SMB Slow Logon... Found why, but not how to fix...

We have been experiencing the same problem for over a year. Applecare told us it was a bug that would be fixed in 10.4. We're skeptical. Anyone see this resolved in 10.4?

G5 running 10.3.9 server.

Are your clients Windows XP machines?

If so, have you tried to regedit the HKEY LOCALMACHINE\SYSTEM\CurrentControlSet\Services\Netlogon parameters?

Using SAMBA (O'Reilly) indicates setting the "requiresignorseal" DWORD value to "0" (default should be "1"), followed by log off/on could be a factor.

I will try this on a XP machine at work tomorrow.

The are, and we haven't--everyone has been looking at the server. Looking forward to the results.

Well, there was some improvement changing sign or seal but not much, I would estimate around 2 seconds. It now takes 13 seconds for a login to succeed on my setup.

I'm using Server 10.4.2 so I have the added bonus of the PDC somehow getting a SIGTERM and shutting down the smbd and nmbd processes.

I guess it's about time to post a bug on Apple's radar.

We tried it too but didn't see a difference.

Hi,

In our case login is instantaneous, (OS X 10.3.9 as PDC)
Can you post your smb.conf?

Sorry to hijack your thread, but since I'm experiencing similar problems, here's my smb.conf:

[global]
encrypt passwords = yes
log level = 2
display charset = UTF-8-MAC
security = user
deadtime = 5
guest account = unknown
add machine script = /usr/bin/opendirectorypdbconfig -c create computer
account -r %u -n "/LDAPv3/127.0.0.1"
add user script = /usr/bin/opendirectorypdbconfig -c create useraccount
-r %u -n "/LDAPv3/127.0.0.1"
client ntlmv2 auth = no
preferred master = yes
defer sharing violations = no
winbind separator = +
allow trusted domains = no
netbios name = Example
lanman auth = NO
vfs objects = darwin_acls
wins support = yes
time server = yes
interfaces = en1
brlm = yes
max smbd processes = 0
server string = Mac OS X
logon drive = H:
os level = 64
domain logons = yes
passdb backend = opendirectorysam guest
dos charset = CP437
unix charset = UTF-8-MAC
socket options = TCP_NODELAY IPTOS_LOWDELAY
auth methods = guest opendirectory
local master = yes
domain master = yes
map to guest = Never
use spnego = yes
printer admin = @admin, @staff
logon path = \\%N\profiles\%u
ntlm auth = YES
workgroup = MYWORKGROUP
[netlogon]
path = /etc/netlogon
oplocks = yes
strict locking = no
write list = @admin
browseable = no
[homes]
browseable = no
root preexec = /usr/sbin/inituser %U
create mode = 0750
read only = no
comment = User Home Directories
[Groups]
oplocks = 0
map archive = no
vfs objects = darwin_acls
path = /Groups
read only = no
strict locking = 1
inherit permissions = 0
comment = macosx
create mask = 0644
guest ok = 0
directory mask = 0755
[Public]
oplocks = 0
map archive = no
vfs objects = darwin_acls
path = /Shared Items/Public
read only = no
strict locking = 0
inherit permissions = 0
comment = macosx
create mask = 0644
guest ok = 0
directory mask = 0755
[Users]
oplocks = 0
map archive = no
vfs objects = darwin_acls
path = /Users
read only = no
strict locking = 1
inherit permissions = 0
comment = macosx
create mask = 0644
guest ok = 0
directory mask = 0755
[profiles]
path = /Users/Profiles
oplocks = yes
strict locking = no
read only = no
browseable = no
[printers]
printable = yes
path = /tmp

OK, here is an idea:

I noticed that the defaults for the smbd configuration in /usr/share/servermgrd/bundles/servermgr smb.bundle/Contents/Resources/servermgr_smbdefaults.plist lists the following order for authorization
<key>auth methods</key>
<string>guest opendirectory</string>

Perhaps things would speed up if we execute

sudo serveradmin settings smb:"auth methods" = "opendirectory guest"

instead of accepting the defaults.

Again, will check in the A.M.

here's mine (it's working without any problems):
workgroup = YOUR DOMAIN_GOESHERE
display charset = UTF-8-MAC
print command = /usr/sbin/PrintServiceAccess printps %p %s
lprm command = /usr/sbin/PrintServiceAccess remove %p %j
security = user
guest account = unknown
encrypt passwords = yes
printing = BSD
allow trusted domains = no
preferred master = yes
lppause command = /usr/sbin/PrintServiceAccess hold %p %j
netbios name = xserve1
wins support = yes
add machine script = /usr/bin/opendirectorypdbconfig -c create computeraccount -r %u -n "/LDAPv3/127.0.0.1"
max smbd processes = 0
printcap =
server string = xserve1
lpresume command = /usr/sbin/PrintServiceAccess release %p %j
logon drive = H:
client ntlmv2 auth = no
domain logons = yes
lpq command = /usr/sbin/PrintServiceAccess jobs %p
admin users = @admin
passdb backend = opendirectorysam guest
dos charset = CP437
unix charset = UTF-8-MAC
auth methods = guest opendirectory
local master = yes
domain master = yes
map to guest = Never
use spnego = no
printer admin = @admin, @staff
logon path = \\%N\profiles\%u
defer sharing violations = no
log level = 1

According to the Samba documentation, the "auth methods" configuration should always include "guest" as the first method in the list.

I tried my earlier suggestion to reorder the methods to no avail. I've also tried the "sysctl -w net.inet.tcp.delayed_ack=0" trick, which doesn't help for the slow logon.

As a last resort, I stopped the PDC and moved my smb.conf to smb.conf.20050916. Following this I copied the smb.conf.template back to smb.conf and set the Role in Server Admin to PDC. Surpisingly, this temporarily set the server back to a standalone configuration. I changed the the configuration back to PDC again and it took. During the process, I inspected the changes made to smb.conf by Server Admin.

I never had "map to guest = Never" show up with any other configuration changes as far as I can remember.

Anyway, besides setting some of the socket options, limiting the number of users, and changing "use spnego" to "no" via the serveradmin settings smb CLU, these are the new smb.conf settings provided by removing the old configuration file:

[global]
encrypt passwords = yes
workgroup = myworkgroup
display charset = UTF-8-MAC
security = user
deadtime = 5
guest account = unknown
add machine script = /usr/bin/opendirectorypdbconfig -c create computeraccount -r %u -n "/LDAPv3/127.0.0.1"
add user script = /usr/bin/opendirectorypdbconfig -c create useraccount -r %u -n "/LDAPv3/127.0.0.1"
client ntlmv2 auth = no
preferred master = yes
defer sharing violations = no
allow trusted domains = no
netbios name = mynetbiosname
lanman auth = YES
vfs objects = darwin_acls
wins support = yes
brlm = yes
max smbd processes = 20
server string = Mac OS X
logon drive = H:
os level = 20
domain logons = yes
passdb backend = opendirectorysam guest
dos charset = CP437
unix charset = UTF-8-MAC
socket options = TCP_NODELAY IPTOS_LOWDELAY
auth methods = guest opendirectory
local master = yes
domain master = yes
map to guest = Never
use spnego = no
printer admin = @admin, @staff
logon path = \\%N\profiles\%u
ntlm auth = YES
log level = 0

I left out the other sections for brevity. Now I will have to wait until Monday to check whether it has any affect.

Well, login from Win9x machines is now next to instantaneous, although logon and logoff to WinXP machines has slowed considerably. I think the slowdowns may have something to do with ACL's or possibly roaming profiles. There are now errors during the login/logoff stage from XP machines.

Browsing the network shares is better across the board though.

I think the "map to guest" line did the trick for the older computers.

Now, to figure out what the other hold-ups were.

FWIW, this is what I am using to trace the traffic to and from the PDC:
sudo tcpdump -s 255 -vv -l -i en1 port 137 or port 138 or port 139 >sambadump.txt

Make sure the interface matches your hardware.

OK. Try this out: http://docs.info.apple.com/article.html?artnum=300257

And if you are allowing guest connections in your smb.conf file (the guest user will be mapped to 'Bad User') try turning that off in the Server Admin. Double check the /etc/smb.conf file once you save your Windows services settings. If the settings took, it should say "map to guest = NEVER".

Last but not least, make sure you followed the procedure for setting your XP boxes for domain login (page 33 of Windows Services 10.4).

Good night, and good luck

Finally, after much struggling:

Being used to the client version of Mac OS X, I changed the IP of the server without using changeip from the command line first. I followed the directions given in "man changeip" INCLUDING THE HOSTNAME:

changeip /LDAPv3/127.0.0.1 <myOldServerIp> <myNewServerIp> myhostname myhostname

It would not work any other way. In fact, it almost hosed my system the first time I used this script, because I didn't know that it would toy with the input administrator and directory administrator names/passwords so much. To make a long story short, I input my root admin login info, BECAUSE IT ASKS YOU TO PERFORM THIS AS ROOT, and it subsequently changed my root password type to Open Directory (AKKK!). Luckily I had a backup admin account lying around, and a ssh configured to do authentication based on authorized_keys so I could mess up the administrator account and still have some chance of getting everything working again.

In defiance of the manual page, I did not change my network settings before doing the changeip the second time, and it worked!

YMMV (I'm using 10.4.2). Here's my process:
execute the following from the command line from an administrative root account-

sudo -s
<theAdminPassword>
changeip /LDAPv3/127.0.0.1 <myOldIpAddress> <myNewIpAddress> <myHostName> <myHostNameRepeatedAgainBecauseThisScriptWontWorkUnlessIPutAnotherHostNameHere>

you will then be prompted for your admin name and password (on 10.4.2 this is your directory administrative name/password for the OpenDirectory master).

You should see some line confirming that stuff is going to be done

You should see no errors.

When everything is done, assuming the script didn't fail you utterly the way it did me the first time, you should execute:
reboot

And then hopefully everything will be okay your end.

Over and out