[Samba] samba w/ ldap - groups scalability and performance

Marlys Nelson Marlys.A.Nelson at uwrf.edu
Sun Sep 19 15:09:23 GMT 2004

I am having problems with samba and ldap as concerns groups.  We have two 
central LDAP servers which we use for authentication for many different 
applications, samba being just one of those. The LDAP servers are Solaris 
servers running Directory Server v5.2.

Our PDC is running samba 3.0.7 on linux.  There are several file servers, but 
the main ones are running samba 3.0.7 on solaris and all authentication goes 
through the PDC with ldapsam backend.

The problem first appeared for us with 3.0.6 this fall, though we might have 
been noticing the start of this problem with 3.0.4 last May but never isolated 
it before all our users left for the summer.

The PDC appears to request ALL groups from LDAP, using the search 
(objectclass=sambaGroupMapping).  In our case, this is nearly 14,000 entries 
and it can take almost 10 minutes to retrieve those from LDAP when there are 
hundreds trying at once.  Indexing doesn't help in this case because samba is 
asking for ALL groups.

Our first day of class here was very VERY BAD as hundreds of users tried to 
log in to our labs each hour :(

As a stop-gap measure, I modified samba to request only groups where the 
gidNumber was less than 1000 - the LDAP filter is now 
(&(objectclass=sambaGroupMapping)(gidNumber<=999)).  My rationale is that 
groups above 1000 are the individual user private groups, à la Red Hat style. 
And, it's not likely one would want to set up permissions on windows shares 
using that, the user could be used instead.  Groups under 1000 are true groups 
as unix has traditionally used them.

This resolved our login issues and got our labs functional again but now I'm 
getting the message:

get_domain_user_groups: primary gid of user [gray-00] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that

in the logs.  This is correct because I'm no longer allowing samba to find the 
user's primary group.  It's not clear to me yet that this is really a problem 
as nothing's been noticed.  But, it does concern me, plus it's extra noise in 
the log files.

Is there any way to make samba do a more targeted lookup of groups, perhaps 
only those groups where the user is a member?

Marlys A. Nelson                      Sr. Network Specialist
Information Technology Services       Network Services
University of Wisconsin - River Falls 715/425-4357
410 South Third Street                Email: Marlys.A.Nelson at uwrf.edu
River Falls  WI  54022                http://www.uwrf.edu/
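An added example, not part of the post above and not Samba's own code: it models the three group searches the post discusses (the full `(objectclass=sambaGroupMapping)` scan, the `gidNumber<=999` stop-gap, and a per-user lookup of the kind the closing question asks for) against a small constructed in-memory directory, so the number of entries each one returns can be compared. The directory contents, the group names and gids, and the use of `memberUid` as the membership attribute are assumptions; a real deployment would run these filters against the LDAP server instead of the toy matcher here.

```python
"""Compare the LDAP group searches from the thread on a constructed directory.
Nothing here talks to a real LDAP server; entries, uids and gids are made up."""
import re

# RFC 4515 escaping for values interpolated into a filter. A uid taken from a
# login request must never be pasted into the filter string raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def full_scan_filter() -> str:
    # What the post reports samba sending: every group mapping in the tree.
    return "(objectclass=sambaGroupMapping)"


def low_gid_filter(max_gid: int = 999) -> str:
    # The post's stop-gap: only the traditional unix groups.
    return f"(&(objectclass=sambaGroupMapping)(gidNumber<={max_gid}))"


def targeted_filter(uid: str, primary_gid: int) -> str:
    # Hypothetical per-user search: the user's primary group plus every group
    # listing the user in memberUid (the posixGroup attribute; assumed here).
    return (f"(&(objectclass=sambaGroupMapping)"
            f"(|(gidNumber={int(primary_gid)})(memberUid={escape_filter_value(uid)})))")


def _parse(flt: str, pos: int):
    """Recursive-descent parser for the filter subset used above: equality,
    <=, and the & / | combinators. Returns (predicate, next_pos)."""
    if flt[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if flt[pos] in "&|":
        combine = all if flt[pos] == "&" else any
        pos += 1
        subs = []
        while flt[pos] == "(":
            sub, pos = _parse(flt, pos)
            subs.append(sub)
        if flt[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (lambda e, c=combine, s=subs: c(p(e) for p in s)), pos + 1
    end = flt.index(")", pos)  # an escaped value contains no raw ')'
    item = flt[pos:end]
    if "<=" in item:
        attr, val = item.split("<=", 1)
        pred = lambda e, a=attr.lower(), v=int(val): any(int(x) <= v for x in e.get(a, ()))
    else:
        attr, val = item.split("=", 1)
        pred = lambda e, a=attr.lower(), v=_unescape(val): v in e.get(a, ())
    return pred, end + 1


def search(entries, flt: str):
    """Return the entries matching flt. Entries are dicts of lowercase
    attribute name -> list of string values, as an LDAP client sees them."""
    pred, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return [e for e in entries if pred(e)]


def group(cn, gid, members=()):
    return {"objectclass": ["posixGroup", "sambaGroupMapping"], "cn": [cn],
            "gidnumber": [str(gid)], "memberuid": list(members)}


# Constructed directory: three real groups plus 41 user private groups.
DIRECTORY = [
    group("users", 100, ["gray-00", "smith-01", "jones-02"]),
    group("staff", 200, ["smith-01"]),
    group("labs", 300, ["gray-00", "jones-02"]),
] + [group(f"user{n:02d}", 1000 + n) for n in range(40)] + [group("gray-00", 1500)]


def compare(uid: str, primary_gid: int):
    """How many entries each search returns for one user's login."""
    return {
        "full scan": len(search(DIRECTORY, full_scan_filter())),
        "gid <= 999": len(search(DIRECTORY, low_gid_filter())),
        "targeted": sorted(e["cn"][0] for e in
                           search(DIRECTORY, targeted_filter(uid, primary_gid))),
    }


if __name__ == "__main__":
    for name, result in compare("gray-00", 1500).items():
        print(f"{name:>11}: {result}")
```

The targeted filter returns the user's primary group even when its gid is above 1000, which is exactly the entry the `gidNumber<=999` filter drops and the cause of the `get_domain_user_groups` warning. Because the uid in that filter comes from the login name, it is escaped per RFC 4515 before being interpolated; a value such as `x)(cn=*` then stays a literal string to match rather than altering the filter's structure.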
