Testing Samba for Bigger Environments Samba / Linux / OpenLDAP at the german federal parliament



Similar documents
Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Samba as an Active Directory Domain Controller

Open Source Terminal Server Architecture for Enterprise Environment

Setting up a DNS MX Record for mail.corp.com p. 327 Installing Fedora on the Front-End Mail Server with the Postfix and SpamAssassin Packages

Implementing Active Directory Hurdles, Obstacles, and the Finish Line. Jim McDonough Samba Team IBM Linux Technology Center April 6, 2004

Samba's AD DC: Samba 4.2 and Beyond. Presented by Andrew Bartlett of Catalyst //

Firewall, Mail and File server solution

Scalable NAS Cluster With Samba And CTDB Source Talk Tage 2010

SOGo. Open Source Groupware at the University of Konstanz

<Samba status report>

Installing GFI LANguard Network Security Scanner

Kangaroot SUSE TechUpdate Interoperability SUSE Linux Enterprise and Windows

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Course Agenda: Managing Active Directory with NetIQ Directory and Resource Administrator and NetIQ Exchange Administrator

LDAP connectivity to the REDDOXX-Appliance

Collax Active Directory

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

How To - Implement Single Sign On Authentication with Active Directory

Enabling Active Directory Authentication with ESX Server 1

Samba 4 AD + Fileserver

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

Using Samba to play nice with Windows. Bill Moran Potential Technologies

Integrating UNIX and Linux with Active Directory. John H Terpstra

LinuxCon North America

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Samba in the Enterprise : Samba 3.0 and beyond

SerNet. Samba Status Update. Munich 13. March Volker Lendecke SerNet Samba Team. Network Service in a Service Network

SUSE LINUX School Server

Integration with Active Directory. Jeremy Allison Samba Team

Windows Services. Support Windows and mixed-platform workgroups with high-performance, affordable network services. Features

Applied Network Services. Janet Services for Resilience. Andrew Davis Network Services Coordinator

What is included in the ATRC server support

Managing Identity & Access in On-premise and Cloud Environments. Ellen Newlands Identity Management Product Manager Red Hat, Inc

nitrobit group policy

Scenarios for Univention Corporate Server

White Paper. Software version: 5.0

INTRODUCING SAMBA 4 NOW, EVEN MORE AWESOMENESS

1. Installation Overview

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Download/Install IDENTD

Open Cloud Alliance. Choice and Control for the Cloud. Open Cloud Alliance

Very Large Enterprise Network, Deployment, Users

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

Implementing SAM replication in Samba 3

Network operating systems typically are used to run computers that act as servers. They provide the capabilities required for network operation.

Installation Logon Recording Basis. By AD Logon Name AD Logon Name(recommended) By Windows Logon Name IP Address

DIGIPASS Authentication for Windows Logon Product Guide 1.1

Common Internet File System

Windows Server 2003 Active Directory: Perspective

Other documents in this series are available at: servernotes.wazmac.com

Installation Overview

Step-by-Step Guide to Setup Instant Messaging (IM) Workspace Datasheet

SerNet. Samba Status Update. Linuxkongress Hamburg October 10, Volker Lendecke SerNet Samba Team. Network Service in a Service Network

Installing GFI Network Server Monitor

Red Hat Identity Management

Univention Corporate Server. Extended domain services documentation

SAMBA SERVER (PDC) Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:

Step by step guide for connecting PC to wired LAN at dormitories of University of Pardubice

Windows Active Directory. DNS, Kerberos and LDAP T h u r s d a y, J a n u a r y 2 7, 2011 INLS 576 Spring 2011

REQUIREMENTS LIVEBOX.

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

Novell Open Workgroup Suite

Windows XP Exchange Client Installation Instructions

SchoolBooking SSO Integration Guide

Apple Pro Training Series. OS X Server. Essentials. Arek Dreyer. and Ben Greisler

IIS SECURE ACCESS FILTER 1.3

Implementing Linux Authentication and Authorisation Using SSSD

SUSE Manager 1.2.x ADS Authentication

Migration Strategies and Tools for the HP Print Server Appliance

Office of Information Technologies (OIT) Network File Shares

CAC AND KERBEROS FROM VISION TO REALITY

Very Large Enterprise Network Deployment, 25,000+ Users

Functions of NOS Overview of NOS Characteristics Differences Between PC and a NOS Multiuser, Multitasking, and Multiprocessor Systems NOS Server

Configure Outlook 2013 to connect to Hosted Exchange

Pearl Echo Installation Checklist

Open-Xchange Hosted Edition Directory Integration

Bring Linux into Microsoft s ADS

MailEnable Installation Guide

OpenVMS Update & OpenVMS Common Internet File System based on SAMBA

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Migration guide. Business

Transparent fileservices for Windows, Unix and Mac

SMALL BUSINESS OUTSOURCING

Install Guide Linux Ubuntu LTS (Lucid Lynx) Desktop

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

(june > this is version 3.025a)

From centralized to single sign on

University of Maine System Active Directory Services - RFP# ADDENDUM #01

# Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no

Transcription:

Peter H. Ganten ganten@univention.de Testing Samba for Bigger Environments Samba / Linux / OpenLDAP at the german federal parliament

Agenda 1. Advertisment for the speakers company (very short, I promise) 2. History and general conditions of the MigOS project at the german federal parliament 3. The crash 4. The race towards a functional setup 5. Behavior and performance of the final setup 6. Conclusion and questions

Univention GmbH Founded in 2002 Manufactorer of Univention Corporate Server (UCS) and Univention Groupware Server (UGS) UCS: a complete infrastructure solution based on Debian GNU/Linux, with an integrated infrastructure and identity management system (iims) build on top of OpenLDAP, Heimdal Kerberos, Samba and other components UGS: a complete Groupware solution based on Kolab 2 and UCS

Some References [...]

The MigOS project of the german federal parliament In 2002 the german federal parliament (Deutscher Bundestag) decided to migrate: its Windows NT 4.0 based clients to Windows XP its Windows NT 4.0 based servers to Linux / Samba / OpenLDAP Reasons: Microsoft announced to discontinue support for Windows NT Windows based clients promised better compatibility to extern partners and existing applications independence, higher flexibility and higher transperancy were the main reasons to select OSS for the servers

The challange migrate an environment with approx. 5.000 clients, 120 servers and 8.000 user accounts from a single Windows NT 4.0 Domain to a Samba / OpenLDAP domain keep effects on users as low as possible keep availability during migration as high as possible Integrate Samba with an OpenLDAP directory, which is used to manage DHCP, DNS, Mail and other services, too develop tools for an integrated administration The order for the migration was won by Computacenter

Tests and Preparation a complete, separate test environment was established migration of the account database and data was tested for all applications, compatibility tests were done performance tests were done by means of smbclient scripts, which tested among others: authentication against the samba servers opening connections to specific shares (netlogon and home share) copying files from the logon server (the content of the netlogon share) copying the users profile data from a file server using NT file servers with Samba logon servers

The breakdown the productive environment was migrated to Samba on the weekend 9 th and 10 th of october 2004. in the morning of monday the 11 th the server reached critical load and were unable to process logon requests at 2:00 p.m. the fall back plan was executed and the NT servers were put in place, again bad headlines for Linux, OpenLDAP and Samba : (

Clearing up After the crash the parliament charged a group of four companies (Gonicus, PSI, lt ec and Univention) with: planing and building a test environment to: reproduce the crash test improved setups find possible reasons for the crash as well as to propose an optimized setup

The test environment consisted of three groups of systems: test systems load generators control systems the test system were the systems, which previously failed in the productive environment we had about 30 load generators, among them 8 strong servers, on all Windows 2003 terminal services was installed (up to 6.000 sessions possible) 3 servers were used as control systems

Why Windows Terminal Server sessions? obviously a terminal server can do more logons than a XP client at the same time : ) using Windows 2003 terminal server sessions has a high face validity when simulating Windows XP sessions (makes the client to believe in the test results) Windows 2003 terminal server sessions behave very similar to Windows XP sessions (very similar sequence of requests, same load on the samba server, same load on the OpenLDAP servers)

The control systems linux based were running several VNC sessions several rdesktop sessions inside each VNC session (because only a limited number of windows were possible inside one X session) about 3.000 sessions were possible from a single server with 4 Xeon CPUs and 16 GB RAM the test scripts were started and stopped from a standard PC via SSH

Planing the test a log file of a Windows Server was availabe to reconstruct the number of logon request during the morning of the crash day (approx 6.500 logon attampts, usually approx. 4.000 logons) 550 500 450 400 350 300 250 200 150 100 50 0-05:15-05:45-06:15-06:45-07:15-07:45-08:15-08:45-09:15-09:45-10:15-10:45-11:15-11:45-12:15-05:30-06:00-06:30-07:00-07:30-08:00-08:30-09:00-09:30-10:00-10:30-11:00-11:30-12:00

Usual logon requests

Results of the crash reproduction (1) Lastentwicklung Load 20 18 16 14 12 10 8 6 4 2 0 PD C B D C Zeit Samba-Prozesse smbd 600 500 400 300 200 100 0 PD C B D C Zeit

Results of the crash reproduction (2) logon requests took up to 30 minutes (!) out of approx. 6.500 logon request, only approx. 2.100 requests succeeded at all in the log files: smbd: can't contact ldap server slapd: too many open files

Some reasons and possible improvements OpenLDAP was used with the ldbm database backend The OpenLDAP ACLs were not optimized The handling of group memberships was very inefficient (The code tested for group membership in every mapped group and the domain had several thousend groups); this was fixed by Andrew Bartlett one day before (!) the first migration attempt was done. NSCD was not configured to efficiently cache user and group data While we found and evaluated these improvements, Sernet developed further improvements in the Samba code (ldapsam:trusted=yes, getpwnam Cache and more)

Results of the improvements (1) Lastentwicklung Load 3 2,5 2 1,5 1 0,5 0 PD C B D C LD A P M ast er LD A P Slave Zeit Samba-Prozesse smbd 100 90 80 70 60 50 40 30 20 10 0 PD C B D C Zeit

Results of the improvements (2) the domain was succesfully migrated in summer 2005 Better press for Linux, OpenLDAP and Samba : )

Conclusion In a Samba 3.0 / OpenLDAP based domain both components should be seen (and tested) as one Unit Tests should be as realistic as possible (smbclient could not be used to simulate Windows XP logon requests; logon scripts can cause high loads) Samba (>= 3.0.7) / OpenLDAP (with the bdb backend) and Linux proved themselves as a efficient and performant replacement of Windows NT

Thank you! Questions?