  1. #1

    Winbind Slowness


    I'm running CentOS 5.9 and using winbind for AD authentication for some samba shares. It works just fine, I can authenticate no problem and access everything. The problem is that after sitting for a few hours, logins and sudos can take up to 2 minutes to complete. If I do a "service winbind restart", logins and sudos are instant for a few more hours. Has anybody encountered anything similar to this? Or does anybody have any ideas of steps I can take to diagnose this? I'm pretty much out of ideas at this point...

    Thanks in advance!

  2. #2
    Just Joined!
    Join Date
    Sep 2007
    Silver Spring, MD

    Winbind Performance

    I am thinking performance could be addressed using a number of sysctl or kernel configuration parameters along with smb.conf (the Samba file).

    Can you post the smb.conf file so we can look at some of the existing parameters?

    That will help.

    That way I can make recommendations.

    socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY

    Make these changes to the smb.conf file.


  3. #3
    Linux Engineer
    Join Date
    Apr 2012
    Virginia, USA
    Make sure your CentOS server's time is set the same as your AD server.

  5. #4
    #============================ Global Parameters ==============================
    workgroup = <workgroup name>
    realm = <realm name>
    preferred master = no
    server string = <server hostname>
    security = ADS
    encrypt passwords = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash

    #============================ Share Definitions ==============================

    comment = Log Directory
    path = /var/log
    writable = no
    browseable = yes
    valid users = <domain>+<username>

    That's currently what I have in my smb.conf. I had to substitute some of the values with <value> since I can't leave them in. My time is correctly synced with my AD server as well. As far as the values you mentioned in your post above, Samba works fine as far as I can tell... I might just add those values for a potential speed increase later though anyway. It's really just any process that requires authentication that's slow, and not AD authentication, it's the local user authentication that's slow.


  6. #5
    Linux Engineer
    Join Date
    Apr 2012
    Virginia, USA
    If you have
    winbind use default domain = Yes
    set, you don't need to include the domain+user convention, you can just use the user names, unless of course the users are from a different domain.

    On my RHEL 6 server, I have the setting
    password server =

    In /etc/krb5.conf, make sure under [realms] you add your domain controllers as well. Make sure you have a kdc entry for each AD server you want your Linux box to talk to.

    I also have the following settings in /etc/krb5.conf under [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

  7. #6
    Turns out the problem was the winbind enum users and winbind enum groups options. After taking those out the slowness hasn't come back.
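
A check for the cause named in the last post, as an added example that is not code from any poster in this thread: it reads smb.conf text and reports where `winbind enum users` or `winbind enum groups` is switched on. The function names and the sample file are constructed for illustration, and treating parameters that appear before any section header as global is an assumption.

```python
import re

# Options the thread's last post identified as the cause, keyed by normalized name.
ENUM_OPTIONS = {"winbindenumusers": "winbind enum users",
                "winbindenumgroups": "winbind enum groups"}
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

# Constructed sample input, not the poster's real file.
SAMPLE = """\
[global]
    security = ADS
    Winbind Enum Users = Yes
    winbind enum groups = yes
    ; winbind enum users = no
    winbind enum groups = no
[logs]
    path = /var/log
"""

def logical_lines(text):
    """Yield stripped lines, joining trailing-backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def enabled_enum_options(text):
    """Return sorted (section, option) pairs where enumeration is switched on."""
    section, state = "global", {}  # assumption: lines before any header are global
    for line in logical_lines(text):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        key = re.sub(r"\s+", "", name).lower()
        if sep and key in ENUM_OPTIONS:
            # A later assignment overrides an earlier one in the same section.
            state[(section, ENUM_OPTIONS[key])] = value.strip().lower() in TRUE_VALUES
    return sorted(pair for pair, on in state.items() if on)

if __name__ == "__main__":
    for section, option in enabled_enum_options(SAMPLE):
        print(f"[{section}] {option} is enabled")
```
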
