Andrea Cucciarre'
2020-Mar-02 08:08 UTC
[Samba] Samba slow AD authentication eventually succeed
Hello,

I have a customer that complains about slow AD authentication when accessing the share, which eventually succeeds (Samba is a DC member).
In the logs I can see the following errors:

[2020/02/24 14:11:16.775884,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/02/24 14:11:16.775902,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
  Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded
[2020/02/25 09:01:20.292903,  3] ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Time limit exceeded
[2020/02/25 09:01:20.292930,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
  Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded

So I'm wondering what Samba exactly is doing when the error is logged and if it could be related to my customer's issue.

Hereafter the smb.conf:

[global]
allow trusted domains = yes
client ldap sasl wrapping = plain
dedicated keytab file = /etc/krb5.keytab
disable spoolss = yes
host msdfs = no
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config * : schema_mode = rfc2307
idmap config PFIN : backend = rid
idmap config PFIN : range = 1000000-3000000
idmap config PFIN : schema_mode = rfc2307
idmap config POST : backend = rid
idmap config POST : range = 3000001-5000000
idmap config POST : schema_mode = rfc2307
kerberos method = secrets and keytab
load printers = no
local master = no
log file = /opt/samba/log/%m.log
log level = 3
map acl inherit = Yes
map to guest = bad user
netbios name = H002N7
os level = 3
preferred master = no
realm = PFIN.ch
security = ads
server string = Data %h
store dos attributes = Yes
vfs objects = zfsacl
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 4
winbind normalize names = no
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind use default domain = no
workgroup = PFIN

[hyperfile_test$]
available = yes
browsable = yes
hf:volume = t_hyperfile_01
nfs4: acedup = merge
nfs4: mode = special
path = /t_hyperfile_01
read only = no
vfs objects = hf_vss hf_offline zfsacl

Thanks
Andrea
Andrew Bartlett
2020-Mar-02 08:14 UTC
[Samba] Samba slow AD authentication eventually succeed
On Mon, 2020-03-02 at 09:08 +0100, Andrea Cucciarre' via samba wrote:
> Hello,
>
> I have a customer that complains about slow AD authentication when
> accessing the share, eventually succeed (Samba is a DC member)
> In the logs I can see the following errors:
>
> [2020/02/24 14:11:16.775884,  1]
> ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
>   Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
> [2020/02/24 14:11:16.775902,  3]
> ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
>   Reopening ads connection to realm 'PFIN.CH' after error Time limit
> exceeded

I added the "Reducing LDAP page size" logic to Samba, but it really should only trigger if Samba is used over a very slow VPN. I had to put a "sleep" in Samba's AD DC to simulate it for testing!

You have a number of options that would increase traffic to the DC, like "winbind enum users/groups", which if the DC is very slow would clog up winbindd pretty well.

If the login is over Kerberos we shouldn't even need to talk to AD again, but you haven't indicated if that is in use and some of the non-default options selected will need an active connection.

Try with a more default smb.conf and then add back in only the settings you need.

I hope this helps!

Andrew Bartlett

> [2020/02/25 09:01:20.292903,  3]
> ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
>   ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*))
> -> Time limit exceeded
> [2020/02/25 09:01:20.292930,  3]
> ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
>   Reopening ads connection to realm 'PFIN.CH' after error Time limit
> exceeded
>
> So I'm wondering what Samba exactly is doing when the error is logged
> and if it could be related to my customer issue.
> Hereafter the smb.conf:
>
> [global]
> allow trusted domains = yes
> client ldap sasl wrapping = plain
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = yes
> host msdfs = no
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> idmap config * : schema_mode = rfc2307
> idmap config PFIN : backend = rid
> idmap config PFIN : range = 1000000-3000000
> idmap config PFIN : schema_mode = rfc2307
> idmap config POST : backend = rid
> idmap config POST : range = 3000001-5000000
> idmap config POST : schema_mode = rfc2307
> kerberos method = secrets and keytab
> load printers = no
> local master = no
> log file = /opt/samba/log/%m.log
> log level = 3
> map acl inherit = Yes
> map to guest = bad user
> netbios name = H002N7
> os level = 3
> preferred master = no
> realm = PFIN.ch
> security = ads
> server string = Data %h
> store dos attributes = Yes
> vfs objects = zfsacl
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 4
> winbind normalize names = no
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = no
> workgroup = PFIN
>
> [hyperfile_test$]
> available = yes
> browsable = yes
> hf:volume = t_hyperfile_01
> nfs4: acedup = merge
> nfs4: mode = special
> path = /t_hyperfile_01
> read only = no
> vfs objects = hf_vss hf_offline zfsacl
>
>
> Thanks
> Andrea
>
>
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Rowland penny
2020-Mar-02 09:27 UTC
[Samba] Samba slow AD authentication eventually succeed
On 02/03/2020 08:08, Andrea Cucciarre' via samba wrote:
> Hello,
>
> I have a customer that complains about slow AD authentication when
> accessing the share, eventually succeed (Samba is a DC member)

You have a couple of things that could slow things down:

winbind enum groups = yes
winbind enum users = yes

and

winbind expand groups = 4

You also have default lines and lines that will do nothing on a Unix domain member using the 'rid' backend, try this smb.conf:

[global]
netbios name = H002N7
workgroup = PFIN
realm = PFIN.ch
security = ads
server string = Data %h
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
client ldap sasl wrapping = plain
host msdfs = no
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config PFIN : backend = rid
idmap config PFIN : range = 1000000-3000000
idmap config POST : backend = rid
idmap config POST : range = 3000001-5000000
load printers = no
disable spoolss = yes
local master = no
preferred master = no
log file = /opt/samba/log/%m.log
log level = 3
vfs objects = zfsacl
map acl inherit = Yes
store dos attributes = Yes
winbind refresh tickets = Yes

[hyperfile_test$]
hf:volume = t_hyperfile_01
nfs4: acedup = merge
nfs4: mode = special
path = /t_hyperfile_01
read only = no
vfs objects = hf_vss hf_offline zfsacl

Rowland
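As an added illustration (not code from the thread or from Samba itself), the script below parses log entries in the two-line format Andrea quoted, counts the slow-LDAP indicators Andrew describes (IO_TIMEOUT, page-size reduction, "Time limit exceeded") per Samba function, and reports the winbind settings that Rowland's trimmed smb.conf drops. The sample log and config fragments are constructed from the lines in the thread; the function names and the "non-zero means flagged" rule for winbind expand groups are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the two-line format quoted in the thread (not real customer logs).
SAMPLE_LOG = """\
[2020/02/24 14:11:16.775884,  1] ../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2020/02/24 14:11:16.775902,  3] ../source3/libads/ldap_utils.c:102(ads_do_search_retry_internal)
  Reopening ads connection to realm 'PFIN.CH' after error Time limit exceeded
[2020/02/25 09:01:20.292903,  3] ../source3/libads/ldap.c:1001(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Time limit exceeded
"""
# Header line "[timestamp, level] file:line(function)"; the message is on the following line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\] (\S+)$")

def parse_samba_log(text):
    """Return (timestamp, level, location, message) tuples, one per log entry."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header is not None and line.strip():
            events.append(header + (line.strip(),))
            header = None
    return events

# Markers of the LDAP timeout / page-size-reduction retry path Andrew describes.
SLOW_LDAP_MARKERS = ("IO_TIMEOUT", "Time limit exceeded", "Reducing LDAP page size")

def slow_ldap_summary(events):
    counts = Counter()
    for _ts, _level, location, message in events:
        if any(marker in message for marker in SLOW_LDAP_MARKERS):
            # Key by the function name inside "file:line(function)".
            counts[location.rsplit("(", 1)[-1].rstrip(")")] += 1
    return counts

# Settings Rowland identified as adding DC traffic; the function below reports those that are set.
ENUM_OPTIONS = {"winbind enum users", "winbind enum groups"}
def noisy_winbind_settings(smb_conf):
    found = {}
    for line in smb_conf.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if sep and ((key in ENUM_OPTIONS and value == "yes")
                    or (key == "winbind expand groups" and value != "0")):
            found[key] = value
    return found
```

Running slow_ldap_summary over a full /opt/samba/log/%m.log shows whether the retries cluster in the paged-search path or the reconnect path, which is the first thing to compare against the Kerberos-only login Andrew mentions.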