Slow first login to an AD-joined Samba box
I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.
There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompt; the subsequent logins are immediate for a few minutes, then again it takes a long time to log in (and so on).
- Same thing with a `sudo`.
- However, (authenticated) browsing the shares is fast, no delays.
The AD structure is quite large: it takes about 3 minutes to get a `wbinfo -u`, which is 365k entries.
I have noted in the logs a succession of these pairs of entries:
```
winbindd[3701]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
```
`klist` shows a proper list, though, and `/etc/krb.conf` is exactly as listed in the Samba Wiki.
The `/etc/samba/smb.conf` is quite standard:
```ini
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server = adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null
```
The entries related to login in `/etc/nsswitch.conf`:
```
passwd: files winbind
group: files winbind
shadow: files
```
Is it likely to be a cache misconfiguration?
Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)
linux active-directory ssh samba
add a comment |
I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.
There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompts, the subsequent logins are immediate for a few minutes, then again it takes a long time to log in (and so on).
- Same thing with a
sudo
. - However (authenticated) browsing the shares is fast, no delays.
The AD structure is quite large, it takes about 3 minutes to get a wbinfo -u
, which is 365k entries.
I have noted in the logs a succession of these pairs of entries:
winbindd[3701]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
klist
shows a proper list, though, and /etc/krb.conf
is exactly as listed in the Samba Wiki.
The `/etc/samba/smb.conf` is quite standard:
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server = adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null
The entries related to login in /etc/nsswitch.conf
:
passwd: files winbind
group: files winbind
shadow: files
Is it likely to be a cache misconfiguration?
Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)
linux active-directory ssh samba
The problem can also be in pam configuration. For example, you can have pam set in way that failing system login will cause a delay before continuing pam stack
– Aroly7
Apr 10 at 14:54
add a comment |
I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.
There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompts, the subsequent logins are immediate for a few minutes, then again it takes a long time to log in (and so on).
- Same thing with a
sudo
. - However (authenticated) browsing the shares is fast, no delays.
The AD structure is quite large, it takes about 3 minutes to get a wbinfo -u
, which is 365k entries.
I have noted in the logs a succession of these pairs of entries:
winbindd[3701]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
klist
shows a proper list, though, and /etc/krb.conf
is exactly as listed in the Samba Wiki.
The `/etc/samba/smb.conf` is quite standard:
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server = adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null
The entries related to login in /etc/nsswitch.conf
:
passwd: files winbind
group: files winbind
shadow: files
Is it likely to be a cache misconfiguration?
Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)
linux active-directory ssh samba
I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.
There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompts, the subsequent logins are immediate for a few minutes, then again it takes a long time to log in (and so on).
- Same thing with a
sudo
. - However (authenticated) browsing the shares is fast, no delays.
The AD structure is quite large, it takes about 3 minutes to get a wbinfo -u
, which is 365k entries.
I have noted in the logs a succession of these pairs of entries:
winbindd[3701]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
klist
shows a proper list, though, and /etc/krb.conf
is exactly as listed in the Samba Wiki.
The `/etc/samba/smb.conf` is quite standard:
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server = adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null
The entries related to login in /etc/nsswitch.conf
:
passwd: files winbind
group: files winbind
shadow: files
Is it likely to be a cache misconfiguration?
Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)
linux active-directory ssh samba
linux active-directory ssh samba
edited Mar 31 '14 at 9:11
WoJ
asked Mar 31 '14 at 8:34
WoJ
The problem can also be in the PAM configuration. For example, you can have PAM set up in a way that a failing system login causes a delay before continuing the PAM stack.
– Aroly7
Apr 10 at 14:54
2 Answers
Check your `/etc/krb5.conf` file and make sure you set the following values:

```ini
[libdefaults]
default_realm = DOMAIN.EXAMPLE.COM

[realms]
DOMAIN.EXAMPLE.COM = {
    kdc = DC FQDN
    admin_server = DC FQDN
}

[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
```

Also, in your `smb.conf` file, add the following:

```ini
password server = DC IP or FQDN
```

See my blog post for more detailed instructions: https://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html
edited Apr 10 at 14:45
answered Apr 10 at 14:42
user44038
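As an added example (not code from the question or either answer), a small Python lint that parses a `krb5.conf` and an `smb.conf` and reports the mismatches the answer above warns about: `default_realm` disagreeing with the Samba `realm`, no `kdc` inside the realm block, missing `[domain_realm]` mappings, a `[domain realm]` section spelled with a space, and a missing `password server`. The sample configs and the DC name `dc1.domain.example.com` are constructed for the example.

```python
import re
def parse_conf(text):
    """Parse krb5.conf/smb.conf into {section: {key: value}}; 'NAME = { }' blocks nest."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if line == "}" or section is None:
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections

def lint(krb5_text, smb_text):
    """Check krb5.conf against smb.conf [global]; return a list of findings."""
    krb5 = parse_conf(krb5_text)
    # Samba parameter names are case-insensitive, so normalise the keys.
    smb = {k.lower(): v for k, v in parse_conf(smb_text).get("global", {}).items()}
    realm = smb.get("realm", "").upper()
    if not realm:
        return ["smb.conf: [global] has no realm"]
    findings = []
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if default_realm.upper() != realm:
        findings.append(f"krb5: default_realm '{default_realm}' != smb.conf realm {realm}")
    if "kdc" not in krb5.get("realms", {}).get(realm, {}):
        findings.append(f"krb5: [realms] has no 'kdc' inside a '{realm} = {{ }}' block")
    if "domain realm" in krb5:
        findings.append("krb5: section '[domain realm]' must be spelled '[domain_realm]'")
    mapping = krb5.get("domain_realm", {})
    for host in (realm.lower(), "." + realm.lower()):
        if mapping.get(host, "").upper() != realm:
            findings.append(f"krb5: [domain_realm] lacks '{host} = {realm}'")
    if "password server" not in smb:
        findings.append("smb.conf: no 'password server'; DCs are located by DNS only")
    return findings

# Constructed samples (not from the post): a krb5.conf with two common slips
# (space in the section name, kdc line outside a realm block) and a fixed one.
KRB5_BROKEN = """[libdefaults]
default_realm = DOMAIN.EXAMPLE.COM
[realms]
kdc = dc1.domain.example.com
[domain realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
"""
KRB5_FIXED = """[libdefaults]
default_realm = DOMAIN.EXAMPLE.COM
[realms]
DOMAIN.EXAMPLE.COM = {
    kdc = dc1.domain.example.com
}
[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
"""
SMB_QUESTION = "[global]\nrealm = DOMAIN.EXAMPLE.COM\nsecurity = ADS\n"
SMB_FIXED = SMB_QUESTION + "password server = dc1.domain.example.com\n"
```

`lint(KRB5_BROKEN, SMB_QUESTION)` reports five findings, while the fixed pair returns an empty list; the lint only reads files, so it is safe to run on a box that is already misbehaving.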
Your reported delay of 30 - 45 seconds falls in line with potential DNS name resolution issues. Make sure that this machine can resolve the FQDN of your directory server, and that it doesn't have to try FQDN, fail on a timeout, then fall back to using IP.
You should be able to test this by simply pinging the FQDN of your directory server from this problem client. You can also use the "host" command to resolve hostnames without the use of ICMP (in case ICMP is restricted via a firewall or similar):
```
# host domain.example.com
```
If you do have issues with DNS resolution, make sure that this machine is configured to search in the correct domain and that the order of nameservers is correct (it should probably be trying the directory nameserver first if that's what your intended target is, for example).
As for specifics regarding those configs, it really matters what version of Debian you're running - newer versions use different technology for name resolution than older ones.
answered Apr 10 at 15:51
Spooler