[Samba] Join Samba without GC role

Luchko Dmitriy Luchko.D at digdes.com
Tue Nov 17 08:27:10 UTC 2015


I created a test environment: 1 root domain, 2 subdomains. I created about 250000 user accounts in subdomain 2 (sub2.company.com); ntds.dit is 14 GB. Joining Samba in the first subdomain (sub1) went without problems. But in the production environment (with a lot of domains and objects) the python process hung with 100% CPU (after 6 hours we killed the hung process).
Why can this happen? Is this a Samba subdomain support limitation, a tdb database limitation, a feature of how Samba works with a big Active Directory infrastructure (a lot of sites, domains and objects), or is this a bug?

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Luchko Dmitriy
Sent: Friday, November 06, 2015 10:55 AM
To: Andrew Bartlett <abartlet at samba.org>; samba at lists.samba.org
Subject: Re: [Samba] Join Samba without GC role

It's strange. We have a root domain and a lot of subdomains. We are trying to join Samba to one of the subdomains.
Active Directory DB (NTDS.dit) without GC = 1.2 Gb, with GC = 16 Gb. When we try to join Samba we have the Samba DB limit of 4Gb.
We see that Samba replicates information about all domains in the forest:

descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=domain1,DC=oao,DC=company not found under DC=domain1,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 3c4005a3-6aa9-4776-a23a-d0f632d6ebd8 - using CN=DOMAIN6-DC-02,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 5cefb527-31c5-45b3-98e1-473e54b75ac8 - using CN=DOMAIN6-DC-01,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 29d15948-c550-43ec-91bc-9eea9516197e - using DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 01a7952b-a4e1-4e91-b3cd-74b34307a019 - using DC=domain2,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID c9686534-1edb-48ae-8f2d-808320512b71 - using DC=domain3,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID f45fa54a-8512-4af0-9aab-b24b0ae4b868 - using DC=domain4,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 580df24f-20ba-4cc5-8c51-f95e4fe08d6e - using DC=domain5,DC=oao,DC=company

Can we disable GC in Samba before join?

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, November 02, 2015 9:50 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Re: [Samba] Join Samba without GC role

On Mon, 2015-11-02 at 13:07 +0000, Luchko Dmitriy wrote:
> Thanks for the answer!
> 
> Is it true that if we have subdomains, Samba writes to the DB information only 
> about the join domain?

Operation in the presence of subdomains is not supported.  When we do add it, we will attempt to be a GC and replicate the GC partitions for the whole forest.  This information is critical to the correct operation of the DsCrackNames interface.

> And what does the option --domain-critical-only do? I did not see the 
> difference - with or without.

A smaller set of objects is replicated initially, but the whole domain is replicated once Samba starts.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


