[Samba] Best way to access the AD database from scripts

Rowland penny rpenny at samba.org
Thu Feb 4 10:07:48 UTC 2021

On 04/02/2021 09:50, Prunk Dump via samba wrote:
> Hello Samba Team and users !
> I wrote some scripts that interoperate with samba to manage users,
> groups and some other AD objects. Everything works fine and I now want
> to improve performance.
> So I would like to know what is the best way in terms of performance
> to read user/group/ou information:
> -> as domain controller
> and
> -> as domain member
> It would be great also if the access has no latency. For example, as a
> domain controller, wbinfo sometimes continues to give user information
> just after deleting the user with samba-tool.
> Is it better to use:
> ldbsearch and access to sam.ldb directly ?
> samba-tool ?
> winbind with wbinfo ?
> winbind with nsswitch tools : uid, getent, ... ?
> the ldap:// protocol ?
> the samba python library ?
> net command ?
> other ?
> Thanks if someone can help me !
> Regards,
> Baptiste.

Your problem isn't so much how you do this as where you do it 😁

AD uses replication, which is usually pretty fast, but sometimes it 
isn't. This means that if you delete a user on one DC and replication is 
slow, the user may still exist on another DC. Using wbinfo has its own 
problems because it may be reading from a cache and this could still 
contain deleted objects.

It doesn't matter if you use ldbsearch, ldapsearch or samba-tool, just 
as long as you do all modifications on the same DC, the PDC_Emulator 
for instance.
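
The following is an added example, not part of the original thread: a shell sketch that finds the PDC emulator and sends both the delete and the follow-up check to that one DC, bypassing the winbind cache. The function names are hypothetical. It assumes the `samba-tool fsmo show` output format shown in the constructed sample, that the DC's DNS name is its server CN plus the realm, and that valid credentials (for example a Kerberos ticket) are already available.

```shell
#!/bin/sh
# Added example: pin every read and write to a single DC (the PDC emulator).

# Constructed sample of `samba-tool fsmo show` output (assumed format).
sample_fsmo_output() {
cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# Read `samba-tool fsmo show` output on stdin, print the PDC emulator's server CN.
pdc_cn_from_fsmo() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1/p' | head -n 1
}

# Build the LDAP URL for that DC. $1 = server CN, $2 = DNS realm.
# Assumption: the DC's host name is <cn>.<realm> in lower case.
dc_url() {
    printf 'ldap://%s.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2"
}

# Delete a user and confirm the deletion on the SAME DC. $1 = URL, $2 = account name.
# Returns 0 = gone, 1 = delete failed, 2 = unsafe name, 3 = object still present.
delete_and_verify() {
    # Refuse names that could alter the LDAP filter below.
    case "$2" in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    samba-tool user delete "$2" -H "$1" || return 1
    # Query the directory directly instead of wbinfo, which may answer from cache.
    if ldbsearch -H "$1" "(sAMAccountName=$2)" dn | grep -q '^dn:'; then
        return 3
    fi
    return 0
}

# Typical use on a live domain (realm is a placeholder):
#   url=$(dc_url "$(samba-tool fsmo show | pdc_cn_from_fsmo)" samdom.example.com)
#   delete_and_verify "$url" someuser
```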

