[Samba] High cpu load on LDAP

Mon Feb 17 08:08:35 UTC 2025

hi,

For the moment, it looks like the problem has been solved.

I am now using LMDB back end and it is much more performant.

It was noticeable that with kerberos requests the LDAP processes were
under high CPU load. sometimes the system was blocked for several
minutes, so that no answers came.

Now, with LMDB, the situation is completely different. With Kerberos
requests you can see a small CPU load of the KDC processes, but no
longer the high load of the LDAP processes, as expected. 

Many thanks for your help.

Regards,

Heinz

P.s. LMDB does not work with btrfs as underlying filesystem. 

Perhaps this could be noted in the documentation?
https://wiki.samba.org/index.php/Using_the_lmdb_database_backend

Am Donnerstag, dem 23.01.2025 um 14:08 +1300 schrieb Douglas Bagnall
via samba:
> On 9/01/25 06: 27, Marco Gaiarin via samba wrote: > Mandi! Douglas
> Bagnall via samba > In chel di` si favelave. . . > > Sorry for the
> late answer and thanks for all the post. > >> Samba AD does not do
> this rephrasing, probably
>  
> ZjQcmQRYFpfptBannerStart
>   
> 
>     
> 
>       
> 
> 	This Message Is From an External Sender
>       
>       
> 
> This message came from outside your organization.
>       
> 
>     
>     
> 
> 
>     
>  Report Suspicious 
> 
>     
>     
>  
>   
> ZjQcmQRYFpfptBannerEnd
>   
> On 9/01/25 06:27, Marco Gaiarin via samba wrote:
> > Mandi! Douglas Bagnall via samba
> >    In chel di` si favelave...
> > 
> > Sorry for the late answer and thanks for all the post.
> > 
> > > Samba AD does not do this rephrasing, probably because in the
> > > distant
> > > past (a) it was not used at scale, (b) we didn't trust our
> > > backlinks,
> > > and (c) we didn't think of it. We could/should do it now, but it
> > > will
> > > take a bit of work.
> > 
> > But a question still sound on me: if i enable index on Members, i
> > can brake
> > something?
> > 
> > Brake mean 'per se' (eg, Samba does not work anymore) or in
> > 'compatibility'
> > (eg, some AD-enabled apps and client does not work anymore).
> 
> I don't *think* you will break anything. Two situations spring to
> mind 
> in which it might be dangerous:
> 
> 1. Your Samba AD LDB is using a TDB backend, and the database size is
> getting close to 4GB. The extra indexes could push it over the limit.
> 
> 2. You have a mixed domain with Windows DCs. We don't know how
> Windows 
> will react to member being indexed. Probably mostly fine.
> 
> Otherwise it comes down to the question of whether Samba has places 
> where it fatally assumes member is not indexed. I don't think so, but
> sometimes I forget a few millions of lines here or there, so it is
> possible.
> 
> Indexing should be transparent to clients. It's just a question of 
> getting the answer faster or slower.
> 
> Douglas
> 
> 