[Samba] winbind + samba limits with large AD?

Michael Adam ma at sernet.de
Tue Jul 10 21:04:00 GMT 2007 

Hi Ralf,

I assume that you are using "security = ads" and I assume that
your AD setup has groups with lots of members?

This is a known problem then that has been fixed in current 
samba (SAMBA_3_2 as of today): The ads version of the function 
lookup_groupmem (used to retrieve the members of a given group) 
showed poor performance on large groups. I recently improved
the performance of this call (starting with svn revisions r23070
and r23072). This is in SAMBA_3_2 and in SAMBA_3_2_0, so it will 
be in the next release (3.2.0). 

There is no way to improve the performance significantly with
3.0.24 (except patching). So I suggest that you grab the latest 
sources with svn (see http://www.samba.org/samba/devel/), you 
can also get the upcoming release branch SAMBA_3_2_0 here) or 
get the unpacked sources with rsync like so:
"rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2"
and then compile it yourself.

The reason why lookup_groupmem gets used in "ls -l" at all is
that the getgrgid library call is used to resolve the gids into
names, and this call returns not only the name but the whole 
group structure, including the list of members.

So to confirm my assumptions above, you could compare the
runtime of "ls -l" to that of "ls -ln": The latter should be
much faster! 

Cheers, Michael

On Di, Jul 10, 2007 at 10:08:00 +0200, Ralf Gross wrote:
> Hi,
> 
> a few months ago I tried to setup samba + winbind (debian etch,
> amd64, samba 3.0.24). I followed the howto and got the authentication
> running. But I had not much success with winbind. I disabled the
> user/group enumeration, but this didn't change it. A simple 'ls -l' in
> a directory with 10-20 files took minutes to return the list and most
> of the time winbindd just stopped working an no connection to the
> samba shares were possible. I had to kill the daemon.
> 
> I'm only responsible for a couple of linux workstations, but our AD is
> quite large (>100000 or more entries). Before I start a new attempt to
> get winbindd working, I would like to know if this is possible at all
> without any further patches or "secret" tweaks?
> 
> Ralf

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE

More information about the samba mailing list