[Samba] Is nss_winbind required?

Alex Matthews qoole.samba at lillimoth.com
Thu May 9 02:48:24 MDT 2013

On 09/05/2013 04:00, Andrew Bartlett wrote:
> On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
>> Hi all,
>> Is it a necessity to use the winbind nss module?
>> I have run a few tests and having it enabled creates a massive
>> bottleneck. It's not nss_winbind itself that is the bottleneck but
>> something in the background (I'm guessing uid/rid->username code).
>> If I disable winbind in nsswitch.conf what impact will it have? Will the
>> system continue to work?
>> Please note this last test shows that it is not the nss_winbind module
>> that it slow it is something 'behind the scenes'.
>> Also note that this is not just applicable to the sysvolreset (it was
>> just a convenient method of testing). Copying a directory consisting of
>> many small files (eg a windows roaming profile) can be excruciatingly
>> slow! 50s+ for a 50mb folder!
>> I am sure that it is not a network or drive limitation, copying the
>> folder locally and via NFS happen very quickly and copying the same
>> folder from a standalone S3 install on the same hardware is 'fast' also.
> The issue is that the winbind in the Samba 4.0 AD DC is incredibly
> inefficient.  It is required for the [homes] share to work, but we try
> to avoid needing it for other things.
> I understand this is incredibly frustrating, but what this highlights is
> that we really, really need to start on the project to replace it with
> running the winbindd code from source3.  The challenge is that this is a
> lot of work, which will cause disruption in other parts of the system as
> we generalise stuff and add the plugins we need to hook into the AD DC.
> I'm increasingly of the view that this will need to be a priority soon,
> but it's still hard to get stuck into this stuff.
> Andrew Bartlett
I see, I had figured it would be something along those lines. I for one, 
would love to see this pushed up the todo list! It seems like quite a 
large issue!

So, are you saying that I can split the system into one AD DC serving 
home directories (with nss_windbind enabled) and all other files being 
served from a different AD DC with nss_winbind disabled. I appreciate 
this makes seeing permissions on linux that bit more tricky, but seeing 
as there aren't any real tools for manipulating them yet it's only a 
nicety. Would it make much of a difference?



More information about the samba mailing list