[Samba] winbind authentication performance: lookup_groupmem in large sites

SERGEYS Filip Filip.SERGEYS at post.be
Tue Jun 26 09:14:53 GMT 2007


I have set up winbind to authenticate Linux PCs to a Windows 2003 AD.
The authentication works, but the performance is not good (takes over 5 minutes).

OS: ubuntu 7.04
Samba: 3.0.24
AD: windows 2003

After analyzing the log.winbindd file at log level 10, I can see three major parts:

1) lookup and authenticate the user -> performance OK
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam sergeyf
[2007/06/25 14:31:50, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
  idmap_sid_to_uid: sid = [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx]
  internal_get_id_from_sid: record S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx -> UID 87023

2) list all groups this user is member of. -> performance OK
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:54, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1017)
  [    0]: getgroups sergeyf
internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxx -> GID 10513
... (more than 50 groups)

3) Per group list all members of that group -> BOTTLENECK
[2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain XXXX
[2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx

Step 3 is the one causing the delay, because each group has about 1000 users.
If I interrupt the login, I actually see I am logged in, but in the background the process of listing the groups continues.

After I found this, I thought the problem had to be related to one of these settings:
        winbind expand groups = 0
        winbind nested groups =  no
Both settings were at their defaults at first (1 and yes respectively), but after setting them to the values 0 and no, winbind still performed the lookup of group members.

I also found this mailing list post: http://archives.free.net.ph/message/20070613.052201.64562430.en.html
It mentions that this step should actually be asynchronous. When will that be implemented?

This is my question to the list: Is there a workaround, or what settings do I need to apply?

Thanks in advance,

Filip Sergeys
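
Added example (not part of the original post, and not Samba code): a small Python profiler for a level 10 log.winbindd in the format quoted above. It reports how many times each call site was hit, how many seconds those hits span, and which group SIDs were sent to the ADS backend by lookup_groupmem. The sample log and its SIDs are constructed, and the function name profile is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+(\S+?):(\w+)\(\d+\)")
SID = re.compile(r"sid=(S-[\w-]+)")
ADS_GROUPMEM = "nsswitch/winbindd_ads.c:lookup_groupmem"

# Constructed sample in the log.winbindd level 10 format quoted in the post.
SAMPLE_LOG = """\
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:55, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1001
[2007/06/25 14:32:40, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1002
[2007/06/25 14:34:10, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1001
"""

def profile(log_text):
    """Return per-call-site (hits, seconds between first and last hit)
    and a Counter of group SIDs queried through the ADS backend."""
    first, last, count = {}, {}, Counter()
    sids = Counter()
    where = None  # call site ("file:function") of the current log record
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            where = f"{m.group(2)}:{m.group(3)}"
            count[where] += 1
            first.setdefault(where, ts)
            last[where] = ts
        elif where == ADS_GROUPMEM:  # body line of a backend group lookup
            sids.update(SID.findall(line))
    spans = {w: (count[w], int((last[w] - first[w]).total_seconds()))
             for w in count}
    return {"spans": spans, "groupmem_sids": sids}

if __name__ == "__main__":
    result = profile(SAMPLE_LOG)
    for site, (hits, secs) in sorted(result["spans"].items(), key=lambda kv: -kv[1][1]):
        print(f"{site}: {hits} hits over {secs}s")
    print("repeated group lookups:", result["groupmem_sids"].most_common(3))
```

A SID that appears more than once in the output means the same group's membership was fetched from the backend repeatedly within the logged window.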
