Any subnets or WAN links in your network topology? From http://us1.samba.org/samba/docs/man/winbind.html: "Winbind uses various MSRPC calls to enumerate domain users and groups..." MS RPCs over WAN links (in my experience) are dreadfully slow.

From the same page: "Over time, winbind will have mapped all Windows NT users and groups to UNIX user ids and group ids." and "User or group information returned by a PDC is cached by winbind along with a sequence number also returned by the PDC." So, doesn't sound like Winbind should be enumerating all accounts for every request.

Have you specified a user account with which to map the network drive (e.g. MY-DOMAIN\RToole => "Connect using a different user name." link => Map Network Drive dialog)?

Again, from the Winbind page: "The only obvious indication that Winbind is being used is that user and group names take the form DOMAIN\user and DOMAIN\group. This is necessary as it allows Winbind to determine that redirection to a domain controller is wanted for a particular lookup and which trusted domain is being referenced."

Do you have multiple NT domains (resource or account domains)? That would account for some network costing if the NT Domain Controller needs to be found each time. Windows 2000 Active Directory uses DNS for locating a DC, but I don't recall off the top of my head the exact procedure for NT 4.0.

Again, I'm a little shy on details. Sorry. It's been awhile since I worked with legacy, legacy systems. :-)

Keep me posted, if not the list. Winbind looks like a very valuable tool for sysadmins forced to live in a legacy environment, and I for one would love to learn more about it.

Thanks,
Curtis

-----Original Message-----
From: Robert Toole [mailto:[EMAIL PROTECTED]
Sent: August 26, 2003 7:32 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) Samba + Winbind Very slow inital connection

Curtis Sloan wrote:
> I wonder if it is a user/group permissions token issue then. When you connect via Network Neighborhood, is there a delay when you first connect to the network or the domain (i.e. Microsoft Windows Network or My-Domain)?
>
> Again, this is off the top of my head.
> It's been awhile since I studied the internals of SMB (which packets are sent first and why, what the packets look like). So, sorry I can't provide more expert assistance at the moment. I am interested to know what's causing the delay, though.
>
> Curtis
>
> -----Original Message-----
> From: Toole, Robert [mailto:[EMAIL PROTECTED]
> Sent: August 26, 2003 8:57 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: (clug-talk) Samba + Winbind Very slow inital connection
>
> Curtis,
>
> The delay is the same whether I use the IP address or the name, about 10 to 20 seconds.
>
> If I browse to it in net-neighborhood, there is no delay. Weird.
>
> WINS is set up and working properly and I checked the WINS db, the Samba server is registered properly.
>
> All nodes are set as hybrid in DHCP.
>
> The samba box is listed in DNS as well, and Name resolution works for name and IP, from both client looking for server, and server looking for client.
>
> Checked the logs in /var/log/samba - appears to be nothing unusual
>
> Using: RH 9.0, Samba 2.2.7a, winbind.
>
> Smb.conf: (actual domain and user names edited for security)
>
> # Global parameters
> [global]
>     workgroup = my-domain
>     netbios name = sambabox
>     server string = Calgary Samba Server
>     security = DOMAIN
>     encrypt passwords = Yes
>     obey pam restrictions = Yes
>     password server = my-domain controller
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>     unix password sync = Yes
>     log file = /var/log/samba/%m.log
>     max log size = 0
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     dns proxy = No
>     wins server = 192.168.1.60
>     winbind uid = 10000-20000
>     winbind gid = 10000-20000
>     winbind separator = +
>     winbind cache time = 360
>     winbind enum users = No
>     winbind enum groups = No
>     admin users = my-domain+admin1 etc...
>     read list = @"my-domain+Domain Users"
>     write list = @"my-domain+Domain Admins"
>     printing = cups
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = Yes
>     browseable = No
>
> [software]
>     comment = Calgary Software
>     path = /data/software
>     admin users = my-domain+admin etc...
>     read only = No
>     inherit permissions = Yes
>     inherit acls = Yes
>
> [knll]
>     comment = KNLL Users
>     path = /data/KNLL
>     valid users = +"my-domain+Domain Admins"
>     admin users = my-domain+admin_user etc...
>     read list =
>     read only = No
>     create mask = 0770
>     security mask = 0770
>     directory mask = 0770
>     directory security mask = 0770
>     inherit permissions = Yes
>     inherit acls = Yes
>
> -----Original Message-----
> From: Curtis Sloan [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 24, 2003 5:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: (clug-talk) Samba + Winbind Very slow inital connection
>
> Does it work faster if you use directed IP (e.g. \\192.168.0.333\share)?
>
> I'm wondering if it is a NetBIOS name resolution issue. Have you specified a WINS server? Are you running nmbd? What resolution node type is the WINS server running (i.e. broadcast)? These are just off the top of my head.
>
> Curtis
>
> -----Original Message-----
> From: Robert Toole [mailto:[EMAIL PROTECTED]
> Sent: August 23, 2003 4:45 PM
> To: [EMAIL PROTECTED]
> Subject: (clug-talk) Samba + Winbind Very slow inital connection
>
> All,
>
> I have set up a Samba box as a member of an NT4 domain, using winbind. Everything works quite well except for one annoying thing,
>
> When you initially try to connect to the Samba box from Win2K or XP, by typing in \\sambabox\share in windows explorer, it can take up to 20 seconds for the share to be displayed. (Haven't tried from Network Neighborhood, I just set this up on Friday)
>
> Once a connection has been established, it's smooth sailing.
>
> I've checked DNS, and reverse DNS, the clients and server can all resolve both hostnames and IP addresses.
>
> I've tried turning off the enum groups and users options for winbind, and also upped the cache time to 360 seconds from 15 in smb.conf
>
> Our NT User database has about 3000 users and 400 groups, but winbind queries a local domain controller (No WAN Links) and I'd think that it is not too big.
>
> If anyone has any ideas or suggestions I'd appreciate it.. I can post relevant config files and other info if requested. (Don't have easy access to the box from home)
>
> Thanks.
> --
> Robert Toole
> [EMAIL PROTECTED]
>

No, the rest of the Domain / Network is good, only the Samba box.

I have a strong suspicion that it is winbind maybe enumerating the entire user database from the domain controller before allowing access? <guessing here...>

At home, I use Samba as my domain controller, there is no winbind involved, and no delays ever. It works fantastic.

If I have time tomorrow, I'll fire up ethereal and see what there is to see. I'll keep you posted..

Thanks for the help,

--
Robert Toole
[EMAIL PROTECTED]
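
Added example, not part of the thread and not Samba code: a toy Python model of the cache rule quoted above from the winbind man page (entries cached with the PDC's sequence number), using the `winbind cache time = 360` value from the posted smb.conf. The `FakePDC` class, the account name and the rule that an expired entry is refetched only when the sequence number has changed are assumptions of this model, the last taken from the same winbind documentation.

```python
"""Toy model of winbind's sequence-number cache (illustration only, not Samba code)."""

class FakePDC:
    """Constructed stand-in for the domain controller; counts round trips."""
    def __init__(self, users):
        self.users = dict(users)
        self.seq = 1           # bumped whenever user/group information changes
        self.seq_calls = 0     # cheap "what is your sequence number?" queries
        self.lookup_calls = 0  # full user lookups

    def sequence_number(self):
        self.seq_calls += 1
        return self.seq

    def lookup(self, name):
        self.lookup_calls += 1
        return self.users[name], self.seq

    def modify(self, name, uid):
        self.users[name] = uid
        self.seq += 1


class WinbindCacheModel:
    def __init__(self, pdc, cache_time):
        self.pdc = pdc
        self.cache_time = cache_time  # seconds, like "winbind cache time"
        self.entries = {}             # name -> (value, seq, checked_at)

    def get(self, name, now):
        hit = self.entries.get(name)
        if hit:
            value, seq, checked_at = hit
            if now - checked_at < self.cache_time:
                return value                       # fresh: no network traffic
            if self.pdc.sequence_number() == seq:  # expired: compare sequence numbers
                self.entries[name] = (value, seq, now)
                return value
        value, seq = self.pdc.lookup(name)         # miss or stale: full lookup
        self.entries[name] = (value, seq, now)
        return value


def demo():
    pdc = FakePDC({"my-domain+rtoole": 10001})     # constructed sample account
    cache = WinbindCacheModel(pdc, cache_time=360)
    cache.get("my-domain+rtoole", now=0)           # first request: full lookup
    cache.get("my-domain+rtoole", now=100)         # within 360 s: served locally
    cache.get("my-domain+rtoole", now=500)         # expired, sequence unchanged
    pdc.modify("my-domain+rtoole", 10002)
    uid = cache.get("my-domain+rtoole", now=900)   # expired, sequence changed
    return pdc.lookup_calls, pdc.seq_calls, uid
```

In this model four requests cost two full lookups and two sequence-number checks, which is the behaviour the quoted documentation describes; it does not by itself say what causes the delay reported in the thread.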
