[Samba] commiting SAM database

Thu Feb 6 09:46:56 UTC 2020

Hi Stefan,

Le 02/06/2020 à 09:13 AM, Stefan Kania via samba a écrit :
> We stopped the migration, because we had to many problems. For your
> information:
>
> The windows-domain was set up in 2002 with windows 2000 and was raised
> up to windows 2012 over the years. The domain is responsible for the
> login of all 20.000 students. So over the years they have over 170.000
> Objects. For the migration we used the 4.11 sernet-packages. We started
> with 32GB of RAM and noticed that this was not enough. We raised the RAM
> to 128GB. After reading all objects the system needed 28GB RAM but then
> the "commiting SAM database" process started and the RAM usage increases
> up to 68GB. Because we have to get the new domain running we stopped the
> migration after 28 hours. Because the original domain is getting all
> objects via an openLDAP (hiphiphuraaaa) we started with a new domain (I
> think it's the best way after 18 years) and now we are pushing all
> objects into the now domain. They getting a new storage and all the
> fileserver have to move anyway so the time is right for making
> everything new.

Samba-AD has gone a long way in term of performance and Samba 4.11 
should fare pretty good at your size of domain... We have done some 
stress testing recently and the join time was pretty decent at around 45 
minutes...
* 120k users objects
* 150k computers objects
* 1k groups with at least 1 group membership per users

Either you have a pile of objects in Deleted Objects container (flush 
them by lowering tombstonelifetime) or you have very huge group 
membership (check if some cleanup can be done or if you could set up 
groups in groups to lower the membership count in groups).

Most of the time it is not necessary to recreate the domain from 
scratch, even if the source domain is in a bad shape. In the worst case 
scenario you can recreate the domain with same domain SID and domain 
name, and then re-inject object while keeping object SID for users and 
group. That way you don't have to do anything on desktops and other 
member servers. Recreating a domain in a MS-AD way of doing thing, 
Samba-AD is much more versatile.

Having an ldap in a university for applicative identity management is 
very common. Most of the time there will be more than one AD domains for 
different branches and a central identity repo that will run some kind 
of ldap implementation and pipe in the account in the AD domains.

> @Andrew We took lmdb as a backend for the database together with bind9.

if using LMDB be sure to use a recent samba version, there was an issue 
with locks on DNS partitions in older version.

Cheers,

Denis

>
> Stefan
>
> Am 03.02.20 um 23:09 schrieb Andrew Bartlett:
>> On Mon, 2020-02-03 at 13:44 +0100, Stefan Kania via samba wrote:
>>> 	Error verifying signature: parse error
>>> --------------ms040700010204060400070803
>>> Content-Type: text/plain; charset=utf-8
>>> Content-Transfer-Encoding: quoted-printable
>>> Content-Language: en-US
>>>
>>> Anyone can give=C2=A0 hint how log it will take to commit the SAM
>>> databas=
>>> e?
>>> We joining a samba 4.11 into a windows domain:
>>>
>>> Partition[DC=3Dexample,DC=3Dde] objects[129301/57641]
>>> linked_values[40647=
>>> /42351]
>>> Done with always replicated NC (base, config, schema)
>>> Replicating DC=3DDomainDnsZones,DC=3Dexample,DC=3Dde
>>> Partition[DC=3DDomainDnsZones,DC=3Dexample,DC=3Dde] objects[83/79]
>>> linked_values[0/0]
>>> Replicating DC=3DForestDnsZones,DC=3Dexample,DC=3Dde
>>> Partition[DC=3DForestDnsZones,DC=3Dexample,DC=3Dde] objects[8/8]
>>> linked_values[0/0]
>>> Exop on[CN=3DRID Manager$,CN=3DSystem,DC=3Dexample,DC=3Dde]
>>> objects[3]
>>> linked_values[0]
>>> Committing SAM database
>>>
>>> Commiting the database is running now for more then an hour, is this
>>> norm=
>>> al?
>> This can take quite some time on that scale on TDB.  LMDB should be
>> faster from memory.
>>
>> Andrew Bartlett
>>
>
>
>
>
>
>

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr