[Samba] samba as a domain member: a way to ignore groups?

Michael Tokarev mjt at tls.msk.ru
Fri Apr 5 18:22:39 UTC 2024


05.04.2024 16:43, Michael Tokarev via samba :

> Now I see samba is doing large amount of setgroups() calls with huge
> amount of groups each time (100+) - based on the domain groups each
> user belongs to.  This, and in-kernel group matching code, has become
> quite noticeable in the performance stats, - samba and kernel are doing
> lots of work in this context instead of doing real work.
> 
> What is the way to ignore all the domain groups of all domain users?
> 
> Will the whole thing work if I'll remove `winbind' from nsswitch.conf:group
> line?

After removing `winbind' from nsswitch.conf:group entry, the server gained
*huge* speedup.  Before, each become_user took several *seconds* to get the
list of groups and perform setgroups(), and each file access was also slow
due to in-kernel work with so many groups each user belongs to.  This is
a multi-channel connection, handling requests from a single machine but
for multiple users - so effectively, become_user has been called for every
file operation.  This is just with about 10 users doing things, - the target
number which the old server is doing is 1000+ users.

Now things are working again.

Dunno what will break with this lack of groups though.  We'll see.

Thanks for the help,

/mjt



More information about the samba mailing list