----- Original Message ----
From: Matthew J. Salerno <vagabond_king at yahoo.com>
To: samba at lists.samba.org
Sent: Thu, October 22, 2009 1:19:59 PM
Subject: [Samba] Winbind lookup performance
Redhat 5.2 x86_64
samba-3.0.28-0.el5.8
My system is fully AD integrated, the only issue I have is that when I look up a
user's group (id, groups, etc.) it takes forever. This is causing issues due to
the fact that I have pam policies in place to allow only users from specific
groups to log in, sudo and/or su. When the cache expires, it can take over 2
minutes to perform the lookup. I'm sure it doesn't help that my AD user
account is a member of 120 different groups. I would imagine that if I could
use a custom, more exclusive LDAP filter for the winbind module I could improve
performance, but I don't believe that option is available.
Is there a way for speeding up the lookup process?
Thanks
[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 3
        max log size = 4192
        large readwrite = No
        max xmit = 65535
        client signing = Yes
        server signing = Yes
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY TCP_NODELAY
        printcap name = cups
        preferred master = No
        idmap domains = DOMAIN
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap cache time = 302400
        idmap negative cache time = 600
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 1800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = No
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind normalize names = Yes
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:range = 5000-9999999
        idmap config DOMAINN:cache time = 1800
        idmap alloc config:range = 4000 - 4999
I removed winbind enum users = Yes and winbind enum groups = Yes and it seems to
be much faster. Now I just need to make sure everything else is still working
as expected.
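Added example, not part of the original thread or of Samba itself: a small Python check that reads the [global] section of an smb.conf and reports the two enumeration settings the poster removed, plus any "idmap config" domain that differs from the workgroup. The function names are hypothetical, the sample is constructed from the configuration posted above, and the workgroup comparison is only a hint, since trusted domains legitimately use other names.

```python
import re

# Constructed sample: a trimmed copy of the [global] section posted above.
SAMPLE = """\
[global]
    workgroup = DOMAIN
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config DOMAIN:backend = rid
    idmap config DOMAINN:cache time = 1800
"""

TRUE_VALUES = {"yes", "true", "1"}  # smb.conf spellings of an enabled boolean

def norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List enabled enumeration settings and idmap domains != workgroup."""
    params = parse_global(text)
    findings = []
    for name in ("winbind enum users", "winbind enum groups"):
        # Both parameters default to "no" when absent.
        if params.get(norm(name), "no").lower() in TRUE_VALUES:
            findings.append(f"{name} is enabled")
    workgroup = params.get("workgroup", "").upper()
    for key in params:
        m = re.match(r"idmapconfig(.+?):", key)
        if m and m.group(1).upper() not in (workgroup, "*"):
            findings.append(f"idmap config {m.group(1).upper()}: not the workgroup")
    return findings
```
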