[Samba] Does Netlogon prefork feature of samba-4.10 allow larger user base?

[Andrew Bartlett]

On Wed, 2019-04-17 at 10:27 +0200, Francesco Malvezzi via samba wrote:
> hi all,
> 
> times ago I had a performance bottleneck issues on DCE/RPC process with
> a 50k user base. Once in a while CPU jumped to 100% and users weren't
> able to log in. I decided to reduce the user base to 7k user and
> everything is fine since then.
> 
> Does the 'Netlogon prefork' (a new feature of samba-4.10) mitigate the
> above issue? Is it worth to give a try to raise again the AD users to
> 50k with some confidence that even if high CPU usage shows again at
> least users' logon is yet possible?

Yes, that is exactly why this was added, to gain some ability to handle
parallel load in this area.  Expect Samba 4.11 to be even better as we
continuing to make the processing under the hood more efficient also.

Earlier versions (I forget exactly which, sorry) would fork one worker
per netlogon child in the 'standard' process model, which was the first
step to addressing this (but can cause an overwhelming number of RPC
workers depending on what your clients do). 

Just remember this isn't the default yet, set '-M prefork' on the
command line to use in Samba 4.10.

Finally, if your load is coming from one single Samba winbindd (eg for
a squid proxy) then set 'winbind max domain connections' to a value
greater than 1 on the client. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba