DRSUAPI_DRS_GET_ANC and timeouts

Andrew Bartlett abartlet at samba.org
Thu Jan 12 09:14:07 UTC 2017 

On Thu, 2017-01-12 at 21:55 +1300, Andrew Bartlett wrote:
> On Thu, 2017-01-12 at 09:44 +0100, Stefan Metzmacher wrote:
> > 
> > I'd just take this patch
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=8d156d0
> > 88
> > 5e31ad6b80c1979efdfa7cfee075215
> > which works for ours customers just fine and do further
> > improvements
> > on top of it.
> 
> Which SerNet samba.plus RPMs include this patch? (my customers are
> also
> your customers ;-)
> 
> I'll work with Bob tomorrow to understand better where his work and
> yours intersect, so we can move towards merging something with tests.
>  
> 
> I'll see if Bob can re-work his patches to be on top of your patch. 
> Aside from where we add the ancestors, is there anything else major
> outstanding I should be aware of?

BTW, I should mention what I'm chasing.  Our client is seeing timeouts
attempting a domain join of a reasonably large domain (something like
10,000+ objects).  They only see it with Samba 4.5 as the client, and
the big difference with 4.5 is that we send DRSUAPI_DRS_GET_ANC.  

This triggers:
-               } else if (req10->replica_flags & DRSUAPI_DRS_GET_ANC) {
-                       LDB_TYPESAFE_QSORT(changes,
-                                          getnc_state->num_records,
-                                          getnc_state,
-                                          site_res_cmp_anc_order);

This shouldn't be particularly slow, but we have seen in the other work
we have done that LDB DN operations is that the ldb_dn_compare(), which
calls ldb_dn_explode() can be expensive if done too often, eg on the
whole domain or many links.

Anyway, we will prove that soon I hope (the above is my working
assumptions, but I need to set up a testing domain to prove it), and be
able to make progress getting a proper, agreed fix for this in.

I'll also see if we can just up the timeout for now.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list