[Samba] Samba limitations at scale (was: Re: Join Samba without GC role)

Andrew Bartlett abartlet at samba.org
Tue Nov 17 18:33:31 UTC 2015

On Tue, 2015-11-17 at 12:44 +0000, Luchko Dmitriy wrote:
> Andrew, thanks for the answer!
> We understand about the subdomain limitation in Samba, but we suggested
> that it is one cause of the current problem.

We can all agree that this is a current limitation.

> Maybe you know why the python process can hang with 100% CPU? Does
> samba have a limitation on groups or OU hierarchy?
> P.S. Maybe our questions are too strange, but we don't have full
> documentation about samba limitations and samba architecture.

There are many limitations in Samba's AD Domain Controller.  It is
exciting and frustrating in equal measure to see users stretch Samba to
its limits and beyond.  

I say exciting because we never built Samba with explicit limits, and
have not done the testing to determine the limitations, and folks have
successfully deployed Samba in installations and situations far bigger
and more important than I ever would have dreamed!  

On the flip side, we know that Amazon supports a Samba AD DC with their
Simple AD, and it is instructive to note that they sell a service going
up to 20,000 objects[1].

However, I also say frustrating because at a user support level, there
is nothing I can do or suggest that will 'simply' make Samba scale.  We
know there are limits around the number of objects that will fit into a
32 bit database, but strongly suspect that there are many other aspects
of Samba (such as index updates, full-DB searches and transaction
locks) that will degrade well before the 100,000 user case.  These each
need non-trivial investigation, isolation and rework.  

This isn't to say that your situation is helpless - there is much that
can be done.  At a code level, each limitation can be isolated and
resolved by skilled administrators and developers working in close
collaboration, and so we can raise our scalability.  It is however well
beyond what can be achieved by just posting 'it fails' to our user

The next step is to identify specific limitations at a source code
level and make a proposed resolution, and to then present those to the
samba-technical list, or to engage someone to do that for you. 

The use of profiling and debugging tools may assist in that task.

I hope this clarifies things,

Andrew Bartlett

[1] https://aws.amazon.com/directoryservice/pricing/

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Tuesday, November 17, 2015 11:53 AM
> To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
> Subject: Re: [Samba] Join Samba without GC role
> On Tue, 2015-11-17 at 08:27 +0000, Luchko Dmitriy wrote:
> > I created a test environment: 1 root domain, 2 subdomains. I created
> > about 250000 user accounts in subdomain 2 (sub2.company.com) ntds.dit
> > 14gb. Joining samba in the first subdomain (sub1) was without problem.
> > But in the production environment (with a lot of domains and objects)
> > the python process was hung with 100% CPU (after 6 hours we killed the
> > hung process).
> > Why can this happen? Is this a samba subdomain support limitation, a
> > tdb database limitation, a feature of how samba works with a big active
> > directory infrastructure (a lot of sites, domains and objects), or is
> > this a bug?
> Samba has simply never been designed or tested for use in the
> presence of subdomains, nor for that number of objects.
> We hope to add subdomain support, and I have done some work towards
> that, but it is as you have noticed, unfinished. 
> We would also like to improve Samba to scale up, and to support more
> diverse domain structures, but it isn't a small task.  
> Sorry,
> Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
