[Samba] Linux Workstation x SMB4 DC

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 5 19:58:47 UTC 2015 

On 05/08/15 20:40, Volker Lendecke wrote:
> On Wed, Aug 05, 2015 at 08:13:52PM +0100, Rowland Penny wrote:
>>> # ./exec.sh  |grep ^real
>>> real    0m1.944s
>>> real    0m0.051s
>>> real    0m1.843s
>>> real    0m1.798s
>>> real    0m18.236s
>>> real    0m1.756s
>>> real    0m1.769s
>>> real    0m2.092s
>>> real    0m1.952s
>>> real    0m1.954s
>>> real    0m17.588s
>>> real    0m4.841s
>>> real    1m48.618s
>>> real    1m38.985s
>>> real    2m1.186s
>>> real    1m17.514s
>>> real    1m43.024s
>>> real    1m27.757s
>>> real    1m29.072s
>>>
>> That is not slow, it is glacial :-)
>>
>> >From a certain moment, all workstation have increased response
>>> time. At this moment, you believe in a problem on workstation
>>> configuration?
>>>
>> There is something definitely wrong, but what ?
> I've seen "id <username>" enumerate all groups in certain
> circumstances. Just matching the /etc/group model of group memberships,
> for the /etc/group *file* you have to scan the whole thing to find the
> memberships. There are nss API calls to improve this for other backends,
> but you should make sure you're not running into that for your case.
>
> By the way, "id <username>" is not reliable to list group memberships and
> can't ever be. Windows AD just does not allow winbind to list this. The
> *only* reliable way to figure out group memberships is to successfully
> log into your AD account, either with Kerberos or with NTLM.  For this
> successfully logged in account the group memberships are precise. Nothing
> else will work.
>
> I've had many discussions over this, too many. Here I'd very boldly say to
> "just trust me on this".
>
> Volker
>
Hi Volker, I think I understand what you are saying, to find a users 
groups, first the users record is examined and any groups the user is a 
member off is obtained, then these group records are examined to see if 
the group is a member of another group and if so, this group is examined 
and so on until there are no more groups to examine. This will all take 
time, the more groups, the more time, this was what sort of along the 
lines I was thinking.

So the way to speed up obtaining the users groups, is to not obtain the 
users groups :-)

Rowland

More information about the samba mailing list