[Samba] winbind limitations

mathias dufresne infractory at gmail.com
Wed Feb 24 12:42:17 UTC 2016


Hi Fernando,

For me that's a well known issue of winbind.

You could also notice an issue with "samba-tool ldapcmp ..." and another tool
I don't remember for now. Both do not work anymore once you reach around
40 000 objects in the Samba database.

For ldapcmp a workaround, which is an awful workaround, is to:
1° List all containers
2° For each container -> launch ldapcmp

Unfortunately this process increases a lot the time needed to compare all
data.

As an example:
- we have 20 DCs.
- we have 120 000 users and no computers and no groups in our database.
Comparing sequentially all these DCs against the FSMO owner has been running
for 6 days and it is not finished. We even suspect we only reached half of the
process this noon...

Sorry to not have better news,

mathias

2016-02-23 22:58 GMT+01:00 Fernando Favero <favero.fernando at gmail.com>:

> Hi.
>
> Does winbind have limitations with lots of users in the domain?
>
> I compiled samba 4.3.1 and created 40 users, and winbind and getent worked
> fine, but when I created 26.000 users, "wbinfo -u" doesn't show users.
>
> On DC Member Server, "wbinfo -u" and "getent passwd" don't show users either.
>
> In log.wb-CORP this appears:
> [2016/02/23 18:46:46.319393,  1]
> ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
>   ads reopen failed after error Time limit exceeded
> [2016/02/23 18:46:46.319552,  1]
> ../source3/winbindd/winbindd_ads.c:319(query_user_list)
>   query_user_list ads_search: Time limit exceeded
>
> my smb.conf on DC:
> [global]
>         workgroup = CORP
>         realm = CORP.EXAMPLE.COM
>         netbios name = SRV-401
>         interfaces = lo eth0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         idmap_ldb:use rfc2307 = yes
>
> smb.conf on Member Server:
> [global]
>        netbios name = FS-SERVER1-CORP
>        security = ADS
>        workgroup = CORP
>        realm = CORP.EXAMPLE.COM
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>        winbind refresh tickets = yes
>        winbind trusted domains only = no
>        winbind use default domain = yes
>        winbind enum users  = yes
>        winbind enum groups = yes
>        idmap config *:backend = tdb
>        idmap config *:range = 1000-9999
>        idmap config CORP:backend = ad
>        idmap config CORP:schema_mode = rfc2307
>        idmap config CORP:range = 10000-99999
>        winbind nss info = rfc2307
>        vfs objects = acl_xattr
>        map acl inherit = yes
>        store dos attributes = yes
>
>
> Regards,
> Fernando
> --
>
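The per-container ldapcmp workaround Mathias describes, written out as a script. This is an added example, not code from the thread or from the Samba project; it assumes ldbsearch and samba-tool are on PATH, that `samba-tool ldapcmp` accepts `--base` and `--scope`, and that credentials are supplied by the caller through the CREDS variable.

```shell
#!/bin/sh
# Added example: drive "samba-tool ldapcmp" one container at a time (the
# workaround described in the thread). Not from the thread itself.
# Assumes ldbsearch and samba-tool on PATH and that ldapcmp's --base and
# --scope options are available. Credentials are left to the caller, e.g.
# CREDS="-U CORP\\admin" (prompts for a password) or an existing Kerberos
# ticket plus the kerberos flag appropriate to your samba-tool version.

# Turn LDIF-style ldbsearch output into one container DN per line.
# Folded LDIF lines (continuation lines start with a space) are joined first,
# otherwise long DNs would be truncated. Pure text processing, testable offline.
list_container_dns() {
    sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D' \
      | sed -n 's/^dn: //p' \
      | sort -u
}

# Compare every container under $3 between reference DC $1 and DC $2.
# --scope=ONE limits each run to the direct children of the container, so each
# object is compared once as long as every container-like class is listed in
# the filter below (extend it if your domain uses others).
compare_per_container() {
    ref=$1; dc=$2; base=$3
    ldif=$(ldbsearch -H "ldap://$ref" $CREDS -b "$base" \
        '(|(objectClass=container)(objectClass=organizationalUnit)(objectClass=builtinDomain)(objectClass=domainDNS))' dn) \
      || { echo "ldbsearch against $ref failed" >&2; return 1; }

    printf '%s\n' "$ldif" | list_container_dns | while IFS= read -r dn; do
        echo "== $dn"
        samba-tool ldapcmp "ldap://$ref" "ldap://$dc" domain $CREDS \
            --scope=ONE --base="$dn" \
          || echo "!! differences or errors under $dn (see output above)"
    done
}

# Usage: ./ldapcmp_per_container.sh <fsmo-owner> <other-dc> <domain-dn>
if [ "$#" -ge 3 ]; then
    compare_per_container "$@"
fi
```

Run it once per DC against the FSMO owner; the loop prints a marker per container so a long run can be resumed from the last container seen.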
