[Samba] winbind limitations

mathias dufresne infractory at gmail.com
Fri Feb 26 15:00:15 UTC 2016


Hi Volker,

I have the same behaviour here without enumerating users or groups. As soon
as the DB increases too much (which is not too much: my tests months ago made
Samba start to hang on certain commands (ldapcmp, wbinfo -u...) around
40000 objects in the Samba database).

On a DC, wbinfo -u hangs today after 10s. This is on the 2 DCs I tested (on
20 DCs). As soon as wbinfo -u is launched, the RPC PID of the Samba processes
eats 100% of one CPU core. This process continues to eat CPU long after
these 10s.
On a member, wbinfo -u takes longer to hang and it seems to be the LDAP
process of the DC trying to reply which eats 100% of one CPU core.

Anyway, on a member and on a DC, wbinfo -u is not working with too many
objects (120k here today).

You spoke about timeouts. Are these timeouts configurable? Can we
increase them?

With 120k users, no computers, no groups, and winbind configured on a member
server, users are retrieved episodically. Sometimes the user exists,
id shows it, wbinfo -i too; sometimes the user does not exist for any
command I tried.

I'm still afraid winbind is not ready to scale up.

Sorry to put it like that...

Cheers,

mathias

2016-02-24 10:41 GMT+01:00 Volker Lendecke <Volker.Lendecke at sernet.de>:

> On Tue, Feb 23, 2016 at 06:58:52PM -0300, Fernando Favero wrote:
> > Hi.
> >
> > Does winbind have limitations with lots of users in the domain?
> >
> > I compiled samba 4.3.1 and created 40 users, so winbind and getent
> > work fine, but when I created 26.000 users, "wbinfo -u" doesn't show
> > users.
>
> I'm sure there's timeouts all over the place with 26.000 users. I'd say
> enumerating that number is not really a good idea. You might have good
> reasons to do so, but I would recommend using direct LDAP against AD to
> get the users. Winbind eventually might get there, but I doubt we have
> proper retries around everywhere to fulfill that.
>
> In normal operations you should never need to enumerate users and
> groups. Doing "getent passwd <username>" on users that successfully
> logged in will always work fine. If it does not, we'll fix it.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>

