[Samba] samba as a domain member: a way to ignore groups?
Michael Tokarev
mjt at tls.msk.ru
Fri Apr 5 18:22:39 UTC 2024
05.04.2024 16:43, Michael Tokarev via samba :
> Now I see samba is doing large amount of setgroups() calls with huge
> amount of groups each time (100+) - based on the domain groups each
> user belongs to. This, and in-kernel group matching code, has become
> quite noticeable in the performance stats, - samba and kernel are doing
> lots of work in this context instead of doing real work.
>
> What is the way to ignore all the domain groups of all domain users?
>
> Will the whole thing work if I'll remove `winbind' from nsswitch.conf:group
> line?
After removing `winbind' from nsswitch.conf:group entry, the server gained
*huge* speedup. Before, each become_user took several *seconds* to get the
list of groups and perform setgroups(), and each file access was also slow
due to in-kernel work with so many groups each user belongs to. This is
a multi-channel connection, handling requests from a single machine but
for multiple users - so effectively, become_user has been called for every
file operation. This is just with about 10 users doing things, - the target
number which the old server is doing is 1000+ users.
Now things are working again.
Dunno what will break with this lack of groups though. We'll see.
Thanks for the help,
/mjt
More information about the samba
mailing list