[Samba] High cpu load on LDAP

Heinz Hölzl heinz.hoelzl at gvcc.net
Tue Jan 21 08:30:49 UTC 2025


Hi Douglas,
 
> Samba AD does not do this rephrasing, probably because in the distant
> past (a) it was not used at scale, (b) we didn't trust our backlinks,
> and (c) we didn't think of it. We could/should do it now, but it will
> take a bit of work.

I'm not sure if that's the problem in our AD, but it's a possibility.

We still have massive performance problems every Monday: the LDAP
processes are often blocked for 10 seconds to 1-2 minutes and
sometimes no longer respond at all.

We have a total of 21500 assignments between users and groups:
ldbsearch -b dc=xxxx,dc=xxx -H /usr/local/samba/private/sam.ldb member | grep '^member' | wc -l
21539

I ask you to think about whether this could be the cause of our
problems.

Greetings,
Heinz

P.S. I did our DNS setup as suggested by several of you; it was worth a
try but did not improve anything.


On Thursday, 12.12.2024 at 10:30 +1300, Douglas Bagnall via samba
wrote:
> hi Marco,
> 
> > I've noted that there's no info on the samba wiki on index
> > manipulation, and I have some doubts.
> 
> Doubt is usually appropriate.
> 
> > > and trigger a reindex.
> > 
> > With:
> > 	samba-tool dbcheck --reindex
> > 
> > right?!
> 
> That looks right (I haven't done this myself, so I was being 
> deliberately vague).
> 
> > > The thing that determines whether an attribute is indexed is whether
> > > its schema definition has an odd number (or in some versions, the
> > > string "fATTINDEX") for the searchFlags attribute.
> > > There is this samba-tool command:
> > > samba-tool schema attribute \
> > >       modify  \
> > >       member \
> > >      --searchflags="fATTINDEX" \
> > >      --option="dsdb:schema update allowed = true"
> > 
> > In the past I've added an index (e.g., for an added 'laser draft'
> > schema) as:
> > 
> > 	ldbedit -H /var/lib/samba/private/sam.ldb -b CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=mydomain,DC=it --option="dsdb:schema update allowed=true"
> > 
> > and adding:
> > 
> > 	searchFlags: 1
> > 
> > Is it the same? Is it safer to use 'samba-tool'?
> 
> That is doing the same thing. Samba-tool is just doing an ldb edit, and
> "fATTINDEX" is a fancy way of writing "1" for searchFlags.
> 
> I guess samba-tool lowers the risk of pushing the wrong buttons in vim
> and ruining everything.
> 
> > But the more general question is: AFAIK the Samba AD schema is as
> > compatible as possible with the MS AD schema; so does the MS AD schema
> > have no 'member' index by default? And if true, why?
> > 
> > Or does MS AD have no 'index' concept whatsoever and manage AD
> > performance in another way?
> 
> These are good questions. MS AD does have indexes (that is what
> "searchFlags: 1" is for), but they never index linked attributes like
> member.
> 
> I touched on this further back in the thread, and I think there are two
> reasons:
> 
> 1. MS AD probably uses memberOf as an index for member.
> 
> An index on member would be used to answer the question "what objects
> have a member attribute with the value X?". But "member" is a linked
> attribute, which means there is an automagical backlink attribute
> ("memberOf") on the object it points to. So you can answer the question
> by rephrasing it as "what objects are pointed to by the memberOf
> attributes of X?", then just looking up X. That should be about as fast
> as an index.
> 
> Samba AD does not do this rephrasing, probably because in the distant
> past (a) it was not used at scale, (b) we didn't trust our backlinks,
> and (c) we didn't think of it. We could/should do it now, but it will
> take a bit of work.
> 
> 2. People use MS AD differently.
> 
> My guess is that a lot of things that seem common in large Samba AD 
> deployments, like OpenLDAP integrations and so forth, are not that 
> common in MS-only organisations.
> 
> cheers,
> Douglas
> 
> 



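The thread above turns on two points: Heinz's count of forward "member" links, and Douglas's observation that a "(member=X)" search can be rephrased as a lookup of X's "memberOf" backlinks, which Samba does not yet do and which only works if the backlinks can be trusted. The following Python script is an added example, not code from the thread or from the Samba project. It parses LDIF in the shape `ldbsearch` prints (a constructed sample is embedded; the DNs under DC=example,DC=test are invented), counts the forward links the way the `grep ^member | wc -l` pipeline does, answers "which groups contain X?" both by scanning every group's member values and by reading X's memberOf, and cross-checks the two link directions so that a dangling or missing backlink is reported. To run it against a real domain you would feed it the output of something like `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=group)' member` concatenated with the matching `memberOf` query for users (that invocation is an assumption about the operator's setup). The `is_indexed` helper encodes the "odd searchFlags means fATTINDEX" rule quoted in the thread.

```python
"""Added example (not from the thread): forward 'member' links vs. 'memberOf'
backlinks, parsed from ldbsearch-style LDIF. Sample data is constructed."""
from collections import defaultdict

# Constructed sample in the LDIF shape ldbsearch emits. One long value is
# folded onto a continuation line (leading space) as LDIF allows. carol's
# second memberOf points at a group that does not list her: a dangling backlink.
SAMPLE_LDIF = """\
# record 1
dn: CN=admins,CN=Users,DC=example,DC=test
objectClass: group
member: CN=alice,CN=Users,DC=example,DC=test
member: CN=bob,CN=Users,DC=example,DC=test

# record 2
dn: CN=ops,CN=Users,DC=example,DC=test
objectClass: group
member: CN=alice,CN=Users,DC=example,DC=test
member: CN=carol,CN=Users,
 DC=example,DC=test

# record 3
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
memberOf: CN=admins,CN=Users,DC=example,DC=test
memberOf: CN=ops,CN=Users,DC=example,DC=test

# record 4
dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
memberOf: CN=admins,CN=Users,DC=example,DC=test

# record 5
dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
memberOf: CN=ops,CN=Users,DC=example,DC=test
memberOf: CN=stale,CN=Users,DC=example,DC=test

# returned 5 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attr names lower-cased).
    Handles '#' comments and folded continuation lines; skips base64 ('::')
    values, which ldbsearch only emits for non-printable data."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_links(entries):
    """Return (forward, backward): group DN -> member DNs, object DN -> memberOf DNs.
    DNs are lower-cased because AD compares them case-insensitively."""
    forward, backward = {}, {}
    for e in entries:
        dn = e["dn"][0].lower()
        if "member" in e:
            forward[dn] = {m.lower() for m in e["member"]}
        if "memberof" in e:
            backward[dn] = {g.lower() for g in e["memberof"]}
    return forward, backward


def count_links(forward):
    """Total forward member links: the number `grep ^member | wc -l` reports."""
    return sum(len(members) for members in forward.values())


def groups_of_by_scan(forward, dn):
    """Unindexed (member=dn): visit every object holding a member attribute."""
    dn = dn.lower()
    return {g for g, members in forward.items() if dn in members}


def groups_of_by_backlink(backward, dn):
    """Rephrased query: read dn's memberOf backlinks, a single lookup."""
    return set(backward.get(dn.lower(), ()))


def check_backlinks(forward, backward):
    """Return (missing, dangling) as sets of (object, group) where the two link
    directions disagree. Non-empty sets are why backlinks must be trusted
    before a search can be rephrased onto them."""
    missing = {(m, g) for g, ms in forward.items() for m in ms
               if g not in backward.get(m, set())}
    dangling = {(o, g) for o, gs in backward.items() for g in gs
                if o not in forward.get(g, set())}
    return missing, dangling


def is_indexed(search_flags):
    """fATTINDEX is bit 0 of searchFlags, so an odd value means 'indexed'."""
    return int(search_flags) & 1 == 1


if __name__ == "__main__":
    fwd, back = build_links(parse_ldif(SAMPLE_LDIF))
    alice = "CN=alice,CN=Users,DC=example,DC=test"
    print("member links:", count_links(fwd))
    print("by scan:     ", sorted(groups_of_by_scan(fwd, alice)))
    print("by backlink: ", sorted(groups_of_by_backlink(back, alice)))
    missing, dangling = check_backlinks(fwd, back)
    print("missing backlinks:", sorted(missing))
    print("dangling backlinks:", sorted(dangling))
```

On the sample, both query strategies return the same two groups for alice, and the consistency check reports carol's memberOf entry for the non-existent "stale" group. On a real sam.ldb the scan is the cost Samba pays today for every "(member=X)" search, and a clean `check_backlinks` result is the precondition for the memberOf rephrasing Douglas describes.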