[Samba] samba w/ ldap - groups scalability and performance
Marlys.A.Nelson at uwrf.edu
Sun Sep 19 15:09:23 GMT 2004
I am having problems with samba and ldap as concerns groups. We have two
central LDAP servers which we use for authentication for many different
applications, samba being just one of those. The LDAP servers are Solaris
servers running Directory Server v5.2.

Our PDC is running samba 3.0.7 on linux. There are several file servers, but
the main ones are running samba 3.0.7 on solaris and all authentication goes
through the PDC with ldapsam backend.

The problem first appeared for us with 3.0.6 this fall, though we might have
been noticing the start of this problem with 3.0.4 last May but never isolated
it before all our users left for the summer.

The PDC appears to request ALL groups from LDAP, using the search
(objectclass=sambaGroupMapping). In our case, this is nearly 14,000 entries
and it can take almost 10 minutes to retrieve those from LDAP when there are
hundreds trying at once. Indexing doesn't help in this case because samba is
asking for ALL groups.

Our first day of class here was very VERY BAD as hundreds of users tried to
log in to our labs each hour :(

As a stop-gap measure, I modified samba to request only groups where the
gidNumber was less than 1000 - the LDAP filter is now
(&(objectclass=sambaGroupMapping)(gidNumber<=999)). My rationale is that
groups above 1000 are the individual user private groups, a la Red Hat style.
And, it's not likely one would want to set up permissions on windows shares
using that; the user could be used instead. Groups under 1000 are true groups
as unix has traditionally used them.

This resolved our login issues and got our labs functional again but now I'm
getting the message:

get_domain_user_groups: primary gid of user [gray-00] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that

in the logs. This is correct because I'm no longer allowing samba to find the
user's primary group. It's not clear to me yet that this is really a problem
as nothing's been noticed. But, it does concern me, plus it's extra noise in
the log files.

Is there any way to make samba do a more targeted lookup of groups, perhaps
only those groups where the user is a member?
Marlys A. Nelson, Sr. Network Specialist
Information Technology Services, Network Services
University of Wisconsin - River Falls
410 South Third Street
River Falls WI 54022
Phone: 715/425-4357
Email: Marlys.A.Nelson at uwrf.edu
http://www.uwrf.edu/
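To illustrate the trade-off described in the post, here is an added example (not code from the post or from Samba): a small evaluator for the LDAP filter subset involved (&, |, =, <=), run over constructed sambaGroupMapping entries. It shows that the unfiltered search returns every mapped group, that the (gidNumber<=999) stop-gap drops the user private groups including the user's own primary group (the situation behind the get_domain_user_groups warning), and what a filter that additionally allows the user's primary gid would return. The targeted filter and the sample entries are assumptions for illustration, not a feature of Samba.

```python
import re

# Constructed sample directory entries; not real data from the post.
GROUPS = [
    {"objectclass": ["posixGroup", "sambaGroupMapping"], "cn": "Domain Users", "gidNumber": "513"},
    {"objectclass": ["posixGroup", "sambaGroupMapping"], "cn": "labstaff", "gidNumber": "600"},
    {"objectclass": ["posixGroup", "sambaGroupMapping"], "cn": "gray-00", "gidNumber": "1042"},
    {"objectclass": ["posixGroup", "sambaGroupMapping"], "cn": "smith-01", "gidNumber": "1043"},
    {"objectclass": ["posixGroup"], "cn": "printers", "gidNumber": "700"},  # not mapped
]

_ITEM = re.compile(r"^\(([A-Za-z]+)(<=|>=|=)(.*)\)$")

def _split_children(body):
    """Split the body of a compound filter into its top-level (...) children."""
    children, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(body[start:i + 1])
    return children

def ldap_match(filt, entry):
    """Evaluate an LDAP filter (subset: &, |, =, <=, >=) against one entry."""
    if filt[1] in "&|":
        results = [ldap_match(c, entry) for c in _split_children(filt[2:-1])]
        return all(results) if filt[1] == "&" else any(results)
    attr, op, value = _ITEM.match(filt).groups()
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    if op == "=":  # case-insensitive equality, as for objectclass names
        return any(v.lower() == value.lower() for v in values)
    # Ordering matches on gidNumber compare as integers.
    return any(int(v) <= int(value) if op == "<=" else int(v) >= int(value) for v in values)

def groups_returned(filt, entries=GROUPS):
    """Names of the entries a search with this filter would return."""
    return [e["cn"] for e in entries if ldap_match(filt, e)]

# The two filters from the post, plus an assumed variant that also admits the
# user's primary gid so the primary-group lookup still succeeds.
FILTER_ALL = "(objectclass=sambaGroupMapping)"
FILTER_STOPGAP = "(&(objectclass=sambaGroupMapping)(gidNumber<=999))"

def targeted_filter(primary_gid):
    return "(&(objectclass=sambaGroupMapping)(|(gidNumber<=999)(gidNumber=%d)))" % primary_gid
```

Real directories also enforce a matching rule for the <= comparison (gidNumber needs an integer ordering match, as it evidently has on the poster's Directory Server), which this toy evaluator simply assumes.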