[Samba] Strange LDAP query
Adam Tauno Williams
awilliam at whitemice.org
Thu Oct 8 07:29:17 MDT 2009
On Thu, 2009-10-08 at 14:21 +0200, Julio Gómez Belmonte wrote:
> Hi
>
> We have a large installation consisting of many Citrix servers using 2
> Samba servers as domain controllers, using 2 LDAP 389 Directory
> Servers as user database. Also, there are workstations using the Samba
> servers. These LDAP servers have around 30000 user accounts, and we
> have detected that Samba servers make this ldap search:
You should really [always] specify query size limits on the DSA.
For example -
limits anonymous
    size.soft=512 size.hard=1024 size.unchecked=32767
    time.soft=10 time.hard=60
limits group="cn=Administrators,ou=Entities,ou=Access Control,dc=rss,dc=nw"
    size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
    time.soft=60 time.hard=120
limits dn.exact="uid=syncrepl,ou=Entities,ou=Access Control,dc=rss,dc=nw"
    size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
    time.soft=unlimited time.hard=unlimited
limits users
    size.soft=1024 size.hard=2048 size.unchecked=32767
    time.soft=15 time.hard=60
I'm fairly certain AD imposes query size limits; the client can page
the results if they need to exceed the limit. Since Samba works with AD
I assume it will page results. This makes life much easier for the DSA.
[I assume your Samba servers are not binding to the DSA with the admin
DN.]
> [07/ Oct /2009:13:54:06 +0200] conn=46 op=13 SRCH
> base="dc=domain,dc=my" scope=2
> filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID
> displayName description sambaAcctFlags"
> So Samba is trying to retrieve the 30000 user accounts, making the
> LDAP servers freeze. We don't know what is happening to make this big
> query; I think that this query results from running the "net user"
> command from a Windows or Linux machine, but I cannot find which
> machine is executing that command. Is there any way to obtain which
> host is running this command, or which host is responsible for making
> Samba make that LDAP query?
Enable logging on the DSAs. Maybe "loglevel 768" if I recall correctly;
that should give you statistics for operations (256) and results (512).
> If not, is there any way to make Samba apply an additional filter when
> obtaining accounts? I would like to make the query like
> (&(uid=*)(objectClass=sambaSamAccount)(&(objectClass=myOwnClass)(ou:dn:=People))).
How would that help? Wouldn't it retrieve the same number of objects?
We designed our DIT so that all the Samba and NSS stuff [users & groups]
were beneath ou=SAM, so we have
ou=SAM,
ou=Entities,ou=SAM,
ou=People,ou=Entities,ou=SAM,
ou=System Accounts,ou=Entities,ou=SAM,
ou=Groups,ou=Entities,ou=SAM,
which keeps Samba and other systems out of the rest of the DIT. [Of
course that will all have to be restructured for Samba4/AD]. Sadly
the, rather retarded, PADL conversion scripts created almost a
convention of
,
ou=Groups,
ou=People,
which is a rather crappy design.
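Adam's advice to enable logging on the DSAs and work back from the access log to the offending client can be scripted. The following is an added example, not code from the thread or from Samba: it parses constructed 389 Directory Server access-log lines in the format quoted above, ties each conn= id back to the source IP of its "connection from" line and its BIND dn, and reports every search whose RESULT returned more than a threshold of entries. The sample lines, IP addresses and bind DN are constructed.

```python
import re
from collections import defaultdict

# Constructed 389 DS access-log sample (not from the original post); the SRCH
# line mirrors the one quoted in the thread, the other lines are assumed.
SAMPLE_LOG = """\
[07/Oct/2009:13:54:05 +0200] conn=46 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[07/Oct/2009:13:54:05 +0200] conn=46 op=0 BIND dn="cn=samba,ou=System Accounts,dc=domain,dc=my" method=128 version=3
[07/Oct/2009:13:54:05 +0200] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Oct/2009:13:54:06 +0200] conn=46 op=13 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID displayName description sambaAcctFlags"
[07/Oct/2009:13:54:19 +0200] conn=46 op=13 RESULT err=0 tag=101 nentries=30000 etime=13
[07/Oct/2009:13:54:20 +0200] conn=47 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[07/Oct/2009:13:54:20 +0200] conn=47 op=1 SRCH base="dc=domain,dc=my" scope=2 filter="(uid=jdoe)" attrs="uid"
[07/Oct/2009:13:54:20 +0200] conn=47 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) etime=(\d+)")

def find_large_searches(log_text, threshold=1000):
    """Return (client_ip, bind_dn, base, filter, nentries, etime) for each
    search whose RESULT line reports more than `threshold` entries."""
    client = {}                                   # conn id -> source IP
    bind_dn = defaultdict(lambda: "anonymous")    # conn id -> bound DN
    pending = {}                                  # (conn, op) -> (base, filter)
    hits = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            client[m[1]] = m[2]
        elif m := BIND_RE.search(line):
            bind_dn[m[1]] = m[2] or "anonymous"   # empty dn="" is an anonymous bind
        elif m := SRCH_RE.search(line):
            pending[(m[1], m[2])] = (m[3], m[5])
        elif m := RESULT_RE.search(line):
            key = (m[1], m[2])
            if key in pending:                    # RESULT of a SRCH, not of a BIND
                base, flt = pending.pop(key)
                if int(m[4]) > threshold:
                    hits.append((client.get(m[1], "?"), bind_dn[m[1]], base, flt, int(m[4]), int(m[5])))
    return hits

if __name__ == "__main__":
    for ip, dn, base, flt, n, secs in find_large_searches(SAMPLE_LOG):
        print(f"{ip} as {dn}: {n} entries in {secs}s for {flt} under {base}")
```

Run it against the real access log instead of SAMPLE_LOG to get the IP of the host driving the 30000-entry search; the same RESULT lines show etime, which is what the size and time limits above would cap.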