[Samba] Is nss_winbind required?

Alex Matthews qoole.samba at lillimoth.com
Thu May 9 05:30:22 MDT 2013

On 09/05/2013 09:56, Andrew Bartlett wrote:
> On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote:
>> On 09/05/2013 04:00, Andrew Bartlett wrote:
>>> On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
>>>> Hi all,
>>>> Is it a necessity to use the winbind nss module?
>>>> I have run a few tests and having it enabled creates a massive
>>>> bottleneck. It's not nss_winbind itself that is the bottleneck but
>>>> something in the background (I'm guessing uid/rid->username code).
>>>> If I disable winbind in nsswitch.conf what impact will it have? Will the
>>>> system continue to work?
>>>> Please note this last test shows that it is not the nss_winbind module
>>>> that is slow; it is something 'behind the scenes'.
>>>> Also note that this is not just applicable to the sysvolreset (it was
>>>> just a convenient method of testing). Copying a directory consisting of
>>>> many small files (e.g. a Windows roaming profile) can be excruciatingly
>>>> slow! 50s+ for a 50MB folder!
>>>> I am sure that it is not a network or drive limitation, copying the
>>>> folder locally and via NFS happen very quickly and copying the same
>>>> folder from a standalone S3 install on the same hardware is 'fast' also.
>>> The issue is that the winbind in the Samba 4.0 AD DC is incredibly
>>> inefficient.  It is required for the [homes] share to work, but we try
>>> to avoid needing it for other things.
>>> I understand this is incredibly frustrating, but what this highlights is
>>> that we really, really need to start on the project to replace it with
>>> running the winbindd code from source3.  The challenge is that this is a
>>> lot of work, which will cause disruption in other parts of the system as
>>> we generalise stuff and add the plugins we need to hook into the AD DC.
>>> I'm increasingly of the view that this will need to be a priority soon,
>>> but it's still hard to get stuck into this stuff.
>>> Andrew Bartlett
>> I see, I had figured it would be something along those lines. I for one,
>> would love to see this pushed up the todo list! It seems like quite a
>> large issue!
>> So, are you saying that I can split the system into one AD DC serving
>> home directories (with nss_winbind enabled) and all other files being
>> served from a different AD DC with nss_winbind disabled? I appreciate
>> this makes seeing permissions on Linux that bit more tricky, but seeing
>> as there aren't any real tools for manipulating them yet it's only a
>> nicety. Would it make much of a difference?
> Making it a member server and a DC would be the better combination.
> Andrew Bartlett

Having re-read your message: is your suggestion to have an AD DC serving
home directories and member servers (as described here:
https://wiki.samba.org/index.php/Samba4/Domain_Member but skipping the
enabling nss_winbind step) serving everything else?
