Making Winbind Efficient for 15,000 users

Shirish Kalele kalele at veritas.com
Mon Nov 19 14:32:10 GMT 2001


You might also want to try running the name service caching daemon (nscd).
This should speed things up significantly.

----- Original Message -----
From: "DICKENS,CARY (HP-Loveland,ex2)" <cary_dickens2 at hp.com>
To: "'Mike Papper'" <mike at digitalpipe.net>;
<samba-technical at lists.samba.org>
Sent: Monday, November 19, 2001 11:59 AM
Subject: RE: Making Winbind Efficient for 15,000 users


> Mike,
>
> Try adding "winbind enum users = no" and "winbind enum groups = no" to your
> smb.conf file.  This helped me clear up a problem similar to your login
> issue.
>
> Good luck,
>
> Cary
>
> > -----Original Message-----
> > From: Mike Papper [mailto:mike at digitalpipe.net]
> > Sent: Monday, November 19, 2001 9:38 AM
> > To: samba-technical at lists.samba.org
> > Subject: Making Winbind Efficient for 15,000 users
> >
> >
> > I am using the following components to monitor the set of
> > users and groups
> > (and what users are in what groups) for a given NT PDC:
> >
> > linux with nsswitch set to use winbind
> > samba with smbd, nmbd and winbind (samba 2.2.2)
> > C library system calls "getpwent" and "getgrent" which are
> > similar to the
> > linux commands "getent passwd" and "getent group".
> >
> > This allows me to get a list of all users, all groups and for
> > each group,
> > the set of users in that group as seen by the host linux
> > machine. Since the
> > linux box is running winbind etc. the list of users on the
> > system mirrors
> > those in a given NT PDC box (which in our case is a real NT box).
> >
> > The problem occurs when there are, say 15,000 users and 250
> > groups. Each
> > call to these functions takes a long time. In many cases
> > logging in as root
> > takes so long that we cannot login.
> >
> > I am relying on winbind to provide a list of users and groups
> > through the
> > linux system calls getpwent and getgrent. I am simulating the
> > PDC's list of
> > users and groups in a SQL database. So I need to keep the DB
> > consistent with
> > the PDC. To do this I have a C program that calls getpwent
> > and getgrent
> > every time a root user logs in (because the root user
> > requires consistent
> > up-to-date user-group info). Each time I do this it takes
> > quite a while to
> > come back to me - and I think we're hitting the PDC quite hard
> > too. To solve
> > this problem I thought I would build an in-memory cache of
> > the user/group DB
> > and periodically calling getgrent (for a specific group instead of all
> > groups) - possibly every 30 seconds or so - rather than
> > getting the list of
> > all users and groups at one time, I periodically poll for a
> > single group
> > (and its users).
> >
> > Instead of polling the PDC continuously, it would be much more
> > efficient to
> > get events from the PDC when any of the user/group info was
> > updated. What I
> > would then need is a way to get "events" from the PDC that
> > tell me when
> > there is any of the following:
> > 1) a user was added or removed from the system
> > 2) a group was added or removed from the system
> > 3) the set of users in a group changed
> >
> > Anyone know of a way to do this? I think this requires some
> > functions that
> > notify on these changes from the PDC.
> >
> > Since I know not very much how samba really works, I am wondering if:
> > 1) someone can explain how smbd et al communicates with the
> > PDC - really, I
> > see 0 documentation on any of this
> > 2) if there are samba API calls that do some sort of notify
> > 3) if I can add new functions to linux to augment the
> > getpwent/getgrent
> > calls for this kind of notify mechanism
> > 4) or if the NT PDC keeps a version number around and changes
> > this number
> > when the user/group status changes - thereby replacing the
> > polling of users
> > and groups with polling of the version number.
> > 5) what if the linux box was setup as a BDC, would it automatically get
> > user/group updates from the PDC - and so hitting this BDC
> > from winbind would
> > be more efficient than going over the wire to the real PDC?
> >
> > ----------------------
> > Also, barring any of the above, I have another, simple
> > polling strategy to
> > keep my local user DB in sync with the PDC, here's what I do -
> > I would love
> > to get any criticism etc. about this methodology:
> > 1) 1 process that calls "get all groups" every 20 mins or so
> > - this takes a
> > while
> > 2) a process that calls "get all users in a given group"
> > every 18 seconds?
> > (or slower or faster) for a single group. Cycle through all
> > the groups over
> > a period of time.
> >
> > By polling groups I can cover all users and avoid having to
> > get a list of
> > all users (since there are many more users than groups). This
> > assumes that
> > every user belongs to at least one group.
> >
> > Ideally this kind of caching would be built into
> > winbind...although I have
> > no idea of how to investigate this or to modify its code or to submit
> > changes.
> >
> > Mike Papper
> > mike at bodaro.com
> > 415-584-8449
> >
> >
> >
>
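
The per-group polling step described in the quoted message, as an added example that is not part of the thread or of Samba's code: it resolves one group by name through NSS with getgrnam_r(), which keeps working when "winbind enum groups = no" disables getgrent() enumeration, and compares the result with a cached member list. The function names, the default group "root" and the empty cached snapshot are assumptions made for the illustration.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count names in `now` missing from `old` (NULL-terminated lists).
 * Swap the arguments to count removals instead. */
size_t members_added(char *const *old, char *const *now)
{
    size_t added = 0;
    for (; *now; now++) {
        char *const *o = old;
        while (*o && strcmp(*o, *now) != 0)
            o++;
        added += (*o == NULL);
    }
    return added;
}

/* Look up ONE group via NSS (winbind included) instead of walking all
 * groups with getgrent(). Grows the buffer on ERANGE, which very large
 * groups trigger. *out is NULL if not found; the caller frees *buf. */
int lookup_group(const char *name, struct group *grp, char **buf,
                 struct group **out)
{
    size_t len = 4096;
    int rc;
    *buf = NULL;
    *out = NULL;
    do {
        char *tmp = realloc(*buf, len);
        if (!tmp)
            return ENOMEM;  /* *buf is still safe to pass to free() */
        *buf = tmp;
        rc = getgrnam_r(name, grp, *buf, len, out);
        len *= 2;
    } while (rc == ERANGE && len <= ((size_t)64 << 20));
    return rc;
}

int main(int argc, char **argv)
{
    char *cached[] = { NULL };  /* constructed: empty previous snapshot */
    struct group grp, *res;
    char *buf;
    const char *name = argc > 1 ? argv[1] : "root";
    if (lookup_group(name, &grp, &buf, &res) == 0 && res)
        printf("%s: %zu new member(s)\n", name, members_added(cached, res->gr_mem));
    free(buf);
    return 0;
}
```

A sync process would call lookup_group() for one group per interval and write only the added and removed members to its database.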




