[Samba] Re: samba w/ ldap - groups scalability and performance

Igor Belyi sambauser at katehok.ac93.org
Tue Sep 21 03:20:36 GMT 2004

Marlys Nelson wrote:
> The PDC appears to request ALL groups from LDAP, using the search 
> (objectclass=sambaGroupMapping).  In our case, this is nearly 14,000 
> entries and it can take almost 10 minutes to retrieve those from LDAP 
> when there are hundreds trying at once.  Indexing doesn't help in this 
> case because samba is asking for ALL groups.
> ...
> Is there any way to make samba do a more targeted lookup of groups, 
> perhaps only those groups where the user is a member?

I think it's possible. As far as I can see the problem is in this 
rpc_server/srv_util.c:get_domain_user_groups implementation which does 
retrieve all groups and then sort them out. Unfortunately, the fix isn't 
that simple since interface to backends (include/passdb.h:struct 
pdb_methods) has only one method to list groups: enum_group_mapping().

The solution could be to introduce another method to the above interface 
(enum_user_groups()?) or to extend enum_group_mapping() to accept an 
extra argument (user account name). The problem with the first solution 
is that this method would repeat almost everything enum_group_mapping 
does for all backends except that in ldapsam backend it will have an 
extra (memberUid=<user>) filter. The problem with the second - all calls 
to enum_group_mapping would need to be altered to accept an extra argument.

I'll try to see what I can do.

More information about the samba mailing list