We have a test samba setup containing two domain controllers (both running samba v4.1.6). Recently we created an ldap group, added around 5000 members to it and then deleted the users from the directory. We set tombstoneLifetime to a few days and waited for these ldap objects to be purged from the system. But we notice that the particular group has slowed down considerably for all ldap operations.

On some investigation we found that the 5000 "member" attributes for the deleted user are still present under the Group object, which are shown only with the "--reveal" flag:

    ldbsearch --reveal -H sam.ldb '(cn=TestGroup)' member

Even tdbtool shows that the record for the particular TestGroup DN has grown to multiple MBs. It shows fields like RMD_ADDTIME, RMD_CHANGETIME, RMD_FLAGS even for the permanently deleted user objects. strace shows that the drs samba process is doing msync() of several MBs of data to the ldb files every time a user modification operation takes place.

Can someone please shed some light on this internal TDB/LDB working of samba? Why aren't these RMD attributes deleted from the system?

Thanks for the help!
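
One way to measure the leftover link values described in the post, as an added example that is not part of the original message: it parses LDIF-style ldbsearch output and counts member values by link state. It assumes the values are printed in extended-DN form (<NAME=value>;...;DN) and that bit 0x1 of RMD_FLAGS marks a deleted link; the sample input and the function names are constructed for illustration.

```python
import base64
import re
from collections import Counter
RMD_FLAG_DELETED = 0x1  # assumption: bit 0 of RMD_FLAGS marks a deleted link
COMPONENT = re.compile(r"<([A-Za-z_]+)=([^>]*)>;")
# Constructed sample, not output from the poster's system.
SAMPLE = """\
dn: CN=TestGroup,CN=Users,DC=example,DC=com
member: <GUID=11111111-1111-1111-1111-111111111111>;<RMD_ADDTIME=13000000000
 0000000>;<RMD_CHANGETIME=130000000100000000>;<RMD_FLAGS=1>;CN=gone1,CN=Users,DC=example,DC=com
member: <GUID=22222222-2222-2222-2222-222222222222>;<RMD_FLAGS=0>;CN=alice,CN=Users,DC=example,DC=com
member: CN=bob,CN=Users,DC=example,DC=com
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_member(value):
    """Split '<K=V>;<K=V>;DN' into (components dict, plain DN)."""
    fields, pos = {}, 0
    while (m := COMPONENT.match(value, pos)):
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields, value[pos:]

def summarize(ldif_text):
    """Count member values, and their total characters, per link state."""
    counts, chars = Counter(), Counter()
    for line in unfold(ldif_text):
        m = re.match(r"member(::?) (.*)", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # base64-encoded LDIF value
            value = base64.b64decode(value).decode("utf-8", "replace")
        fields, _dn = parse_member(value)
        flags = fields.get("RMD_FLAGS")
        state = "no_rmd" if flags is None else (
            "deleted" if int(flags) & RMD_FLAG_DELETED else "active")
        counts[state] += 1
        chars[state] += len(value)
    return counts, chars
```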