[Samba] Winbind lookup performance

Matthew J. Salerno vagabond_king at yahoo.com
Thu Oct 22 11:19:59 MDT 2009

Redhat 5.2 x86_64

My system is fully AD integrated; the only issue I have is that when I look up a user's group (id, groups, etc.) it takes forever.  This is causing issues due to the fact that I have PAM policies in place to allow only users from specific groups to log in, sudo and/or su.  When the cache expires, it can take over 2 minutes to perform the lookup.  I'm sure it doesn't help that my AD user account is a member of 120 different groups.  I would imagine that if I could use a custom, more exclusive LDAP filter for the winbind module I could improve performance, but I don't believe that option is available.

Is there a way to speed up the lookup process?


        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 3
        max log size = 4192
        large readwrite = No
        max xmit = 65535
        client signing = Yes
        server signing = Yes
        deadtime = 15
        printcap name = cups
        preferred master = No
        idmap domains = DOMAIN
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap cache time = 302400
        idmap negative cache time = 600
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 1800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = No
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind normalize names = Yes
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:range = 5000-9999999
        idmap config DOMAINN:cache time = 1800
        idmap alloc config:range = 4000 - 4999

