I am in the process of evaluating the feasibility of using
winbind to provide authentication services for Linux servers in our
company. We have over 100,000 users in Active Directory spread across
several regional master domains. I've had wonderful results in
testing Samba3.0RC4, but I've run into some issues with the way it
handles large groups.

The first problem I'm having is that groups appear to be
effectively limited to 32k members (browsing the code revealed the use
of some signed integers for loop counters when reading in member
lists). This is a problem for us because the Domain Users group
(which is larger than that in a couple of cases) is the default group
for all of our users, which causes winbind to spit out some nifty
looking errors and causes ls -l to show unresolved GIDs instead of
group names. Is there any plan to change this limitation?

The second issue I ran across is that doing an ls -l takes a
really long time if the assigned group for a file is a large one. It
appears from my (admittedly crude) testing that winbind is not only
retrieving the name of the group, but the entire list of members when
a directory listing is run. I determined this by running "date;getent
group EU+Domain Users;date". The elapsed time on this was 12 seconds.
I then created a test file and did a "chgrp 'EU+Domain Users' foo",
followed by "date;ls -l foo;date" - this also took 12 seconds. This
group has approximately 29,900 users. Smaller groups in the same
domain return the name almost instantaneously, so I believe this has
something to do with the group size. Is this the way winbind is
supposed to work?

Any help you could provide in increasing winbind's performance
would be greatly appreciated.

Thanks,
Jeremy