[Samba] Question on Safety of Removing TDB Read Locks for LDAP Queries in Large Samba AD DC
f2012 f1
f1f2012 at outlook.com
Mon Dec 15 07:40:27 UTC 2025
Hello Samba Team,
I am running several Samba Active Directory Domain Controller clusters in a cloud environment, each serving approximately 80,000 users.
We have an application that performs LDAP queries requiring a full directory scan. Unfortunately, the application vendor is unwilling to modify or optimize their query. When these LDAP queries are executed, the Samba process frequently reaches 100% CPU usage, which in turn causes other directory operations (such as modifications and writes) to be delayed by up to 10 seconds.
During investigation, I observed that TDB read locking appears to be a significant bottleneck. As an experiment, I modified the locking behavior to remove the read lock for LDAP queries, and this change effectively eliminated the CPU spike and the associated delays.
My questions are:
1. Is it safe to remove or relax TDB read locks for LDAP queries in Samba AD DC?
2. What potential data consistency, correctness, or replication risks might this introduce, especially in a multi-DC environment?
3. Is there an officially supported or recommended approach to handle heavy full-directory LDAP scans at this scale (e.g., configuration tuning, indexing strategies, MDB usage, read replicas, or architectural changes)?
4. Are there any known design constraints in Samba that would make such locking changes fundamentally unsafe?
I understand that modifying Samba’s locking behavior is not ideal, and I would strongly prefer a supported solution or architectural recommendation if one exists. However, given the constraints imposed by the application vendor, I would appreciate guidance on whether this approach is fundamentally unsafe, or if there are alternative mitigations I should consider.
Thank you very much for your time and for the excellent work on Samba.
Samba version: The latest
Best regards