[Samba] Is nss_winbind required?

Andrew Bartlett abartlet at samba.org
Thu May 9 02:56:43 MDT 2013

On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote:
> On 09/05/2013 04:00, Andrew Bartlett wrote:
> > On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
> >> Hi all,
> >>
> >> Is it a necessity to use the winbind nss module?
> >> I have run a few tests and having it enabled creates a massive
> >> bottleneck. It's not nss_winbind itself that is the bottleneck but
> >> something in the background (I'm guessing uid/rid->username code).
> >> If I disable winbind in nsswitch.conf what impact will it have? Will the
> >> system continue to work?
> >> Please note this last test shows that it is not the nss_winbind module
> >> that it slow it is something 'behind the scenes'.
> >> Also note that this is not just applicable to the sysvolreset (it was
> >> just a convenient method of testing). Copying a directory consisting of
> >> many small files (eg a windows roaming profile) can be excruciatingly
> >> slow! 50s+ for a 50mb folder!
> >> I am sure that it is not a network or drive limitation, copying the
> >> folder locally and via NFS happen very quickly and copying the same
> >> folder from a standalone S3 install on the same hardware is 'fast' also.
> > The issue is that the winbind in the Samba 4.0 AD DC is incredibly
> > inefficient.  It is required for the [homes] share to work, but we try
> > to avoid needing it for other things.
> >
> > I understand this is incredibly frustrating, but what this highlights is
> > that we really, really need to start on the project to replace it with
> > running the winbindd code from source3.  The challenge is that this is a
> > lot of work, which will cause disruption in other parts of the system as
> > we generalise stuff and add the plugins we need to hook into the AD DC.
> >
> > I'm increasingly of the view that this will need to be a priority soon,
> > but it's still hard to get stuck into this stuff.
> >
> > Andrew Bartlett
> >
> I see, I had figured it would be something along those lines. I for one, 
> would love to see this pushed up the todo list! It seems like quite a 
> large issue!
> So, are you saying that I can split the system into one AD DC serving 
> home directories (with nss_windbind enabled) and all other files being 
> served from a different AD DC with nss_winbind disabled. I appreciate 
> this makes seeing permissions on linux that bit more tricky, but seeing 
> as there aren't any real tools for manipulating them yet it's only a 
> nicety. Would it make much of a difference?

Making it a member server and a DC would be the better combination.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list