Samba under high connection load (2.0.0)

Sat Jan 30 10:53:43 GMT 1999

In article <jeremyF6Anq5.Hvq at netcom.com>,
Jeremy Allison <jeremy at netcom.com> wrote:
>ucs_brf at unx1.shsu.edu (Bob Farmer) writes:
>>We are looking at using Samba for a file server that is currently an NT
>>Server and handles about 1500 connections (users) at a time.  I've done
>>testing with a subset of the total users, about 500 of them, and the main
>>bottleneck seems to be the authentication process. 
>
>>I've tried the "server" authentication method, but it fails at random
>>times, I've assumed this is related to the various bugs on the NT end
>>mentioned in the Samba FAQ, etc.  Unencrypted "user" authentication is
>>unacceptable since NT will always prompt for a password when using that
>>(these connections are made in an automated fashion).  So, I am trying to
>>get things working with encrypted "user" authentication. 
>
>>Each time a user logs in, Samba re-reads through /etc/passwd and
>>/usr/local/samba/private/smbpasswd in sequential fashion, line-by-line
>>(for smbpasswd at least... for /etc/passwd, it uses the system's
>>getpwnam() it appears which I suppose does the same thing...)  This really
>>bogs things down, especially when many users try logging in at the same
>>time, which is very common at times.  At many times, so many users are
>>trying to login that no one can ever get on: they all try, then timeout,
>>then all try again, etc etc.
>
>>I'm wondering if anyone has used Samba in a high-volume environment like
>>this, and if they had similar problems with authentication, or developed
>>any solution...  My thoughts right now are that I will write some routines
>>that build an index for passwd and smbpasswd, and then modify Samba to
>>read those indexes instead of the actual passwd and smbpasswd files... 
>>Before I start on that though, is there anything similar that already
>>exists for Samba that I've overlooked? 
>
>This is on my list of things to add to 2.0.
>If you do it first - I'd *love* to see the patches
>(I'm working on using a gdbm database....).

I added the GDBM database support for both /etc/passwd and
/usr/local/samba/private/smbpasswd on Friday and since then things are
pretty lightning quick, authentication time dropped from around 1-2
seconds to more like a hundredth of a second or less (from Samba's
perspective).  It appears the main bottleneck previously was the reading
of /etc/passwd, not smbpasswd...  Primarily because the Get_Pwnam function
calls getpwnam() so many times trying different letter cases.

What about a configuration option that makes Samba _only_ try usernames in
all lowercase within Get_Pwnam()?  Most people only use lowercase Unix
usernames and this would probably speed things up to an acceptable level
for most people even without the database support.  And Get_Pwnam() is
used in every(?) authentication type so it affects people across the
board, even people using "server" or "domain" authentication...  (I was
originally surprised that "server" authentication was really just as slow
as "user", now I know why...)

Many OS's have database support built into their getpwnam() so it's not
going to be a problem on those in the first place, though... 

Bob

-- 
Bob Farmer                                     ucs_brf at shsu.edu
Computer Services, Sam Houston State University; Huntsville, TX 