Slow first login to an AD-joined Samba box

I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.

There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompt; subsequent logins are immediate for a few minutes, then it again takes a long time to log in (and so on).

  • Same thing with a sudo.
  • However, (authenticated) browsing of the shares is fast, with no delays.

The AD structure is quite large: it takes about 3 minutes to run `wbinfo -u`, which returns 365k entries.

I have noted in the logs a succession of these pairs of entries:

winbindd[3701]:   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016,  0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)

`klist` shows a proper list, though, and `/etc/krb5.conf` is exactly as listed in the Samba Wiki.

The `/etc/samba/smb.conf` is quite standard:
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server =  adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null

The entries related to login in /etc/nsswitch.conf:

passwd:         files winbind
group:          files winbind
shadow:         files

  • Is it likely to be a cache misconfiguration?

  • Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)


Solution 1:

Check your /etc/krb5.conf file and make sure you set the following values:

[libdefaults]
    default_realm = DOMAIN.EXAMPLE.COM

[realms]
    DOMAIN.EXAMPLE.COM = {
        kdc = DC FQDN
        admin_server = DC FQDN
    }

[domain_realm]
    .domain.example.com = DOMAIN.EXAMPLE.COM
    domain.example.com = DOMAIN.EXAMPLE.COM

Also, in your smb.conf file, add the following:

password server = DC IP or FQDN

See my blogpost for more detailed instructions: https://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html
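As an added example (not code from the question, the answer, or Samba itself), here is a small offline checker that tests a krb5.conf and an smb.conf for the settings the answer asks for: a pinned kdc/admin_server for the realm, the two [domain_realm] mappings, and a `password server` line. It also flags the repeated `winbind use default domain` key and the pre-3.6 `idmap uid/gid` syntax visible in the posted smb.conf. The config texts are constructed to mirror the question; `dc1.domain.example.com` is an assumed DC name, not from the page.

```python
import re

REALM = "DOMAIN.EXAMPLE.COM"        # realm and DNS domain from the question
DNS_DOMAIN = "domain.example.com"

# Constructed krb5.conf: only the default realm, no KDC pinned, no mapping.
BAD_KRB5 = """
[libdefaults]
    default_realm = DOMAIN.EXAMPLE.COM
"""
# Constructed krb5.conf with the values the answer asks for;
# dc1.domain.example.com is an assumed DC name, not from the page.
GOOD_KRB5 = """
[libdefaults]
    default_realm = DOMAIN.EXAMPLE.COM
[realms]
    DOMAIN.EXAMPLE.COM = {
        kdc = dc1.domain.example.com
        admin_server = dc1.domain.example.com
    }
[domain_realm]
    .domain.example.com = DOMAIN.EXAMPLE.COM
    domain.example.com = DOMAIN.EXAMPLE.COM
"""
# Constructed excerpt of the posted smb.conf (repeated key, old idmap syntax).
BAD_SMB = """
[global]
realm = DOMAIN.EXAMPLE.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind use default domain = yes
"""
# Same excerpt with the answer's 'password server' and the current idmap syntax.
GOOD_SMB = """
[global]
realm = DOMAIN.EXAMPLE.COM
password server = dc1.domain.example.com
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = yes
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}. A 'NAME = { ... }'
    block inside a section becomes a nested dict under NAME."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
        elif section is None:
            continue
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return sections


def lint_krb5_conf(text, realm, dns_domain):
    """Return deviations from the answer's [libdefaults]/[realms]/[domain_realm]
    settings as a list of strings (empty list means the file is as expected)."""
    cfg = parse_krb5_conf(text)
    findings = []
    if cfg.get("libdefaults", {}).get("default_realm", [None])[0] != realm:
        findings.append(f"[libdefaults] default_realm is not {realm}")
    realm_cfg = cfg.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict) or not realm_cfg.get("kdc"):
        findings.append(f"[realms] no kdc pinned for {realm}; KDC found via DNS only")
    mapping = cfg.get("domain_realm", {})
    for host in ("." + dns_domain, dns_domain):
        if mapping.get(host, [None])[0] != realm:
            findings.append(f"[domain_realm] missing '{host} = {realm}'")
    return findings


def lint_smb_conf(text):
    """Flag repeated keys, the pre-3.6 'idmap uid/gid' syntax and a missing
    'password server' (the setting the answer adds)."""
    seen, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":      # blank, comment or section header
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        key = " ".join(key.lower().split())   # smb.conf keys are case/space-insensitive
        if key in seen:
            findings.append(f"duplicate key '{key}'")
        seen[key] = value
    if "password server" not in seen:
        findings.append("no 'password server'; winbind locates a DC on its own")
    if "idmap uid" in seen or "idmap gid" in seen:
        findings.append("'idmap uid/gid' is the old syntax; use 'idmap config * : range'")
    return findings
```

Run it against your real files with `lint_krb5_conf(open("/etc/krb5.conf").read(), REALM, DNS_DOMAIN)` and `lint_smb_conf(open("/etc/samba/smb.conf").read())`; an empty list from both means the files already carry everything the answer recommends, so the slow login has to be explained elsewhere (DNS, time sync, or the DC itself). The parser handles only the one-level `REALM = { ... }` nesting that krb5.conf uses for realms; it does not follow `include`/`includedir` directives.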