[Samba] Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend

Diego Zuccato diego.zuccato at unibo.it
Tue Nov 24 00:59:41 MST 2009

Hoogstraten, Ton wrote:

> Thank you for your reply. I'm testing with 3.0.33 since that's the latest version Redhat is using in RHEL5 (Redhat has the habit of holding a version and doing backport patching). The 3.2.x version was marked for production and what I saw in FAQ was that the 3.4.x was still to experiment with?
IIUC 3.0 is in "dead" state and nearly unsupported by Samba team. 3.2 is 
in "End of life", 3.4 "current" and 4.x "testing". But I'm not an expert 
and surely someone else is authoritative about it.

> If you mean the 'winbind enum users/groups' setting that has been turned off as suggested in the man pages. If activated it could crash a certain role AD controller. That's not something I can risk. But would that in normal behaviour not fill some kind of cache? If I increase the caching in theory that would perhaps reduce the number of queries required for a user at a given time. I don't know if it would be a problem setting this to 3 days so the cache could also pass over the weekend. Does not take away why it takes so long to query the AD.
IIUC, the only drawbacks in long lasting caches are related to slowing 
down updates propagation -- if you add a user to a group, it could take 
"too much" to actually apply the change to all domain members.

> Is it always slow to query the AD? Would the 3.0.23d server that I need to upgrade be using more caching than the later versions by default?
As I said, I'm not an expert, but I always noticed it's quite slow.
Just tested: looking up "for the first time" (with 'id') a user in 12 
groups took 49s, immediately rerunning 'id' took 'just' 1s.
Running 'id' on other users (that I'm sure weren't in cache) took up to 
2s, and seems it's just loosely correlated to the number of groups.
So it seems that just the first query is slow.

Since our AD trees are quite large (more than 20K users in one domain 
and more than 100K in the other... and really a lot more groups, not 
counting "secondary" domains), I don't think the whole trees can be 
cached in 49s with the first query (at least not on a 100Mbit link). 
Actually, if I enable enum users/groups, winbind takes some minutes to 
start up and needs a couple of GB RAM.

Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato at unibo.it
