[Samba] samba as a domain member: a way to ignore groups?
Rowland Penny
rpenny at samba.org
Fri Apr 5 14:07:39 UTC 2024
On Fri, 5 Apr 2024 16:43:42 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:
> Hi!
>
> We had stand-alone anonymous samba server serving a read-only share
> as guest account. It worked well but had a few strange issues (like
> lots of noise in logs about bad smb2 signature).
>
> Its been suggested to switch to a domain member server. I didn't see
> the point since we don't need different user IDs and security model,
> but okay, - I joined a new server to a domain.
>
> Now I see samba is doing large amount of setgroups() calls with huge
> amount of groups each time (100+) - based on the domain groups each
> user belongs to. This, and in-kernel group matching code, has become
> quite noticeable in the performance stats, - samba and kernel are
> doing lots of work in this context instead of doing real work.
>
> What is the way to ignore all the domain groups of all domain users?
>
> Will the whole thing work if I'll remove `winbind' from
> nsswitch.conf:group line?
>
> Thanks,
>
> /mjt
>
Have you set 'winbind expand groups' to anything but its default '0' ?
Setting it to a large number could give you the problem you are having.
Rowland
More information about the samba
mailing list