[Samba] High cpu load on LDAP
Heinz Hölzl
heinz.hoelzl at gvcc.net
Tue Jan 21 08:30:49 UTC 2025
Hi Douglas,
> Samba AD does not do this rephrasing, probably because in the distant
> past (a) it was not used at scale, (b) we didn't trust our backlinks,
> and (c) we didn't think of it. We could/should do it now, but it will
> take a bit of work.
I'm not sure if that's the problem in our AD, but it's a possibility.
We still have massive performance problems every Monday, the ldap
processes are often blocked for up to 10 seconds to 1-2 minutes and
sometimes no longer respond at all.
We have a total of 21500 assignments between users and groups:
ldbsearch -b dc=xxxx,dc=xxx -H /usr/local/samba/private/sam.ldb member | grep ^member | wc -l
21539
I ask you to think about whether this could be the cause of our
problems.
greetings,
Heinz
P.S. I did our DNS setup as suggested by several of you; it was worth a
try but did not improve anything.
On Thursday, 12.12.2024 at 10:30 +1300, Douglas Bagnall via samba wrote:
> hi Marco,
>
> > I've noted that there's no info on the Samba wiki on index
> > manipulation. And I've some doubt.
>
> Doubt is usually appropriate.
>
> > > and trigger a reindex.
> >
> > With:
> > samba-tool dbcheck --reindex
> >
> > right?!
>
> That looks right (I haven't done this myself, so I was being
> deliberately vague).
>
> > > The thing that determines whether an attribute is indexed is whether
> > > its schema definition has an odd number (or in some versions, the
> > > string "fATTINDEX") for the searchFlags attribute.
> > > There is this samba-tool command:
> > > samba-tool schema attribute \
> > > modify \
> > > member \
> > > --searchflags="fATTINDEX" \
> > > --option="dsdb:schema update allowed = true"
> >
> > In the past I've added an index (e.g., for an added 'lasr draft' schema)
> > as:
> >
> > ldbedit -H /var/lib/samba/private/sam.ldb -b CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=mydomain,DC=it --option="dsdb:schema update allowed"=true
> >
> > and adding:
> >
> > searchFlags: 1
> >
> > Is it the same? Is it safest to use 'samba-tool'?
>
> That is doing the same thing. Samba-tool is just doing an ldb edit, and
> "fATTINDEX" is a fancy way of writing "1" for searchFlags.
>
> I guess samba-tool lowers the risk of pushing the wrong buttons in vim
> and ruining everything.
>
> > But the more general question is: AFAIK the Samba AD schema is as
> > compatible as possible to the MS AD schema; so does the MS AD schema
> > have no 'member' index by default? And if true, why?
> >
> > Or does MS AD have no 'index' concept whatsoever and manage AD
> > performance in another way?
>
> These are good questions. MS AD does have indexes (that is what
> "searchFlags: 1" is for), but they never index linked attributes like
> member.
>
> I touched on this further back in the thread, and I think there are two
> reasons:
>
> 1. MS AD probably uses memberOf as an index for member.
>
> An index on member would be used to answer the question "what objects
> have a member attribute with the value X?". But "member" is a linked
> attribute, which means there is an automagical backlink attribute
> ("memberOf") on the object it points to. So you can answer the question
> by rephrasing it as "what objects are pointed to by the memberOf
> attributes of X?", then just looking up X. That should be about as fast
> as an index.
>
> Samba AD does not do this rephrasing, probably because in the distant
> past (a) it was not used at scale, (b) we didn't trust our backlinks,
> and (c) we didn't think of it. We could/should do it now, but it will
> take a bit of work.
>
> 2. People use MS AD differently.
>
> My guess is that a lot of things that seem common in large Samba AD
> deployments, like OpenLDAP integrations and so forth, are not that
> common in MS-only organisations.
>
> cheers,
> Douglas
>
>
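An added example, not from this thread or from Samba itself: a small POSIX shell script that decodes searchFlags the way Douglas describes (fATTINDEX is bit 1, which is why "odd number" means "indexed") and audits ldbsearch schema output offline. The sample LDIF, its DNs and its searchFlags values are constructed for illustration; real values must come from your own sam.ldb.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes the searchFlags attribute of
# AD attributeSchema entries and audits ldbsearch schema output offline.

# MS-ADTS searchFlags bits. fATTINDEX (bit 1) is what makes "odd number"
# mean "indexed" in the thread.
search_flags_names() {
    flags=$1 names=""
    for pair in 1:fATTINDEX 2:fPDNTATTINDEX 4:fANR 8:fPRESERVEONDELETE \
                16:fCOPY 32:fTUPLEINDEX 64:fSUBTREEATTINDEX 128:fCONFIDENTIAL \
                256:fNEVERVALUEAUDIT 512:fRODCFilteredAttribute; do
        bit=${pair%%:*}; name=${pair#*:}
        [ $(( flags & bit )) -ne 0 ] && names="$names${names:+,}$name"
    done
    printf '%s\n' "${names:-none}"
}

# Exit status 0 when the fATTINDEX bit is set (the "odd number" test).
is_indexed() { [ $(( $1 & 1 )) -ne 0 ]; }

# Read LDIF as printed by
#   ldbsearch -H sam.ldb -b CN=Schema,CN=Configuration,<forest DN> \
#       '(objectClass=attributeSchema)' lDAPDisplayName searchFlags
# and print "<attribute> <searchFlags> indexed|not-indexed" per entry.
# Note the thread's point: a linked attribute such as member is never indexed
# in MS AD; "(member=X)" is answered by reading memberOf on X instead.
audit_ldif() {
    awk '
      function emit() { if (name != "") printf "%s %d %s\n", name, flags, (flags % 2 == 1 ? "indexed" : "not-indexed"); name = "" }
      /^dn:/              { emit(); flags = 0 }
      /^lDAPDisplayName:/ { name = $2 }
      /^searchFlags:/     { flags = $2 + 0 }
      END                 { emit() }'
}

# Constructed sample output; values are illustrative, not from a real sam.ldb.
SAMPLE_LDIF='dn: CN=Member,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: member
searchFlags: 0

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: sAMAccountName
searchFlags: 13
'

# Stand-alone run: audit the constructed sample and decode one flags value.
printf '%s' "$SAMPLE_LDIF" | audit_ldif
search_flags_names 13
```

To audit a live domain, replace the constructed SAMPLE_LDIF with the output of the ldbsearch command shown in the comment.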