Irtsgbr

I have joined my first Debian box to an Active Directory (2008 R2). It works, I can log in with AD credentials, browse Samba shares.

There is just a problem with the time it takes for someone to log in via ssh (the only way to log into the headless servers). It takes about 30 to 45 seconds to get a prompts, the subsequent logins are immediate for a few minutes, then again it takes a long time to log in (and so on).

• Same thing with a sudo.


• However (authenticated) browsing the shares is fast, no delays.

The AD structure is quite large, it takes about 3 minutes to get a wbinfo -u, which is 365k entries.

I have noted in the logs a succession of these pairs of entries:

winbindd[3701]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
winbindd[3701]: [2014/03/31 11:00:38.393016, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)

klist shows a proper list, though, and /etc/krb.conf is exactly as listed in the Samba Wiki.

The `/etc/samba/smb.conf` is quite standard:
[global]
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
netbios name = MYDEBIAN
security = ADS
encrypt passwords = yes
wins server = adserver.example.com
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind nested groups = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
preferred master = no
valid users = @it.security
admin users = @it.security
printing = bsd
printcap name = /dev/null

The entries related to login in /etc/nsswitch.conf:

passwd: files winbind
group: files winbind
shadow: files

• Is it likely to be a cache misconfiguration?




• Should the login be fast with no caching (in other words - is the login configuration itself incorrect and some caching mechanism just helps in my case but hides the real problem?)

Check your /etc/krb5.conf file, make sure you set the following values under

[libdefaults]

default_realm = DOMAIN.EXAMPLE.COM

[realms]

kdc = DC FQDN

admin_server = DC FQDN

[domain realm]

.domain.example.com = DOMAIN.EXAMPLE.COM

domain.example.com = DOMAIN.EXAMPLE.COM

Also, in your smb.conf file - add the following:

password server = DC IP or FQDN

See my blogpost for more detailed instructions: https://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html

Your reported delay of 30 - 45 seconds falls in line with potential DNS name resolution issues. Make sure that this machine can resolve the FQDN of your directory server, and that it doesn't have to try FQDN, fail on a timeout, then fall back to using IP.

You should be able to test this by simply pinging the FQDN of your directory server from this problem client. You can also use the "host" command to resolve hostnames without the use of ICMP (in case ICMP is restricted via a firewall or similar):

# host domain.example.com

If you do have issues with DNS resolution, make sure that this machine is configured to search in the correct domain and that the order of nameservers is correct (it should probably be trying the directory nameserver first if that's what your intended target is, for example).

As for specifics regarding those configs, it really matters what version of Debian you're running - newer versions use different technology for name resolution than older ones.