[Samba] ad dc performance issues

Wed Sep 18 15:22:22 UTC 2024

Hi

We have been experiencing performance issues with the 4 Samba4 (currently installed version 4.20.4) AD DC domain controllers for a while. We have tested various options, including hidden ones that were not documented. The LDB indices help a bit, but typically on Mondays, when the most customers log in, there is 100% CPU usage by one LDAP process and high RPC process load.
The domain controller appears to freeze for a period of time and cannot handle requests. Even logging in via SSH with the root user (which authenticates through the local passwd) is not possible during this time. The server eventually recovers after a while, but of course, this has restrictive effects on the entire production environment.
We believe the issue lies with the LDAP processes, which, it seems, do not scale very well. We have till 16 CPU cores and plenty of RAM on each system. By starting with prefork children=64, we spawn some subprocesses, but this didn’t really solve the performance issue either.
The underlying operating system is Debian 11, and the ulimits (open files) don’t seem to be a problem because otherwise dmesg would show kernel messages. We also do not have any I/O, RAM, or CPU issues.
Our environment comprises around 4000-5000 clients spread across 4 domain controllers. Most of the clients use Samba file server services and many third-party applications that authenticate through LDAP and via saslauthd on Active Directory.
our smb.conf:

[global]
        netbios name = ###
        realm = ###
        workgroup = ###
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment =
        template homedir = /home/%U
        template shell = /bin/bash
        ldap server require strong auth = No
        # WICHTIG: Radius ntlm_auth
        ntlm auth = Yes
        log level = auth_json_audit:0 auth_audit:3
        #ldb:3@/var/log/ldb.log
        logging = syslog
        password hash gpg key ids = "xyz"
        dns forwarder = a.b.c.d
        dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
        logon script = login.bat
        panic action = /opt/samba/bin/panicRestartSamba.sh
        dns zone transfer clients allow = aaa bbbb
        prefork children = 64
        server min protocol = SMB2_10

        dbindex:objectClass = yes
        dbindex:uid = yes
        dbindex:uidNumber = yes
        dbindex:gidNumber = yes
        dbindex:memberUid = yes
        dbindex:sAMAccountName = yes

        ldb:max-cachesize = 10000000
        ldap timeout = 2
        ldap replication sleep = 1000

Are there any performance parameters for LDB databases or an alternative to LDB for better scalability?

Thanks for any help

Hubert

---

Hubert Kröss

Systeme | sistemi

Südtiroler Gemeindenverband Genossenschaft | Consorzio dei Comuni della Provincia di Bolzano Società Cooperativa
I – 39100 Bozen | Kanonikus-Michael-Gamper-Straße 10 | I – 39100 Bolzano | via Canonico Michael Gamper 10
T. - +39 0471 304 634
info at gvcc.net | https://www.gvcc.net

Gemäß und für die Zwecke der Artikel 12, 13 und 14 der EU-Verordnung 679/2016 finden Sie die Informationen zum Schutz personenbezogener Daten unter folgendem Link: www.gvcc.net/de/Service/Web/Datenschutz
Ai sensi e per gli effetti degli artt. 12, 13 e 14 del Regolamento UE 679/2016 l’informativa relativa alla protezione dei dati personali è reperibile al seguente link: www.gvcc.net/it/Service/Web/Privacy<http://www.gvcc.net/it/Service/Web/Privacy>