Search for 'primary' group members takes a *long* time.

Andrew Bartlett abartlet at samba.org
Sun May 30 06:40:01 GMT 2004


In evaluating an upgrade to Samba 3.0.4 at my site, I noticed that for
every domain logon, the client would ask for the list of administrators
on the domain.

Not a particularly hard problem - just a simple LDAP query, or even a
getgrgid call, right?

Well, the way get_memberuids() works, we enumerate *all* users, and then
look for people in that group via their primary gid.  

On my 2000-account LDAP server, over the network to my test server, this
took 15 seconds.  This is not a cached operation, so I can imagine it
only gets worse with concurrent domain logons.  (Hint:  In a school,
that happens a lot!).

While I understand why this was added, how can we continue to claim to
scale for 10000/500000 users with this kind of lookup...?

In the short term, I just intend not to upgrade Samba at Hawker, but we
are going to need to fix this - probably by adding 'ldap trust ids'
back, and making pdb_ldap perform an indexed search for the group
members (assuming they are all in LDAP).

On a positive note - in Samba4, this is all handled very easily, and
indexed, by ldb, our self-contained SAM and database backend.  We just
don't need to mess with this posix account stuff anymore... ;-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
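
The enumeration described in the message beside the indexed lookup it proposes, as an added example (not Samba code and not part of the original message). The directory contents, gid values and all function and class names are constructed for illustration; `GidIndex` models an equality index on gidNumber.

```python
from collections import defaultdict

ADMIN_GID, USERS_GID = 512, 513  # constructed gid values, not from the message

def build_directory(n_users=2000):
    """Constructed sample data: posixAccount-like entries plus one posixGroup."""
    accounts = [{"uid": f"user{i:04d}",
                 "gidNumber": ADMIN_GID if i % 500 == 0 else USERS_GID}
                for i in range(n_users)]
    # memberUid lists explicit members; primary-gid members are not listed here
    groups = {ADMIN_GID: {"cn": "admins", "memberUid": ["user0007"]}}
    return accounts, groups

def members_by_enumeration(accounts, groups, gid):
    """Slow path: fetch every account and compare its primary gid."""
    members = set(groups.get(gid, {}).get("memberUid", []))
    examined = 0
    for acct in accounts:
        examined += 1
        if acct["gidNumber"] == gid:
            members.add(acct["uid"])
    return sorted(members), examined

class GidIndex:
    """Equality index on gidNumber, built once and reused for every lookup."""
    def __init__(self, accounts):
        self._by_gid = defaultdict(list)
        for acct in accounts:
            self._by_gid[acct["gidNumber"]].append(acct["uid"])

    def search(self, gid):
        # Stands in for the filter (&(objectClass=posixAccount)(gidNumber=<gid>))
        return self._by_gid.get(gid, [])

def members_by_indexed_search(index, groups, gid):
    """Fast path: only entries matching the gid are ever returned."""
    hits = index.search(gid)
    members = set(groups.get(gid, {}).get("memberUid", [])) | set(hits)
    return sorted(members), len(hits)

if __name__ == "__main__":
    accounts, groups = build_directory()
    index = GidIndex(accounts)
    print(members_by_enumeration(accounts, groups, ADMIN_GID))
    print(members_by_indexed_search(index, groups, ADMIN_GID))
```

Both paths return the same member list; the second number in each result is how many account entries had to be examined to produce it.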