[Samba] winbind file open limits

Jeremy Allison jra at samba.org
Sat Apr 2 00:41:45 UTC 2022 

On Mon, Sep 13, 2021 at 03:32:57PM -0500, Nate Collins via samba wrote:
>We have monitoring in place to detect when processes on servers are
>approaching their open file limits (ulimit -n). On all our Ubuntu servers,
>winbind processes have a soft limit of 270 (this seems to be the default),
>and most winbind processes use up most or all of these open files. We've
>been noticing some domain join flakiness on some of our servers, and
>are trying to determine if processes reaching their soft file limit is
>related or not.
>
>I attempted to increase the open file limits for winbind via LimitNOFILE
>in systemd, and was able to set the hard limit, but not the soft limit:
>
># systemctl show --property MainPID --value winbind
>6194
># cat /proc/6194/limits | grep 'open files'
>Max open files            270                  524288               files
># vim /etc/systemd/system/winbind.service.d/override.conf
># cat /etc/systemd/system/winbind.service.d/override.conf | grep LimitNOFILE
>LimitNOFILE=2048:524287
># systemctl daemon-reload
># systemctl restart winbind
># systemctl show --property MainPID --value winbind
>6269
># cat /proc/6269/limits | grep 'open files'
>Max open files            270                  524287               files
>#
>
>Does winbind adjust the soft limit on process initialization, or is there
>something else at play? Should we be concerned about winbind processes
>reaching their soft file limits?

winbind calculates it's open file limit using this code:

static void winbindd_setup_max_fds(void)
{
         int num_fds = MAX_OPEN_FUDGEFACTOR;
         int actual_fds;

         num_fds += lp_winbind_max_clients();
         /* Add some more to account for 2 sockets open
            when the client transitions from unprivileged
            to privileged socket
         */
         num_fds += lp_winbind_max_clients() / 10;

         /* Add one socket per child process
            (yeah there are child processes other than the
            domain children but only domain children can vary
            with configuration
         */
         num_fds += lp_winbind_max_domain_connections() *
                    (lp_allow_trusted_domains() ? WINBIND_MAX_DOMAINS_HINT : 1);

         actual_fds = set_maxfiles(num_fds);

         if (actual_fds < num_fds) {
                 DEBUG(1, ("winbindd_setup_max_fds: Information only: "
                           "requested %d open files, %d are available.\n",
                           num_fds, actual_fds));
         }
}

So that would normally be:

MAX_OPEN_FUDGEFACTOR = 40
+ lp_winbind_max_clients() = 200 (default)
+ (lp_winbind_max_clients() / 10) = 20
+ 1 * (WINBIND_MAX_DOMAINS_HINT = 10)

which is where the 270 comes from. Might be this
calculation is a bit old. Maybe we should bump
it up.

More information about the samba mailing list