[Samba] samba4 ldap high load and port queue overflow

Andrew Bartlett abartlet at samba.org
Thu Nov 26 19:08:20 UTC 2015

On Thu, 2015-11-26 at 11:43 +0300, Yuriy Tabolin wrote:

> Thanks for the answer.
> I found that the high load on LDAP was generated by nss on the mail
> server. When resolving one user, nss asks LDAP for information about all
> the groups the user belongs to and then all users of those groups. This
> generates many queries to LDAP. OpenLDAP (which I used earlier) works
> fine with this load; Samba LDAP has some problem. Now I have switched nss
> on the mail server back to my old OpenLDAP and it works well. If I can't
> resolve the performance problem with Samba LDAP, I will try to use nscd
> for caching nss queries, or something else.

I would suggest joining the mail server to the Samba domain, and using
nss_winbind (set 'winbind use default domain = yes' and if required
'winbind enum users = yes') or perhaps sssd.  In short, anything but
nss_ldap, which by its nature has no ability to make a persistent
connection to the AD DC.

> Interesting: when I had the problem with Samba LDAP I tried load
> balancing the DCs and sending all nss queries to the second DC (dc2).
> The problem did not go away. Then I saw high load on both my DCs on the
> same site, dc1 and dc2: the samba processes on both DCs were permanently
> loaded at 20-40%. After I switched nss to OpenLDAP I found that the load
> on both DCs decreased; now it is about 3-7% permanently, even on dc1,
> which does not serve nss queries. dc1 has all FSMO roles in my domain;
> maybe the reason for the high load on it is permanent replication with
> dc2, or retransmitted queries from dc2?

No queries are re-submitted, but there may be other factors going on.

> Now I have a test domain and can easily repeat the problem: set up a
> server with nss to LDAP and run a simple script
> for i in `cat file-with-all-users-in-domain` ; do id "$i" & done
> This script runs for minutes, and on the Samba server I see messages
> like
> kernel: sonewconn: pcb 0xfffff800753d6ab8: Listen queue overflow: 16 already in queue awaiting acceptance (3018 occurrences)
> When I have free time, I will try to add a Linux DC to my test domain
> and run the same test on Linux.

Each of those queries opens an LDAP connection, authenticates as a new
user (in that we have to check the password again), re-opens the
databases (hence the mkdir and stat calls), possibly loads the schema,
makes a very simple query, and then closes the socket.  This is
essentially the worst possible case for Samba.

Against OpenLDAP, you probably used an anonymous socket, so even at the
very start the Samba server has to do twice as much work, before we hit
the lack of optimisation in this codepath.

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
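The kernel message quoted in the thread is the symptom an administrator would want to catch before users notice failed lookups. The following is an added example (not code from the thread or from the Samba project) that parses FreeBSD "sonewconn ... Listen queue overflow" lines from a syslog file, tracks the per-listener cumulative counter the kernel reports, and flags listeners whose counter keeps growing. The message format is assumed from the single line quoted above; the sample log lines, hostnames, pcb addresses and counts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample syslog lines modelled on the FreeBSD "sonewconn" message
# quoted in the thread. Hostnames, timestamps, pcb addresses and counts are
# made up for this example.
SAMPLE_LOG = """\
Nov 26 10:01:12 dc1 kernel: sonewconn: pcb 0xfffff800753d6ab8: Listen queue overflow: 16 already in queue awaiting acceptance (3018 occurrences)
Nov 26 10:02:07 dc1 kernel: sonewconn: pcb 0xfffff800753d6ab8: Listen queue overflow: 16 already in queue awaiting acceptance (3451 occurrences)
Nov 26 10:02:09 dc1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234
Nov 26 10:03:30 dc1 kernel: sonewconn: pcb 0xfffff80071aa0000: Listen queue overflow: 129 already in queue awaiting acceptance (12 occurrences)
"""

# One regex for the kernel message (format assumed from the thread): the pcb
# address identifies the listening socket, "queued" is the backlog that was
# already full, and "occurrences" is the kernel's cumulative count for it.
OVERFLOW_RE = re.compile(
    r"sonewconn: pcb (?P<pcb>0x[0-9a-fA-F]+): Listen queue overflow: "
    r"(?P<queued>\d+) already in queue awaiting acceptance "
    r"\((?P<occurrences>\d+) occurrences\)"
)


@dataclass
class Overflow:
    pcb: str
    queued: int
    occurrences: int


def parse_overflows(lines: Iterable[str]) -> List[Overflow]:
    """Extract every listen-queue overflow event, ignoring unrelated lines."""
    events = []
    for line in lines:
        m = OVERFLOW_RE.search(line)
        if m:
            events.append(Overflow(m.group("pcb"), int(m.group("queued")),
                                   int(m.group("occurrences"))))
    return events


def new_overflows_per_listener(events: List[Overflow]) -> Dict[str, int]:
    """Growth of the cumulative counter per listener across the log window.

    The kernel reports a running total, so the difference between the first
    and last report for a pcb is the number of overflows that happened while
    the log was being collected; a listener seen only once contributes 0.
    """
    first: Dict[str, int] = {}
    last: Dict[str, int] = {}
    for ev in events:
        first.setdefault(ev.pcb, ev.occurrences)
        last[ev.pcb] = ev.occurrences
    return {pcb: last[pcb] - first[pcb] for pcb in first}


def listeners_to_investigate(events: List[Overflow], threshold: int) -> List[str]:
    """Listeners whose overflow counter grew by at least `threshold` events."""
    growth = new_overflows_per_listener(events)
    return sorted(pcb for pcb, n in growth.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_overflows(SAMPLE_LOG.splitlines())
    for pcb, n in new_overflows_per_listener(evs).items():
        print(f"{pcb}: {n} new overflows in window")
    print("investigate:", listeners_to_investigate(evs, 100))
```

Because the kernel counter is cumulative, a single message with a large count only says the listener overflowed at some point in the past; the growth between consecutive reports is what tells you the backlog is overflowing now, which is the condition the connection-per-lookup behaviour of nss_ldap described above produces.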
