[Samba] Winbindd has still bottlenecks when used with interdomain trusts.

Harald Strack harry at code.de
Thu Mar 8 22:24:10 GMT 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am already making tests with samba 3.0.25pre1 but because of this core
dump problem, I tell you more about my stuff concerning the older samba
versions, because I think there is a main design
problem in winbindd.
>
> So you basically want the apache prefork model to be able to have a
poll of children to answer application requetssts for a domain.  Correct ?
>
Exactly!
> Is is specifically the idmap lookups that are causing you pain ?  I've
having a hard time understanding exactly what your problem is.
>
No. The functions that are called on the trusting domain are most of the
time (3.0.14a):

winbindd_gid_to_sid

and

check_ntlm_password

This means my problem seems to be idmapping AND the authentication.

In fact these functions are called for every authentication request and
they are executed one after the other. Imagine: 30 users, everyone
accessing netlogon, profiles and two shares these functions
are called 120 times, each call executed one after the other using one
winbindd connection to the trusted domain... that is causing huge delays
when people logging in and sometimes the users cannot
login at all!

If we had multiple winbindd workers the problem would be eliminated. I
will send you personally a graphical exposition of the problem (about
100Kb). For it is in german, but you will understand it
(if not, tell me and I am going to create an english version)

I did also a test with 3.0.24a:

there occurs only

check_ntlm_password

for each request, but also serialized. That is indeed a great
improvement but will still cause problems when too many users performing
any kind of interdomain trust authentication (logon, mounting,
profiles...) at the same time. It is THE BOTTLENECK!

Do you think it would be good idea to work on an parallelized
improvement of winbindd for these
check_ntlm_passwod calls?

Best regards

Harald Strack





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF8I0JczpSApoeLSQRAh1lAJsH1jCsCFvSrvLwLPBC6znZwiJZzgCeOeYp
aiodwry/fP9LF0aSG2g9kh8=
=CD7g
-----END PGP SIGNATURE-----

More information about the samba mailing list