[Samba] High cpu load on LDAP
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Tue Nov 19 22:04:13 UTC 2024
On 19/11/24 02:29, Heinz Hölzl via samba wrote:
> hi,
>
> I have to activate the thread again ...
>
> we keep having preformance problems on the DC, especially on Monday
> morning when the PCs are switched on and the users log in.
>
> some ldap-searches take a very long time, sometimes even over 15
> seconds
>
> e.g:
>
> ldapsrv_SearchRequest: LDAP Query: Duration was 15.74s, SearchRequest
> by S-1-5-21-xxxxxxxxxx-xxxxxxxxxxxxxx-8585 from
> ipv4:192.168.35.117:49240 filter: [(objectClass=user)] basedn:
> [DC=example,DC=net] scope: [SUB] result: Success
>
>
> The load of the ldap processes reaches 100% of a CPU. The ldapserver is
> then no longer responsive.
>
> It seems that the ldapsearches are blocking each other.
>
> The result is very long response times for login and other
> authentications.
>
> we have 6 DC, approx. 10,000 active users and approx. 5000 PC, 10 samba
> fileservers, all with current samba version
>
>
> is there a way to increase the performance here?
>
It would not hurt to delete about 6000 old machine accounts.
But it probably comes down to member searches on big groups, as
discussed in this other thread:
https://lists.samba.org/archive/samba/2024-October/249848.html
The underlying problem is that linked attributes (like member) are not
indexed.
Why are linked attributes not indexed? because that is what the
Microsoft AD schema says.
Why does the AD schema say that? Perhaps because backlinks (like
memberOf) are effectively an index, so an additional index seemed
redundant. Perhaps Microsoft AD actually uses the backlinks as an index
in linked attribute searches. Or perhaps Samba AD is used in different
ways (e.g. with OpenLDAP slurping up all the memberships), so Microsoft
does not often hit this problem.
It is possible to tell Samba to index 'member'. That would probably make
this problem vanish, and there's a reasonable chance there would be no
ill effects. I don't know if anyone has actually tried that.
I would like to solve this as a development problem, but that depends on
time and funding and won't help you now.
BTW, that last thread ended with:
> Am Freitag, dem 30.09.2022 um 09:14 +1300 schrieb Andrew Bartlett:
>> [Sie erhalten nicht häufig E-Mails von abartlet at samba.org. Weitere
>> Informationen, warum dies wichtig ist, finden Sie unter
>> https://aka.ms/LearnAboutSenderIdentification ]
>>
>> Work out which PIDs are high CPU use:
>>
>> netstat -avp | grep <PID>
>>
>> gdb -p <PID>
>> bt full
>>
>> strace -p <PID>
>>
>> as well as a FlameGraph:
>> https://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html#Instructions
>>
>> I would love to get to the bottom of this.
>> Andrew Bartlett
which would still be useful. Just a sampling of
>> gdb -p <PID>
>> bt full
would confirm where the server was spending its time. If `bt full` looks
too revealing, you could use `bt` instead.
Douglas
More information about the samba
mailing list