speeding up samba by backing up
play

Speeding up Samba by backing up Experiences in implementing and - PowerPoint PPT Presentation

Jul 28, 2023 •555 likes •1.06k views

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba What has been done in the last year? Samba 4.9 Password and membership change auditing LMDB back-end (semi-experimental)

  1. Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba

  2. What has been done in the last year?

  3. Samba 4.9 ● Password and membership change auditing ● LMDB back-end (semi-experimental) ● Fine grained password policies ● Domain backup, restore and rename tools ● Better DRS partner visualization ● Automatic DNS site coverage ● DNS scavenging support ● Improved trust support and more...

  4. Samba 4.10 ● GPO import and export ● KDC and NETLOGON prefork (default in 4.11) ● (Prefork) improvements for restarting services automatically ● Changes to LDAP paged results to save memory ● Offmine domain backup ● Python 3 support ● Audit logging with MS event IDs and more...

  5. A content slide Join

  6. A content slide Modify

  7. A content slide Search

  8. Performance, performance, performance Replication improvements, linked attribute performance, rename performance, large scale improvements, ... as well as other things like schema updates

  9. Traffic replay runner

  10. Basic steps for replaying traffic   Traffic model  (optional) Network trace Create a statistical Run wireshark and model for generating Traffic summary get a pcap output proportionally similar Anonymize the traffj c and traffj c pick out important details to replay

  11. Basic steps for replaying traffic   Play traffic Run either the Analyze the results summary or the model fjle Successes or failures, th median, mean, max, 95

  12. Basic steps for replaying traffic  That’s it! We’re fast, 100,000  users, no problems! Play traffic Run either the Analyze the results summary or the model fjle Successes or failures, th median, mean, max, 95

  13. Naive traffic runner results (2 vCPU, 8GB RAM) v4.6 – 1 13 operations / second v4.7 – 94 operations / second (changes to LDAP multi-process) v4.8 – 154 operations / second (only in new prefork process mode) v4.9 – 157 operations / second (only in prefork mode) v4.10 – Same as 4.8 and 4.9 Git master (prefork is default) – possibly 160? Traffj c sample is largely DNS, name resolution, LDAP bind, NETLOGON

  14. So... backing up?

  15. Domain backup A new method of backing up an AD Domain in Samba 4.9 + 4.10

  16. Why? ● Existing samba_backup script had a number of problems ● With a running DC it wasn’t certain to produce a valid copy ● It was safer than a standard copy , but didn’t respect lock ordering ● Might have caused deadlocks, corrupt or inconsistent (secrets) data ● Single source of truth of the domain data (multi-master replication) ● Forcing a pristine backup to override corrupt data elsewhere is non-trivial ● Restoring into competing data, might look replicated due to old versioning ● Avoid some database inconsistencies by creating a replication (online) backup

  17. Offline and online DC Database copy Re-join DC Offmine DC DC DC Seed RPC/ DRSUAPI DC Network Online EXAMPLE.COM EXAMPLE.COM samba-tool domain backup restore samba-tool domain backup [online|offline] T ar fjle https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

  18. Issues to resolve? ● The tool doesn’t exactly replace samba_backup (despite being removed) ● samba-tool domain backup can’t restore to the same DC name ● samba-tool domain backup can’t restore to the same install location ● Copying of sysvol still seems buggy from the mailing list ● For those who re-deploy in a certain way , it’s the (almost) ideal tool ● For those who know to re-join or re-sync (often not perfectly but perhaps in cases where it isn’t that critical) it’s a new hassle ● Backup of a domain, or backup of a domain controller?

  19. Domain rename Create testing environments and lab domains (without passwords and secrets)

  20. Rename DC Re-join DC Rewrites to renamed.com DC Must supply new domain details in backup! DC DC Seed RPC/ DRSUAPI DC Network Online RENAMED.COM EXAMPLE.COM samba-tool domain backup restore samba-tool domain backup rename T ar fjle https://wiki.samba.org/index.php/Create_a_samba_lab-domain

  21. Benefits and Caveats ● Much less worries about production and pre-production interacting ● Firewalling should be more straightforward ● Experimenting with load and load testing difg erent hardware ● No explicit secrets (or close to it) isn’t anonymized or secret-free ● The data in the domain means it can still serve the old DNS records ● Rebuilding the sites and subnets is still a job on its own (automation?) ● Use in production is debateable...

  22. Benefits and Caveats (custom DC testenv) BACKUP_FILE=backup-offline.tar.bz2 SELFTEST_TESTENV=customdc make testenv ● Reproducible testing is easier, upgrade testing is easier ● Testing under difg erent conditions is much easier ● Having a clean DC before every test is possible

  23. Linux Namespaces Running under socket_wrapper (default test-bed for samba testing), we fjnd a 10-20% performance hit when using LMDB. ● Why not leave the network faking to the kernel? ● Why not fake our hostnames and override DNS resolution using the kernel? Completely isolated test-bed using ‘real’ network interfaces that can still be made to interact with the real system and virtual machines. Unfortunately still problems with UID fakery (apparently Docker is hard), but it works.

  24. GPO import/export A new way of copying over a SYSVOL that functions (ish) across domains Exports to XML with XML entities Ideal with domain rename (pre-prod)

  26. MS-GPOL MS-GPOD

  27. fdeploy1.ini MS-GPOL MS-GPOD audit.csv GptTmpl.inf

  28. fdeploy1.ini MS-GPOL .xml registry.pol MS-GPOD .aas audit.csv GptTmpl.inf

  29. fdeploy1.ini MS-GPOL .xml User/Documents & Settings registry.pol MS-GPOD Machine/Microsoft/Windows NT/SecEdit .aas audit.csv GptTmpl.inf

  30. MS-GPNRPT MS-GPFR fdeploy1.ini MS-GPWL MS-GPOL .xml MS-GPSCR User/Documents & Settings MS-GPREG registry.pol MG-GPFAS MS-GPOD MS-GPAC Machine/Microsoft/Windows NT/SecEdit MS-GPSI .aas MS-GPDPC audit.csv MS-GPPREF GptTmpl.inf MS-GPSB MS-GPIPSEC MS-GPREF

  31. Using GPO Import/Export samba-tool gpo backup samba-tool gpo restore samba-tool gpo backup --generalize --entities=$OUT_PATH samba-tool gpo restore --entities=$IN_PATH <!ENTITY SAMBA____USER_ID_____7b7bc2512ee1fedcd76bdc68926d4f7b__ "Guest"> https://wiki.samba.org/index.php/GPO_Backup_and_Restore

  32. Automation Actually running the traffjc runner for real (making it reproducible and periodic)

  33. Automation ● Virtual machines → cloud (sometimes too slow) ● Openstack HEAT templates, Bash scripts ● Ansible playbooks Still has its problems, but we now have a mostly re-usable and composable set of playbooks (modules) for difg erent AD environments using YAML fjles. This work has led to upstream automation work, bootstrap code to simplify package installations across difg erent platforms (more natural fjt in the source tree).

  34. Automation DC DC DC

  35. Automation DC RODC DC DC DC DC

  36. Automation DC RODC DC DC DC DC MACH Seed AD domain from a backup

  37. Automation ● GUI → YAML ● Backed by Docker or Vagrant instead of Openstack ● How do we integrate the self-test system? ● Can we use this infrastructure to run against Windows regularly? Useful for development, probably overkill (or not a great fjt) for production: https://gitlab.com/catalyst-samba ansible-role-samba-dc ansible-role-samba-common

  38. Replicating... forever After joining a new domain controller to a restored domain, ongoing replication would never end. Why doesn’t it only take as long as the join (30 minutes)?

  39. CPU Flame graphs (Linux perf)

  40. Callgrind

  41. Print debugging top (htop/iotop) trial and error basic arithmetic gdb (attach to pid) perf top luck

  42. Lessons ● It turns out there was a bug in the backup code, but it found real performance issues that we then fjxed ● Replication seems to retrigger despite having just joined (still) ● Accidentally doing the wrong thing means running out of memory quickly with a large database. ● Piecemeal growth ≠ dealing with everything at once ● LMDB behaves completely difg erently (copy-on-write)

  43. Re-indexing Example of an operation where our tooling failed and SIZE MATTERS

  44. Re-indexing timings (mm:ss.ss) 100,000 users approx 230,000 records. 20x improvement Hash size re-index time 1,000 14:42.06 Basically a one line 10,000 1:59.56 change 100,000 39.92 200,000 37.48 300,000 43.16 50,000 users approx 110,000 records. Hash size re-index time 1,000 3:46:93 10,000 37:29 100,000 18.95

  45. Traffic runner on a 50k user DC (with many links) v4.9 – T argeting 80 operations / second (actual 32 success ops / second) Protocol Op Code Description Count Failed Mean Median 95% Range Max ldap 0 bindRequest 863 23 4.528840 0.563014 15.961734 203.778658 203.910120 Master – T argeting 80 operations / second (no failures + 2x throughput) ldap 0 bindRequest 3450 0 0.505355 0.143523 2.496425 9.502704 9.546165

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing file and

529 views • 19 slides
Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat / Samba Team) About Samba and RedHat Currently 7 Samba Team members inside RedHat Creators and users of Samba technology for authentication

836 views • 45 slides
Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp ddiss@samba.org Agenda Clustered Samba Witness Protocol Demo Outlook Clustered Samba Samba File and print server SMB / CIFS, SMB2

428 views • 40 slides
Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org Agenda Reasons to move to Python3 What is supported in what release Some history of the porting effort Challenges Lessons learned

815 views • 19 slides
The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba

The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba

The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba Team / SerNet 2017-05-04 https://samba.org/~metze/presentations/2017/SambaXP/ Topics Windows Domains, Forests and Trusts Netlogon Secure

497 views • 34 slides
SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP - 2016-05-11 Introduction SMB - mini history SMB: created around 1983 by Barry Feigenbaum, IBM SMB in Lan Manager: around 1990 SMB in Windows for

1.29k views • 58 slides
Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May 21, 2015 We use a lot of VMs and containers for testing and building Samba. The setup and maintenance of these machines requires a lot of work. How

351 views • 20 slides
Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me Andrew Bartlett Samba T eam member since 2001 Working on the AD DC since 2006 These views are my own, but I do with to thank:

856 views • 36 slides
Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017 Introductions Introductor a t i o n a r y e s q u e n e s s e si s m Me: Samba Team Elder SMB Wizard with: The opinions expressed are my

874 views • 21 slides
Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team / SerNet 2012-09-17 Hi there! Oh ... ... please interrupt with questions! Michael Adam SMB2+ in Samba (3 / 20) SMB2 in Samba Only SMB 2.0

1.35k views • 75 slides
Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP 2017 Andrew Bartlet Samba developer since 2001 Working on the AD DC since soon afuer the start of the 4.0 branch, since 2004! Driven to

664 views • 44 slides
Speeding Up Your Mac A Joe ON Tech Guide Speeding Up Your Mac Basics Three factors affect

Speeding Up Your Mac A Joe ON Tech Guide Speeding Up Your Mac Basics Three factors affect

Speeding Up Your Mac A Joe ON Tech Guide Speeding Up Your Mac Basics Three factors affect your Macs performance more than anything else: CPU power. Most Macs dont have upgradable CPUs, but you can compensate by reducing the amount

292 views • 12 slides
A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / / June 2018 Samba is a member project of the Sofuware Freedom Conseraancy Andrew Bartlet and Catalysts Samba Team Samba Deaeloper since 2001

436 views • 30 slides
Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The Samba4 torture suite is an extensive, general purpose CIFS test suite. It is not Samba specific. All CIFS vendors should take advantage of it to

377 views • 21 slides
MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner &lt;gd@samba.org&gt; Red Hat May 21th, 2015 Andreas Schneider &lt;asn@samba.org&gt; G

1.17k views • 29 slides
New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087

New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087

New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087 RPRN and PAR PAR support detection Print Driver Packages Driver Signing Core Printer Drivers Current state of PAR in

579 views • 45 slides
Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018

Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018

Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018 10:45 a.m. 12:00 noon 1 Panelists Barry Stein Alexandra Chambers President &amp; CEO Director pCODR Colorectal Cancer Canada CADTH

908 views • 76 slides
PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse

PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse

PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse Bauhaus-Universitt Weimar Martin Potthast, Benno Stein Andreas Eiselt, Teresa Holfeld Universidad Politcnica de Valencia Alberto Barrn-Cedeo, Paolo

538 views • 25 slides
Meeting New Challenges in Health Center Board Governance Tess Kuenning, CSN, MS, RN President

Meeting New Challenges in Health Center Board Governance Tess Kuenning, CSN, MS, RN President

Meeting New Challenges in Health Center Board Governance Tess Kuenning, CSN, MS, RN President and Chief Executive Officer Bi-State Primary Care Association David Reynolds, DrPH Health Policy Analyst and Founder of Vermonts First Federally

656 views • 46 slides
Introduction Welcome! Who am I? Who are you? A brief history of robotics COMP 150:

Introduction Welcome! Who am I? Who are you? A brief history of robotics COMP 150:

Introduction Welcome! Who am I? Who are you? A brief history of robotics COMP 150: Probabilistic Robotics for Human-Robot Interaction Instructor: Jivko Sinapov www.cs.tufts.edu/~jsinapov Syllabus Who am I? The course

136 views • 13 slides
Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820

Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820

SPARS Training- NSSP and Zero Suicide Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820 Conference Number PMXW7155346 Audience Pass code 2352660 If you are experiencing technical difficulties, please

958 views • 67 slides
Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

FERMILAB-SLIDES-19-031-CD Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories Information Technology Summit 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No.

714 views • 27 slides
Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview

Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview

Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview PRU Firmware Development Linux Drivers Introduction PRU Hardware Overview Building Blocks for PRU Development ARM SoC Architecture ARM

555 views • 32 slides
Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO (

Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO (

Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO ( Group Policy Object ) : Sont apparues avec Windows 2000 et lActive Directory Permet dappliquer des paramtres de configuration Sont

830 views • 49 slides

More recommend