[Samba] Samba limitations at scale (was: Re: Join Samba without GC role)

Luchko Dmitriy Luchko.D at digdes.com
Wed Nov 18 13:15:40 UTC 2015


Andrew, thanks for the full answer!

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, November 17, 2015 9:34 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Samba limitations at scale (was: Re: [Samba] Join Samba without GC role)

On Tue, 2015-11-17 at 12:44 +0000, Luchko Dmitriy wrote:
> Andrew, thanks for the answer!
> 
> We understand the limitation on subdomains in Samba, but we suggested 
> that it is one cause of the current problem.

We can all agree that this is a current limitation.

> Maybe you know why the python process can hang at 100% CPU? Does 
> Samba have a limitation on groups or OU hierarchy?
> P.S. Maybe our questions are too strange, but we don't have full 
> documentation about Samba limitations and Samba architecture.

There are many limitations in Samba's AD Domain Controller.  It is exciting and frustrating in equal measure to see users stretch Samba to its limits and beyond.  

I say exciting because we never built Samba with explicit limits, and have not done the testing to determine the limitations, and folks have successfully deployed Samba in installations and situations far bigger and more important than I ever would have dreamed!  

On the flip side, we know that Amazon supports a Samba AD DC with their Simple AD, and it is instructive to note that they sell a service going up to 20,000 objects[1].

However, I also say frustrating because at a user support level, there is nothing I can do or suggest that will 'simply' make Samba scale.  We know there are limits around the number of objects that will fit into a 32 bit database, but strongly suspect that there are many other aspects of Samba (such as index updates, full-DB searches and transaction locks) that will degrade well before the 100,000 user case.  These each need non-trivial investigation, isolation and rework.

This isn't to say that your situation is helpless - there is much that can be done.  At a code level, each limitation can be isolated and resolved by skilled administrators and developers working in close collaboration, and so we can raise our scalability.  It is however well beyond what can be achieved by just posting 'it fails' to our user list.

The next step is to identify specific limitations at a source code level and make a proposed resolution, and to then present those to the samba-technical list, or to engage someone to do that for you. 

The use of profiling and debugging tools may assist in that task.

I hope this clarifies things,

Andrew Bartlett

[1] https://aws.amazon.com/directoryservice/pricing/

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, November 17, 2015 11:53 AM
> To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
> Subject: Re: [Samba] Join Samba without GC role
> 
> On Tue, 2015-11-17 at 08:27 +0000, Luchko Dmitriy wrote:
> > I created a test environment: 1 root domain, 2 subdomains. I created 
> > about 250000 user accounts in subdomain 2 (sub2.company.com), 
> > ntds.dit 14gb. Joining samba in the first subdomain (sub1) was without 
> > problem.
> > But in the production environment (with a lot of domains and objects) 
> > the python process hung at 100% CPU (after 6 hours we killed the hung 
> > process).
> > Why can this happen? Is this a samba subdomain support limitation, 
> > a tdb database limitation, a feature of how samba works with a big active 
> > directory infrastructure (a lot of sites, domains and objects), or is 
> > this a bug?
> 
> Samba has simply never been designed or tested for use in the presence 
> of subdomains, nor for that number of objects.
> 
> We hope to add subdomain support, and I have done some work towards 
> that, but it is, as you have noticed, unfinished.
> 
> We would also like to improve Samba to scale up, and to support more 
> diverse domain structures, but it isn't a small task.
> 
> Sorry,
> 
> Andrew Bartlett
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




