[Samba] Samba limitations at scale (was: Re: Join Samba without GC role)

Luchko Dmitriy Luchko.D at digdes.com
Fri Nov 20 11:29:48 UTC 2015

Can I ask about other Samba limitation in this theme?

In Samba 4.3.0 I read about a subdomain limitation: "It's not possible to add users/groups of a trusted domain into domain groups". Can you explain what that means, why this happens, and what the plans for this functionality are?

Also I read about DRS limitations here: https://wiki.samba.org/index.php/Samba4/DRS_TODO_List. Is this information relevant (up to date)?

Can you explain in detail the RID master implementation, phantom objects implementation, and RODC support?

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Luchko Dmitriy
Sent: Wednesday, November 18, 2015 4:16 PM
To: Andrew Bartlett <abartlet at samba.org>; samba at lists.samba.org
Subject: Re: [Samba] Samba limitations at scale (was: Re: Join Samba without GC role)

Andrew, thanks for the full answer!

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, November 17, 2015 9:34 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Samba limitations at scale (was: Re: [Samba] Join Samba without GC role)

On Tue, 2015-11-17 at 12:44 +0000, Luchko Dmitriy wrote:
> Andrew, thanks for the answer!
> We understand about the subdomain limitation in Samba, but we suggested
> that it is one cause of the current problem.

We can all agree that this is a current limitation.

> Maybe you know why the python process can hang with 100% CPU? Does
> samba have a limitation on groups or OU hierarchy?
> p.s. Maybe our questions are too strange, but we don't have full
> documentation about samba limitations and samba architecture.

There are many limitations in Samba's AD Domain Controller.  It is exciting and frustrating in equal measure to see users stretch Samba to its limits and beyond.  

I say exciting because we never built Samba with explicit limits, and have not done the testing to determine the limitations, and folks have successfully deployed Samba in installations and situations far bigger and more important than I ever would have dreamed!  

On the flip side, we know that Amazon supports a Samba AD DC with their Simple AD, and it is instructive to note that they sell a service going up to 20,000 objects[1].

However, I also say frustrating because at a user support level, there is nothing I can do or suggest that will 'simply' make Samba scale.  We know there are limits around the number of objects that will fit into a 32 bit database, but strongly suspect that there are many other aspects of Samba (such as index updates, full-DB searches and transaction locks) that will degrade well before the 100,000 user case.  These each need non-trivial investigation, isolation and rework.

This isn't to say that your situation is helpless - there is much that can be done.  At a code level, each limitation can be isolated and resolved by skilled administrators and developers working in close collaboration, and so we can raise our scalability.  It is however well beyond what can be achieved by just posting 'it fails' to our user list.

The next step is to identify specific limitations at a source code level and make a proposed resolution, and to then present those to the samba-technical list, or to engage someone to do that for you. 

The use of profiling and debugging tools may assist in that task.

I hope this clarifies things,

Andrew Bartlett

[1] https://aws.amazon.com/directoryservice/pricing/

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, November 17, 2015 11:53 AM
> To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
> Subject: Re: [Samba] Join Samba without GC role
> On Tue, 2015-11-17 at 08:27 +0000, Luchko Dmitriy wrote:
> > I created a test environment: 1 root domain, 2 subdomains. I created
> > about 250000 user accounts in subdomain 2 (sub2.company.com);
> > ntds.dit is 14 GB. Joining samba in the first subdomain (sub1) went
> > without problems.
> >  But in the production environment (with a lot of domains and objects)
> > the python process hung with 100% CPU (after 6 hours we killed the
> > hung process).
> > Why could this have happened? Is this a samba subdomain support
> > limitation, a tdb database limitation, a feature of how samba works
> > with a big active directory infrastructure (a lot of sites, domains
> > and objects), or is this a bug?
> Samba has simply never been designed or tested for use in the presence 
> of subdomains, nor for that number of objects.
> We hope to add subdomain support, and I have done some work towards
> that, but it is, as you have noticed, unfinished.
> We would also like to improve Samba to scale up, and to support more 
> diverse domain structures, but it isn't a small task.
> Sorry,
> Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
