Rowland penny
2021-Feb-04 10:07 UTC
[Samba] Best way to access the AD database from scripts
On 04/02/2021 09:50, Prunk Dump via samba wrote:
> Hello Samba Team and users !
>
> I wrote some scripts that interoperate with samba to manage users,
> groups and some other AD objects. Everything works fine and I now want
> to improve performance.
>
> So I would like to know what is the best way in terms of performance
> to read user/group/ou information :
> -> as domain controller
> and
> -> as domain member
>
> It would be great also if the access has no latency. For example, as a
> domain controller, wbinfo sometimes continues to give user information
> just after deleting the user with samba-tool.
>
> Is this better to use :
>
> ldbsearch and access to sam.ldb directly ?
> samba-tool ?
> winbind with wbinfo ?
> winbind with nsswitch tools : uid, getent, ... ?
> the ldap:// protocol ?
> the samba python library ?
> net command ?
> other ?
>
> Thanks if someone can help me !
>
> Regards,
>
> Baptiste.

Your problem isn't so much how you do this, as where you do it.

AD uses replication, which is usually pretty fast, but sometimes it isn't. This means that if you delete a user on one DC and replication is slow, the user may still exist on another DC. Using wbinfo has its own problems because it may be reading from a cache and this could still contain deleted objects.

It doesn't matter if you use ldbsearch, ldapsearch or samba-tool, just as long as you do all modifications on the same DC, the PDC_Emulator for instance.

Rowland
Thank you very much Rowland !

Sorry for my late reply. I have so much work this week.

So with your advice I will move all my winbind and nsswitch calls to some ldbsearch calls.

Thanks again !

Baptiste.

On Thu, 4 Feb 2021 at 11:08, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 04/02/2021 09:50, Prunk Dump via samba wrote:
> > Hello Samba Team and users !
> >
> > I wrote some scripts that interoperate with samba to manage users,
> > groups and some other AD objects. Everything works fine and I now want
> > to improve performance.
> >
> > So I would like to know what is the best way in terms of performance
> > to read user/group/ou information :
> > -> as domain controller
> > and
> > -> as domain member
> >
> > It would be great also if the access has no latency. For example, as a
> > domain controller, wbinfo sometimes continues to give user information
> > just after deleting the user with samba-tool.
> >
> > Is this better to use :
> >
> > ldbsearch and access to sam.ldb directly ?
> > samba-tool ?
> > winbind with wbinfo ?
> > winbind with nsswitch tools : uid, getent, ... ?
> > the ldap:// protocol ?
> > the samba python library ?
> > net command ?
> > other ?
> >
> > Thanks if someone can help me !
> >
> > Regards,
> >
> > Baptiste.
> >
>
> Your problem isn't so much how you do this, as where you do it.
>
> AD uses replication, which is usually pretty fast, but sometimes it
> isn't. This means that if you delete a user on one DC and replication is
> slow, the user may still exist on another DC. Using wbinfo has its own
> problems because it may be reading from a cache and this could still
> contain deleted objects.
>
> It doesn't matter if you use ldbsearch, ldapsearch or samba-tool, just
> as long as you do all modifications on the same DC, the PDC_Emulator
> for instance.
>
> Rowland
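
The advice in this thread (send every modification and every lookup to the same DC, and read with ldbsearch rather than through the winbind cache) can be sketched as a small wrapper. This is an added example, not code from either poster or from the Samba project. It assumes `samba-tool` and `ldbsearch` are on the PATH; the `PinnedDC` class, its methods and the DC URL are hypothetical, and authentication options are site-specific and passed in through `extra_args`.

```python
import subprocess

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


class PinnedDC:
    """Hypothetical helper: send every read and write to one DC, so that
    replication lag and the winbind cache cannot return a stale answer."""

    def __init__(self, url, extra_args=(), runner=subprocess.run):
        self.url = url                      # ldap:// URL of one DC (placeholder), or a sam.ldb path on that DC
        self.extra_args = list(extra_args)  # authentication options, site-specific (assumption)
        self.runner = runner                # replaceable for dry runs and tests

    def _run(self, argv):
        # argv is a list, so no shell ever parses the user name.
        return self.runner(argv, capture_output=True, text=True, check=True).stdout

    def delete_user(self, name):
        if name.startswith("-"):
            raise ValueError("user name would be parsed as a command-line option")
        self._run(["samba-tool", "user", "delete", name, "-H", self.url, *self.extra_args])

    def user_exists(self, name):
        flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(name)
        out = self._run(["ldbsearch", "-H", self.url, *self.extra_args, flt, "dn"])
        # ldbsearch prints LDIF; every returned entry starts with a "dn:" line.
        return any(line.startswith("dn:") for line in out.splitlines())


if __name__ == "__main__":
    dc = PinnedDC("ldap://dc1.example.test")  # constructed placeholder host
    dc.delete_user("olduser")
    print("still present on this DC:", dc.user_exists("olduser"))
```

Because the delete and the follow-up search go to the same URL, the search reflects the delete immediately; other DCs catch up when replication completes.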