the support for Samba 4.3.x, as I have
> already said, 4.3.x is already EOL as far as Samba is concerned.

Ok then I'll spread the word for you!
I'm gonna test with ubuntu18/ and samba >= 4.7 and will let you know

>
>>> Your problem could be being caused by your old versions of Samba.
>>>
>>> Rowland
>>>
>> All SMB Servers have the same exact smb.conf:
>>
>> [global]
>> workgroup = MYDOMAIN
>> security = ADS
>> realm = MYDOMAIN.LAN
>> netbios name = SMBSERVER1
>> encrypt passwords = yes
>> winbind separator = +
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config MYDOMAIN:backend = rid
>> idmap config MYDOMAIN:range = 10000-70000
>> winbind enum users = yes
>> winbind enum groups = yes
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> printcap cache time = 60
>> printcap name = cups
>> printing = cups
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> username map = /etc/samba/user.map
>> log level = 10
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> include = /etc/samba/shares.conf
> Just a few comments on the smb.conf:
>
> The default domain '*' is meant for the Well Known SID's and users &
> groups outside the 'MYDOMAIN' domain. There are less than 200 hundred
> Well Known SID's, do you really expect nearly 10000 users from outside
> the 'MYDOMAIN' domain to connect ?
>
> The usage of the 'winbind enum' lines can slow things down and are only
> required for testing purposes.
>
> You might want to look carefully at the smb.conf, there are duplicate
> lines.
>
> Rowland

I removed useless lines and commented out the enum options, but it's not better