SMB Slow Logon... Found why, but not how to fix...

Ok. So, SMB works great speed wise for file transfer as our domain's PDC.

Problem is, logon is SLOW!

I did a log dump of the samba file service log file of a single user logon and I found some interesting things.

Essentially, there are 2 logon attempts. The first fails, waits for about 20 seconds, then the second one succeeds. Timing wise, the first one fails within a second, and the second one works within a second... there is just a stack wait function that makes the user wait for something like 20 seconds.

SO... at a log level 3 debug, I pored through it and found that both authentication methods first identify the user as "unknown" as specified in the smb.conf file, probably because user credentials haven't been validated yet. Next it identifies the computer by way of the SID. Both authentication methods get this far.

Now, this is the code where something is different between the successful authentication and the unsuccessful one:

- Unsuccessful: nt openpipe: Known pipe NETLOGON opening.
- Successful: nt openpipe: Known pipe lsarpc opening.

From this point, the NETLOGON one essentially does some pushing and popping, frees the pipe, tries "api_rpcTNP: RPC command: NET_AUTH2", then a few lines later does:
setting secctx(0,0) - sec ctx_stackndx = 1
then 20 seconds later
pop secctx(99,99) - sec ctx_stackndx = 0

Now, it redoes everything it had done before (authenticating as guest and checking the SID). Now it says the "lsarpc opening" thing, does the exact same stuff as the NETLOGON method until the line:

api_rpcTNP: RPC command: LSA_OPENPOLICY2
Then it goes on to authenticate the user within a second.

So, moral of the story: it looks like it is using some NETLOGON method, then is using LDAP and the LSA_OPENPOLICY2 associated with 'lsarpc'.

My question: how do I skip the NETLOGON method and/or change the order of authentication here? This would undoubtedly fix the problem and authentication would only take 1 second.

I would like to believe this is something in the opendirectorysam auth method, not really in Samba. But, I am not sure.

Keep in mind I am using OS X Server 10.3.9 on a PowerMac G5.

Thank you in advance for your help and I look forward to figuring this one out!

Posted on Aug 18, 2005 10:11 AM
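
The timing analysis described in the post above, as an added example that is not part of the original thread: a small parser that walks a Samba debug log, finds gaps between consecutive entries, and reports which named pipe was open when the stall began. It assumes the `[date time, level] file:function(line)` header layout; the sample log is constructed from the messages quoted in the post, with placeholder timestamps and source locations.

```python
import re
from datetime import datetime

# Assumed header layout: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)".
# Any sub-second part of the timestamp is ignored.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(\d+)\]")
PIPE = re.compile(r"Known pipe (\S+) opening")

# Constructed sample: messages as quoted in the post; timestamps and
# source locations (example.c:func(0)) are placeholders.
SAMPLE_LOG = """\
[2005/08/18 09:58:01, 3] example.c:func(0)
  nt openpipe: Known pipe NETLOGON opening.
[2005/08/18 09:58:01, 3] example.c:func(0)
  api_rpcTNP: RPC command: NET_AUTH2
[2005/08/18 09:58:01, 3] example.c:func(0)
  setting secctx(0,0) - sec ctx_stackndx = 1
[2005/08/18 09:58:21, 3] example.c:func(0)
  pop secctx(99,99) - sec ctx_stackndx = 0
[2005/08/18 09:58:21, 3] example.c:func(0)
  nt openpipe: Known pipe lsarpc opening.
[2005/08/18 09:58:22, 3] example.c:func(0)
  api_rpcTNP: RPC command: LSA_OPENPOLICY2
"""

def parse_entries(text):
    """Return (timestamp, level, message) per entry (header + indented body)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, int(m.group(2)), []])
        elif entries and line.strip():
            entries[-1][2].append(line.strip())
    return [(ts, lvl, " ".join(body)) for ts, lvl, body in entries]

def find_stalls(text, threshold_s=5.0):
    """Return stalls: gap in seconds, pipe open at the time, bracketing messages."""
    stalls, pipe, prev = [], None, None
    for ts, _lvl, msg in parse_entries(text):
        if prev and (ts - prev[0]).total_seconds() >= threshold_s:
            stalls.append({"gap_s": (ts - prev[0]).total_seconds(), "pipe": pipe,
                           "before": prev[1], "after": msg})
        found = PIPE.search(msg)
        if found:
            pipe = found.group(1)
        prev = (ts, msg)
    return stalls
```

Calling `find_stalls()` on the text of a real log file, with the threshold set below the delay users report, shows whether every stall sits behind the same pipe and the same pair of messages.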


Sep 28, 2005 9:26 PM in response to Matt Vlasach

I was just having the same issue with slowness. XP machines connecting to samba shares on OSX. Took a long time to connect. I added winbind separator = + to the smb.conf and it suddenly sped up and opening shares was almost instant.

I'm using a 2003 AD controller to authenticate the XP and OSX boxes, and OSX server to host home folders and manage the osx clients.

Could be a coincidence... but please post if it helped you.
Cheers
Darren.

Feb 27, 2006 8:34 PM in response to Etidorhpa

THANK YOU THANK YOU THANK YOU.....

I was struggling with this issue for over a week and overlooked your post - This is why these forums are an excellent source of info!

The ChangeIP command worked perfectly. I have my 10.4.4 server acting as PDC and was dealing with horribly slow logins from 2 other Win 2k3 servers.

The fix worked according to plan - did the reboot - then logged in on the Windows box and it took less than 5 seconds.

And all from the comfort of my couch at home with ARD & RDC.


Thanks again.
