[PATCH] Remove fstring from wb_acct_info

Andrew Bartlett abartlet at samba.org
Thu Nov 1 06:20:01 UTC 2018


On Thu, 2018-11-01 at 08:00 +0200, Uri Simchoni via samba-technical
wrote:
> On 10/31/18 6:45 PM, Samuel Cabrero via samba-technical wrote:
> > Hi,
> > 
> > the attached patch removes two fstrings from wb_acct_info struct. The
> > reason for this change is because the winbindd group enumeration
> > backend functions (ADS in particular) try to allocate an array of
> > wb_acct_info as long as the number of groups in the domain, which may
> > result in a huge chunk of memory for domains with a large number of
> > groups.
> > 
> > Branch:
> > https://gitlab.com/samuelcabrero/samba/commits/winbind_enum_grp_nomem
> > 
> > CI:
> > https://gitlab.com/samuelcabrero/samba/pipelines/34956873
> > 
> > 
> > Please review and push if you agree.
> > 
> 
> A bit off-topic, but having been bitten in the past by this issue of
> winbindd group enumeration and large domains:
> 
> 1. No matter how optimized the memory layout, if your domain has 100K
> groups you're going to lose. The sheer number of round-trips required to
> fetch all those groups would make it unfeasible.

BTW, I did have to work this out recently: the ratio is 1200 per
EnumDomainGroups call.  

> 2. Large domains also tend to have non-out-of-the-box security
> configuration. The server computer account, which winbindd uses, doesn't
> always have the best authorization for making those queries.
> 
> For both those reasons I wouldn't use this API in a product that aims at
> large enterprise domains. Straight ldap searches (with a filter,
> limiting the number of returned results, possibly with vlv control) are
> better suited for that.

Given that the default LDAP page size is also 1000, do we really win?

> I think it was proposed in the past to remove that functionality from
> winbindd.

Yes, and we put it back in.  Regardless of the difficulties, people,
particularly in small setups, do use this. 

Larger installations are asked to turn it off via the smb.conf, but
still do ask for it and ask for it to be made faster.  (See Gary's soon
to be posted server-side efficiency improvements for exactly this). 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
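To make the memory argument in the thread concrete: the following is an added example, not code from the patch or from Samba. It assumes Samba's `fstring` is `char[256]` and that `wb_acct_info` carried two fstrings (here named `acct_name` and `acct_desc`, an assumption, since the patch itself is not shown) next to a RID, and it contrasts that fixed-size layout with a pointer-based one, both for a handful of constructed group names and for the 100K-group domain Uri mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed Samba constant: fstring is char[FSTRING_LEN] with FSTRING_LEN == 256. */
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* "Before" layout: two inline fstrings per entry (assumed field names). */
struct wb_acct_info_fstring {
	fstring acct_name;
	fstring acct_desc;
	uint32_t rid;
};

/* "After" layout: pointers to separately allocated strings (assumed field names). */
struct wb_acct_info_ptr {
	const char *acct_name;
	const char *acct_desc;
	uint32_t rid;
};

/* Bytes for an array of n entries in the fstring layout: fixed cost per entry,
 * paid in full even when the name and description are short or empty. */
size_t bytes_fstring_layout(size_t n)
{
	return n * sizeof(struct wb_acct_info_fstring);
}

/* Estimated bytes for n entries in the pointer layout, given average string
 * lengths (NUL terminators included in the count). */
size_t bytes_ptr_layout(size_t n, size_t avg_name_len, size_t avg_desc_len)
{
	return n * (sizeof(struct wb_acct_info_ptr) + avg_name_len + 1 + avg_desc_len + 1);
}

/* Exact-size string copy (avoids relying on the POSIX strdup declaration). */
static char *dup_str(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);
	if (p != NULL) {
		memcpy(p, s, len);
	}
	return p;
}

/* Build a pointer-layout array from the given names/descriptions, allocating
 * each string at exactly its length. Returns the total bytes allocated
 * (array plus strings), or 0 on allocation failure. */
size_t build_ptr_array(const char **names, const char **descs, size_t n,
		       struct wb_acct_info_ptr **out)
{
	struct wb_acct_info_ptr *arr = calloc(n, sizeof(*arr));
	size_t total = n * sizeof(*arr);
	size_t i;

	*out = NULL;
	if (arr == NULL) {
		return 0;
	}
	for (i = 0; i < n; i++) {
		arr[i].acct_name = dup_str(names[i]);
		arr[i].acct_desc = dup_str(descs[i]);
		arr[i].rid = (uint32_t)(1000 + i); /* constructed RIDs */
		if (arr[i].acct_name == NULL || arr[i].acct_desc == NULL) {
			return 0; /* leaks on failure are acceptable for this demo */
		}
		total += strlen(names[i]) + 1 + strlen(descs[i]) + 1;
	}
	*out = arr;
	return total;
}

void free_ptr_array(struct wb_acct_info_ptr *arr, size_t n)
{
	size_t i;
	for (i = 0; i < n; i++) {
		free((void *)arr[i].acct_name);
		free((void *)arr[i].acct_desc);
	}
	free(arr);
}

int main(void)
{
	/* Constructed sample groups; not real directory data. */
	const char *names[] = {"Domain Users", "Domain Admins", "sales-emea"};
	const char *descs[] = {"All domain users",
			       "Designated administrators of the domain", ""};
	struct wb_acct_info_ptr *arr = NULL;
	size_t heap = build_ptr_array(names, descs, 3, &arr);

	printf("3 entries, fstring layout: %zu bytes\n", bytes_fstring_layout(3));
	printf("3 entries, pointer layout: %zu bytes (measured)\n", heap);
	printf("100000 groups, fstring layout: %zu MiB\n",
	       bytes_fstring_layout(100000) >> 20);
	printf("100000 groups, pointer layout (avg 20/40 chars): %zu MiB\n",
	       bytes_ptr_layout(100000, 20, 40) >> 20);
	free_ptr_array(arr, 3);
	return 0;
}
```

Note that the fixed-size layout charges 512 bytes of string storage per group whether or not the description is empty, so the array for 100K groups is roughly 50 MiB before a single name is read; the pointer layout scales with the actual text, which is the saving the patch is after. It does not change the round-trip count Uri raises, which is governed by the 1200-per-call EnumDomainGroups ratio and the 1000-entry LDAP page size discussed above.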