[Samba] Winbind lookup performance
Matthew J. Salerno
vagabond_king at yahoo.com
Thu Oct 22 11:19:59 MDT 2009
Redhat 5.2 x86_64
samba-3.0.28-0.el5.8
My system is fully AD integrated; the only issue I have is that when I look up a user's group (id, groups, etc.) it takes forever. This is causing issues because I have PAM policies in place to allow only users from specific groups to log in, sudo and/or su. When the cache expires, it can take over 2 minutes to perform the lookup. I'm sure it doesn't help that my AD user account is a member of 120 different groups. I would imagine that if I could use a custom, more exclusive LDAP filter for the winbind module I could improve performance, but I don't believe that option is available.
Is there a way to speed up the lookup process?
Thanks
[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = Samba file and print server
security = ADS
log level = 3
max log size = 4192
large readwrite = No
max xmit = 65535
client signing = Yes
server signing = Yes
deadtime = 15
socket options = TCP_NODELAY IPTOS_LOWDELAY TCP_NODELAY
printcap name = cups
preferred master = No
idmap domains = DOMAIN
idmap backend = tdb
idmap alloc backend = tdb
idmap cache time = 302400
idmap negative cache time = 600
template shell = /bin/bash
winbind separator = +
winbind cache time = 1800
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999
idmap config DOMAINN:cache time = 1800
idmap alloc config:range = 4000 - 4999