Hai,

This is how I run my squid + winbind for auth. It's a very stable setup, I suggest you have a good look and test it.

First, strip your smb.conf:

[global]
# Auth-Only setup with winbind. ( no Shares )
workgroup = NTDOM
security = ADS
realm = YOUR.REALM
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
# change eth0 to your interface name (route -n|grep UG|awk {'print $NF'})
interfaces = eth0 lo
bind interfaces only = yes
log level = 1

# Add and Update TLS Key ( use your own certs, not the ones generated by samba.)
# ! I published my own Root CA with GPO for SSO (kerberos) works with SQUID.
tls enabled = yes
tls keyfile = /etc/ssl/private/hostname.key.pem
tls certfile = /etc/ssl/certs/hostname.cert.pem
tls cafile = /etc/ssl/certs/company-ca.crt

## map id's outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999

## Enable one of these 2. ( RID or AD )
# Backend RID setup
idmap config NTDOM : backend = rid
idmap config NTDOM : range = 10000-3999999
## Backend AD setup.
## map ids from the domain and (*) the range may not overlap !
##idmap config NTDOM : backend = ad
##idmap config NTDOM : schema_mode = rfc2307
##idmap config NTDOM : range = 10000-3999999
## 4.6+ ( get primary group from AD )
## idmap config NTDOM : unix_nss_info = yes
## 4.6+ ( get primary group from unix primary group )
## idmap config NTDOM : unix_primary_group = yes
###########

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes

# We strip the domain (NTDOM\username) to username
# ! Normally not advised
winbind use default domain = yes

# use: getent passwd username to check.
# enabling these slows down your samba.
winbind enum users = no
winbind enum groups = no

# enable offline logins
#winbind offline logon = no

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

# disable usershares creating
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

######## NO SHARE DEFINITIONS ################
###############################################################

For squid auth, ( tested from squid 4.1 up to 4.8 ) I use :

# Keytab creation:
export KRB5_KTNAME=FILE:/etc/squid/HTTP-squid.keytab
# kinit Administrator
# net ads keytab CREATE
# net ads keytab ADD HTTP/$(hostname -f)
# net ads keytab ADD HTTP/SOMEALIAS ( only if needed.)
# Verify the new keytab :
klist -ke /etc/squid/HTTP-squid.keytab
# unset KRB5_KTNAME
# chgrp proxy /etc/squid/HTTP-squid.keytab
# chmod g+r /etc/squid/HTTP-squid.keytab
# ! Server must have A and PTR record for a correct kerberos auth to work.
# If you're not able to set a correct A and PTR, use

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
 --kerberos /usr/lib/squid/negotiate_kerberos_auth \
 -k /etc/squid/HTTP-squid.keytab \
 -s HTTP/hostname.your.dnsdomain.tld@YOUR.REALM \
 --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Optional
# If negotiate_kerberos_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn.
# If you serve multiple Kerberos realms add a HTTP/fqdn [at] REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

### pure ntlm authentication
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
#auth_param ntlm children 10
#auth_param ntlm keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -b "dc=your,dc=dnsdomain,dc=tld" \
 -D ldap-bind@xxxxxxxxxxxxxxxxxx -W /etc/squid/user-pass -f sAMAccountName=%s \
 -H ldaps://dc1.your.dnsdomain.tld \
 -H ldaps://dc2.your.dnsdomain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic children 10
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 1 hours

authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# your acls. Etc..

# setup a caching + forwarding DNS.
# Optional: force to use the ipv4 to resolve dns first.
dns_v4_first on
dns_nameservers 127.0.0.1

## BIND
# add the forward zone for "internal.dnsdomain.tld" to your ad-dc's
# add a forwarding reverse zone to your internal in-arpa zone.

# add the proxy user to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

Test the setup.

Still slow. Try upgrading your samba AND squid ;-)

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian buster-squid48 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

My squid packages are as compatible as the normal debian squid packages. You can install them, test them, if you don't like them, remove the repo line and reinstall the official ones again. I only enabled ssl also in my packages, I wanted to test the ssl bumping. Works great :-)

You don't need NMBD to run.

My timings:

time getent group "domain users"
domain users:x:10000:

real 0m0.005s
user 0m0.002s
sys 0m0.000s

time getent passwd username
username:*:10002:10000:L.P.H. van Belle:/home/users/username:/bin/bash

real 0m0.006s
user 0m0.000s
sys 0m0.003s

time nslookup $(hostname -d)
Server: 127.0.0.1
Address: 127.0.0.1#53
..

real 0m0.016s
user 0m0.010s
sys 0m0.005s

time nslookup dc1.your.dnsdomain.tld
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: dc1.your.dnsdomain.tld
Address: 192.168.249.211

real 0m0.014s
user 0m0.005s
sys 0m0.009s

time wbinfo -r username
... GID'S HERE ....

real 0m0.021s
user 0m0.013s
sys 0m0.004s

So as far as I can see, I'm at almost every point twice as fast as your setup.

I'm running in a VM:
model name : AMD Opteron(tm) Processor 4386
With 4GB ram, 4 vCPU's assigned for this server.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Zbynek via samba
> Sent: Tuesday 13 August 2019 10:25
> To: samba@xxxxxxxxxxxxxxx
> Subject: winbind - frequent high CPU utilization
>
> Hi.
>
> I use winbind + squid on Debian Buster to authenticate users + authorize
> them based on groups they are in. It all works, well, good, but winbind's
> CPU utilization peaks can reach up to 100%. The same solution ran OK on
> Debian Jessie with up to 20% CPU utilization at most.
>
> The configuration of Buster must have been updated based on the samba
> version leap/shift compared to Jessie.
>
> On Buster I encountered this error: https://serverfault.com/questions/789532/winbindd-gss-init-sec-context-failed-with-unspecified-gss-failure
>
> Thus, I set "winbind rpc only = yes". May this info serve you as a hint.
>
> Current config:
> Debian 10 (Buster), 2CPU, 4GB RAM, 64bit
> winbind - 4.9.5+dfsg-5
> samba - 4.9.5+dfsg-5
>
> Connection information for squid (4.6):
> Number of clients accessing cache: 443
>
> Additional info is here: https://pastebin.com/U5idtgsv
>
> Thank you for hints.
>
> Zbynek
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
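The smb.conf above stresses that the idmap range of the default domain (*) and of NTDOM may not overlap. The following checker is an added example, not code from Louis's post or from samba: it parses the `idmap config ... : range` lines of an smb.conf (skipping commented-out alternatives such as the AD backend block) and reports any two domains whose ranges intersect. The smb.conf fragment it runs on is constructed for the example, with a second domain OTHERDOM whose range was deliberately chosen to collide with NTDOM.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (not the poster's full file): the RID range of
# OTHERDOM collides with NTDOM, and the commented-out AD-backend alternative
# must be ignored, just as samba ignores it.
SAMPLE_SMB_CONF = """\
[global]
   idmap config *: backend = tdb
   idmap config *: range = 2000-9999
   idmap config NTDOM : backend = rid
   idmap config NTDOM : range = 10000-3999999
   ##idmap config NTDOM : backend = ad
   ##idmap config NTDOM : range = 10000-3999999
   idmap config OTHERDOM : backend = rid
   idmap config OTHERDOM : range = 3000000-5000000
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('*' is the default domain) to its (low, high) range.
    smb.conf comment lines start with '#' or ';' and are skipped."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").strip()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ID ranges intersect. Ranges must be
    disjoint, otherwise a UID/GID cannot be attributed to a single domain."""
    doms = sorted(ranges)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for a, b in overlapping_ranges(found):
        print(f"idmap range clash: {a} {found[a]} overlaps {b} {found[b]}")
```

Run it against a real /etc/samba/smb.conf by reading the file into `parse_idmap_ranges` instead of the constructed sample.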