[Samba] Samba 3.0.6 and OpenLDAP performance problem

Andrew Bartlett abartlet at samba.org
Fri Oct 8 13:01:24 GMT 2004

On Wed, 2004-10-06 at 21:06, Tomasz Finke wrote:
> Hello,
> I'm running Samba 3.0.6 PDC with OpenLDAP 2.1.25 backend on a Linux
> machine with RedHat 3.0 ES installed.  This is a large installation
> with separate Samba BDC and 2 file servers.  The BDC server uses a 
> replica LDAP server, working as slave for the master LDAP server
> installed at PDC.  The number of domain accounts is about 1850 and
> at the moment about 500 machines are added to the Samba domain.  The
> number of machines increased slowly since April and for the last few
> weeks we observed large delays during the domain logons.
> The logon process for some Windows machines takes as much as 10-20
> minutes (!)  For most of the users these times are of course
> unacceptable.

I looked at deploying Samba 3.0.6 at my site, and found that I could not
upgrade past the particular Samba 3.0.3 pre-release that we had at the

I found that certain windows clients would want to know who was in
certain groups, and if there were a lot of people in those groups, then
all hell broke loose.  On the samba-technical list, we have been looking
at one potential solution, but I think the patch needs more work to make
it robust.

Part of the problem is that it looked for 'primary' group members, by
scanning the entire password database.  This, and possibly the gid->sid
lookups, cause the performance issues.

At one point I thought that get_sid_list_of_group() in groupdb/mapping.c
was the problem, but it's unused now, so you could try current SVN. 
Really, we need to look at the incoming SMB requests, and what LDAP
traffic it produces.  With that data, we should be able to pin down
what's killing things at your site (which may very well be different to
what my problems were).

Andrew Bartlett

Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20041008/87b80e83/attachment.bin

More information about the samba-technical mailing list