All,
So, I have a OS X Server 10.3.9 box running Samba 3.0.10. File
sharing is fast and cannot as for much more in the department.
Only slow thing: authentication. We are using the OS X box as the
PDC, and running authentication of all workstations against the PDC.
This works good, but takes 15-30 seconds to take place, which is not
great.
I did a debug level 3 of the samba file server, and took a peek at
the log after trying to log in a user. Now know I am no expert with
Samba authentication, but this is how I think things are going down:
Essentially, there are 2 logon attempts. The first fails (although it
does not report so), waits for about 20 seconds, then the second one
succeeds. Timing wise, the first one fails within a second, and the
second one works with in a second... there is just a stack wait
function that makes the user wait for something like 20 seconds.
SO... at a log level 3 debug, I poured through it and found that both
authentication methods first identify the user as "unknown" as
specified in the smb.conf file, probably because user credientials
haven't been validated yet. Next it identifies the computer by way of
the SID. Both authentication methods get this far.
Now, this is the code where something is different between the
successful authentication and the unsuccessful one:
- Unsuccessful: nt_open_pipe: Known pipe NETLOGON opening.
- Successful: nt_open_pipe: Known pipe lsarpc opening.
From this point, the NETLOGON one essentially does some pushing and
poping, frees the pipe, tries "api_rpcTNP: RPC command: NET_AUTH2,
the a few lines later does:
setting_sec_ctx(0,0) - sec_ctx_stack_ndx = 1
then 20 seconds later
pop_sec_ctx(99,99) - sec_ctx_stack_ndx = 0
Now, it redoes everything it had done before (authentcating as guest
and checking the SID). Now it says the "open_pipe: Known pipe lsarpc
opening.", does the exact same stuff as the NETLOGON method until the
line:
api_rpcTNP: RPC command: LSA_OPENPOLICY2
Then it goes on to authenticate the user within a second.
So, moral of the story: it looks like it is using some NETLOGON
method, then is using LDAP and the LSA_OPENPOLICY2 associated with
'lsarpc'.
My question: how do i skip the NETLOGON method and/or change the
order of authentication here? This would undoubldy fix the problem
and authentication would only take 1 second.
I would like to believe this is something in the opendirectorysam
auth method, not really in Samba. But, I am not sure. Any ideas or
suggestions would be greatly greatly appreciated.
Thank you and have a great day!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
