[Samba] winbind limitations

Fri Feb 26 15:25:47 UTC 2016

On Fri, Feb 26, 2016 at 04:00:15PM +0100, mathias dufresne wrote:
> Hi Volker,
> 
> I have same behaviour here without enumerating users or groups. As soon as
> the DB increase too much (which is not too much, my tests months ago made
> Samba starting to hang on certains commands (ldapcmp, wbinfo -u...) around
> 40000 objects in Samba database.
> 
> On DC wbinfo -u is hanging today after 10s. This on the 2 DC I tested (on
> 20 DC). As soon as wbinfo -u is launched RPC PID of Samba processes is
> eating 100% of one CPU core. This process continues to eat CPU long after
> these 10s.

What exact process is chewing CPU here? You are blaming
winbind, but I need to know exactly which winbind process
chews CPU to be sure. If it's a process called "samba", this
is not part of core winbind but it is part of the AD DC
component of the Samba software suite.

> On member wbinfo -u is longer to hang and it seems to be LDAP process of
> the DC trying to reply which eat 100% of one CPU core.

What do you EXACTLY mean by "LDAP process"? winbind does do
LDAP as a client, so it might qualify as "LDAP process". I
need to know which winbind process chews indefinite CPU to
fix this in winbind. However, if it is in the "samba"
process then we should not blame winbind but the LDAP
process.

> Anyway, on member and on DC wbinfo -u is not working with too much objects
> (120k here today).
> 
> You spoke about timeout. Are they configurable these timeout? Can we
> increase them?
> 
> With 120k users, no computers, no groups, winbind configured on member
> server users are retrieved episodically.  Sometimes the user is existing,

Winbind starts enumerations on its own? That is a SEVERE bug that we
need to fix. Can you get us more information about the circumstances
when winbind starts enumerating stuff on its own?

> id shows it, wbinfo -i too, sometimes the user do not exists for any
> command I tried.
> 
> I'm still afraid winbind is not ready to scale up.
> 
> Sorry to put it like that...

What you describe to me sounds like that the Samba DC is not yet ready to
serve 120k objects. Winbind just does LDAP and/or RPC requests. Eventually
it gives up. If the DC component still chews CPU indefinitely, is that
really winbind's fault?

If this about sssd vs winbind again, we need to fix winbind!

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de