[Samba] Why is winbind so slow?!

ZIGLIO, Frediano, VF-IT Frediano.Ziglio at vodafone.com
Mon Feb 19 09:45:38 GMT 2007

> On Fri, Feb 16, 2007 at 05:31:05PM +0100, ZIGLIO, Frediano, VF-IT wrote:
> > Hi,
> >   I installed samba on a large Active Directory. All is working, I use
> > winbind in pam and everything is working.
> > However, sometimes it just hangs for a while (say 20 seconds) and then
> > goes on without problems.
> > Currently I increased "winbind cache time" to mitigate the problem.
> > There are mainly two situations where this hang occurs
> > 1- login
> > 2- ls -l
> > 3- groups
> > 
> > I tried to analyze the problem a bit more deeply. The hang with case 2
> > occurs every 2/3 minutes (without "winbind cache time") so I launched a
> > strace on winbind and when ls -l hangs I see a lot of ldap queries !!!
> > Then I launched tcpdump on the ldap port and strace and retried the
> > ls -l test.
> > Now I do a ls -l in my home directory. My user is an AD user of a
> > "DOMAIN\Domain Users" main group so ls -l says something like
> > 
> > -rw-r--r--   1 user Domain Users     1234 Xxx XX  2005 file.txt
> > 
> > ls -ln:
> > 
> > -rw-r--r--   1 16804756 16777217     1234 Xxx XX  2005 file.txt
> > 
> > So ls -l should ask which user is 16804756 and which group is 16777217.
> > Winbind should (IMHO) get the SIDs of 16804756 and 16777217 from the
> > local cache, then check if the names are updated in the cache and update
> > if necessary. The problem is that winbind does not simply check for the
> > 16777217 name, but when the group changes it dumps much other
> > information, like the users in the group, and then for each user in the
> > group it asks for information. Now all users in AD (I know it is ugly
> > but I don't manage AD) have Domain Users as the main group so it takes
> > very long to get the whole user list and update every user. It would be
> > better (at least for my case) that winbind just gets the group name and
> > marks "the member list is not correct".
> > 
> > Is anybody working in this direction? Can I help you in some way?
> We already have fixes for this in the SAMBA_3_0_25 tree.
> If you're willing to experiment then you could try the
> SVN code to see if it fixes the issue.
> Jeremy.

Now it works a lot faster !!!
What I did:
- updated to 3.0.24 (I realized I was using 3.0.23)
- recompiled 3.0.24 rpm
- tried to compile a "3.0.25" package... without success (net doesn't
link), this is the error

Using FLAGS      =  -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32
-march=i586 -fasynchronous-unwind-tables -D_GNU_SOURCE -DLDAP_DEPRECATED
-Iinclude -I./include  -I. -I. -I./lib/replace -I./lib/talloc
-I./tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H
      PICFLAG    = -fPIC
      LIBS       = -lcrypt -lcap -lresolv -lresolv -lnsl -ldl
      LDFLAGS    = -pie
      DYNEXP     = -Wl,--export-dynamic
      LDSHFLAGS  = -shared -Wl,-Bsymbolic
      SHLIBEXT   = so
      SONAMEFLAG = -Wl,-soname=
Linking bin/net
libaddns/dnsrecord.o: In function `dns_add_rrec':
libaddns/dnsrecord.c:308: undefined reference to `talloc_move'
libaddns/dnsrecord.o: In function `dns_create_rrec':
libaddns/dnsrecord.c:117: undefined reference to `talloc_move'
libaddns/dnssock.o: In function `dns_tcp_open':
libaddns/dnssock.c:67: undefined reference to `talloc_set_destructor'
libaddns/dnssock.o: In function `dns_udp_open':
libaddns/dnssock.c:117: undefined reference to `talloc_set_destructor'
libaddns/dnsgss.o: In function `dns_negotiate_gss_ctx_int':
libaddns/dnsgss.c:190: undefined reference to `talloc_move'
collect2: ld returned 1 exit status
make: *** [bin/net] Error 1

- replaced/compiled manually these files (after many tests)
- restarted cron, sshd, smb, winbind
I have a problem with "template homedir", it was "/home/winnt/%U". The newer
version does not replace the %U (I tried %u without success). I tried
with "getent passwd user" and it replied with "/home/winnt/%U" as the home
directory. Doing some grep I realized that the problem resides in
source/nss_info_template.c, because changing the line

  *homedir = talloc_strdup( ctx, lp_template_homedir() );

to

  *homedir = talloc_strdup( ctx, "/home/winnt/test" );

forces "getent passwd test" to return "/home/winnt/test"

  Frediano Ziglio
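
A check for the symptom reported above, as an added example that is not part of the original post or of Samba: it reads passwd(5)-format lines, such as `getent passwd` prints, and lists accounts whose home directory still contains a literal %-variable. The function names, the sample entries and the `%[A-Za-z]` pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, not Samba code).
# Reads passwd(5)-format lines on stdin, e.g. `getent passwd someuser`,
# and reports entries whose home directory (field 6) still holds an
# unexpanded smb.conf-style variable such as "%U".
# Assumption: any "%" followed by a letter in field 6 is an unexpanded
# variable; legitimate home directories do not contain that sequence.
find_unexpanded_homedirs() {
    awk -F: '
        # Only consider complete passwd entries (7 colon-separated fields).
        NF >= 7 && $6 ~ /%[A-Za-z]/ {
            printf "%s uid=%s home=%s\n", $1, $3, $6
            bad++
        }
        # Exit status 1 when at least one entry was flagged, else 0.
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input (not real output): one entry shows the
# unexpanded template reported in the post, the others are expanded.
sample_passwd() {
    cat <<'EOF'
test:*:16804756:16777217:Test User:/home/winnt/%U:/bin/bash
alice:*:16804757:16777217:Alice:/home/winnt/alice:/bin/bash
root:x:0:0:root:/root:/bin/bash
EOF
}

# Demo run on the constructed sample; on a real host pipe in
# `getent passwd <user>` for a few domain users instead.
sample_passwd | find_unexpanded_homedirs \
    || echo "unexpanded template homedir found"
```

Several accounts resolving to the same literal path share one home directory, so a non-zero exit status here is worth checking before users log in through PAM.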
