[Samba] winbind normalize names = yes disable winbind cache mechanism and cause LDAP heavy load / poor performances

Patrick Nomblot pnomblot at besancon.parkeon.com
Thu Aug 9 02:34:29 MDT 2012


Context :

Linux client Ubuntu 12.04, SSO authentication against a Microsoft 2008 AD
server, Winbind 3.6.3 (Ubuntu 12.04 LTS, Linux 3.2.0-27-generic, winbind
2:3.6.3-2ubuntu2.3)


I have discovered that setting the option "winbind normalize names = yes"
causes the winbind client to send an LDAP search for each username/group
resolution, even for those in the cache. Setting this option to "No" makes
winbind use the cache; putting winbind in offline mode works fine too
(smbcontrol winbind offline). This behaviour causes heavy load on
client/server when resolving a full tree of files, or simply slows down Apache
SSO authentication based on winbind, as each web object read will cause
multiple LDAP searches before serving.

How to reproduce :

running shell command

# id pnomblot

will make winbind send 3 LDAP searches to resolve the pnomblot alias (can be
checked with wireshark)

for i in {0..10}; do id pnomblot ;done

causes 30 LDAP searches to be sent to the LDAP server to resolve the same id.



My smb.conf :

[global]
         workgroup = nomblot.org
         realm = nomblot.org
         security = ads
         domain master = no
         local master = no
         allow trusted domains = no
         socket options = TCP_NODELAY
         template homedir = /home/%U
         template shell = /bin/bash
         kerberos method = secrets and keytab
         password server = *
         client ntlmv2 auth = yes
         idmap config NOMBLOT:backend = ad
         idmap config NOMBLOT:default = yes
         idmap config NOMBLOT:schema_mode = rfc2307
         idmap config NOMBLOT:range = 500 - 300000000
         idmap config *:backend = ad
         idmap config *:range = 500 - 300000000
         idmap cache time = 1209600
         idmap negative cache time = 1209600
         username map cache time = 300
         winbind cache time = 300
         winbind expand groups = 10
         winbind use default domain = yes
         winbind refresh tickets = yes
         winbind nss info = rfc2307
         winbind offline logon = yes
         winbind enum users = no
         winbind enum groups = no
         winbind nested groups = yes
         winbind reconnect delay = 5
         winbind normalize names = yes
         dns proxy = no
         log file = /var/log/samba/log.%m
         log level = 0 idmap:0 winbind:1
         max log size = 1000
         obey pam restrictions = yes
         pam password change = yes
         name resolve order = host
         create krb5 conf = no
         private dir = /var/lib/samba
         state directory = /var/lib/samba
         cache directory = /var/cache/samba
         lock directory = /var/lib/samba
         pid directory = /var/run
         dos charset = ASCII
         unix charset = UTF8
         display charset = UTF8
         invalid users = root daemon bin sys sync games man lp ...
#end of smb.conf


Hope this can help the samba project,

Any useful comment is appreciated.

Thanks

Patrick.

-- 

Patrick Nomblot
Systems & Networks Engineer
Parkeon

Parc Lafayette - 6 rue Isaac Newton
25075 Besancon - Cedex 9 - France
Phone +33(0) 381 545 212
Mobile +33(0) 633 323 423
Fax +33(0) 381 527 638
pnomblot at parkeon.com
www.parkeon.com
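The post's point is that one smb.conf setting silently turns every name lookup into LDAP traffic, which is easy to miss in a long [global] section. The following is an added example, not code from the post or from the Samba project: a small smb.conf parser and linter that reads the [global] section, normalises keys the way Samba does (case-insensitive, internal whitespace ignored), and reports the cache-related winbind settings discussed above. The sample configuration embedded in it is constructed from the post's smb.conf; the default values used for absent keys (winbind cache time 300, winbind offline logon no) are Samba's documented defaults, and the finding text for "winbind normalize names" restates the post's observation rather than anything verified independently.

```python
"""Lint an smb.conf [global] section for winbind cache-defeating settings.

Added example (not from the mailing-list post or the Samba project).
"""
import re

# Boolean spellings accepted by Samba's parameter parser.
TRUE_WORDS = {"yes", "true", "1", "on"}
FALSE_WORDS = {"no", "false", "0", "off"}

# Constructed sample, reduced from the smb.conf in the post.
SAMPLE_SMB_CONF = """
[global]
         workgroup = nomblot.org
         security = ads
         Winbind Cache Time = 300
         winbind offline logon = yes
         winbind normalize names = yes
         idmap config NOMBLOT:backend = ad
# end of sample
"""


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf body.

    Samba keys are case-insensitive and ignore internal whitespace, so
    'Winbind Cache Time' and 'winbind cache time' map to the same key.
    Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def as_bool(value, default=False):
    """Interpret a Samba boolean value; absent keys take the given default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def check_winbind_cache(text):
    """Return a list of human-readable findings about winbind caching."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # The post reports that this option makes winbind skip its cache and
    # issue LDAP searches on every name/group resolution.
    if as_bool(g.get("winbindnormalizenames")):
        findings.append(
            "winbind normalize names = yes: reported to bypass the winbind "
            "cache, so every name/group lookup becomes an LDAP search"
        )
    # Samba default for 'winbind cache time' is 300 seconds.
    if int(g.get("winbindcachetime", "300")) == 0:
        findings.append("winbind cache time = 0: caching disabled entirely")
    # Samba default for 'winbind offline logon' is no.
    if not as_bool(g.get("winbindofflinelogon"), default=False):
        findings.append("winbind offline logon = no: offline mode is unavailable")
    return findings


if __name__ == "__main__":
    for finding in check_winbind_cache(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

Run it against a real smb.conf by reading the file into `check_winbind_cache`; a clean configuration returns an empty list. The parser deliberately keeps values as raw strings so that range specifications such as `500 - 300000000` survive untouched.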