[Samba] Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend

Hoogstraten, Ton Ton.Hoogstraten at ingram.nl
Mon Nov 23 05:45:53 MST 2009


Diego,

Thank you for your reply. I'm testing with 3.0.33 since that's the latest version Red Hat is using in RHEL5 (Red Hat has the habit of holding a version and doing backport patching). The 3.2.x version was marked for production and what I saw in the FAQ was that the 3.4.x was still to experiment with?

If you mean the 'winbind enum users/groups' setting, that has been turned off as suggested in the man pages. If activated it could crash a certain role AD controller. That's not something I can risk. But would that in normal behaviour not fill some kind of cache? If I increase the caching, in theory that would perhaps reduce the number of queries required for a user at a given time. I don't know if it would be a problem setting this to 3 days so the cache could also pass over the weekend. That does not take away why it takes so long to query the AD.

What do you mean with:

> Looking up group names is really slow (up to a couple of minutes when using "id user.name" or "groups user.name").

Is it always slow to query the AD? Would the 3.0.23d server that I need to upgrade be using more caching than the later versions by default?

To answer your last question. Yes, the ldap is running on the local system for the idmaps. In production I have one samba server running a master ldap idmap backend and the other samba server configured as slave.

Kind regards,

Ton


-----Original Message-----
From: Diego Zuccato [mailto:diego.zuccato at unibo.it] 
Sent: maandag 23 november 2009 12:42
To: Hoogstraten, Ton
Subject: Re: [Samba] Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend

Hoogstraten, Ton wrote:

> However on the test 3.0.33 system I'm experiencing a problem that I
Why are you using such an ancient version? What about 3.4.x ?

> I think the explanation for the difference in slowness per user is based
> on the group membership of that user. For example an user that is only a
> member of Domain Users takes about 10 seconds to display the shares
> (still too slow in my opinion). For testing purposes I've reduced the
> cache for winbind and idmap so the server needs to keep looking up the
> user and SID information.
Looking up group names is really slow (up to a couple of minutes when 
using "id user.name" or "groups user.name").

Have you tried playing with enum users/groups? If activated on large AD 
trees, it could impact performance a lot!

>         idmap alloc config:ldap_url     = ldap://127.0.0.1/
Are you using a locally running (on localhost!) ldap server?

-- 
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato at unibo.it

