Marlys Nelson
2004-Sep-19 15:09 UTC
[Samba] samba w/ ldap - groups scalability and performance
I am having problems with samba and ldap as concerns groups. We have two central LDAP servers which we use for authentication for many different applications, samba being just one of those. The LDAP servers are Solaris servers running Directory Server v5.2. Our PDC is running samba 3.0.7 on linux. There are several file servers, but the main ones are running samba 3.0.7 on solaris and all authentication goes through the PDC with ldapsam backend.

The problem first appeared for us with 3.0.6 this fall, though we might have been noticing the start of this problem with 3.0.4 last May but never isolated it before all our users left for the summer.

The PDC appears to request ALL groups from LDAP, using the search (objectclass=sambaGroupMapping). In our case, this is nearly 14,000 entries and it can take almost 10 minutes to retrieve those from LDAP when there are hundreds trying at once. Indexing doesn't help in this case because samba is asking for ALL groups. Our first day of class here was very VERY BAD as hundreds of users tried to login to our labs each hour :(

As a stop-gap measure, I modified samba to request only groups where the gidNumber was less than 1000 - the LDAP filter is now (&(objectclass=sambaGroupMapping)(gidNumber<=999)). My rationale is that groups above 1000 are the individual user private groups, a la Red Hat style. And, it's not likely one would want to set up permissions on windows shares using that, the user could be used instead. Groups under 1000 are true groups as unix has traditionally used them.

This resolved our login issues and got our labs functional again but now I'm getting the message:

  rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [gray-00] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that

in the logs. This is correct because I'm no longer allowing samba to find the user's primary group.

It's not clear to me yet that this is really a problem as nothing's been noticed. But, it does concern me, plus it's extra noise in the log files. Is there any way to make samba do a more targeted lookup of groups, perhaps only those groups where the user is a member?

-- 
Marlys A. Nelson
Sr. Network Specialist, Network Services
Information Technology Services
University of Wisconsin - River Falls
410 South Third Street, River Falls WI 54022
715/425-4357
Email: Marlys.A.Nelson@uwrf.edu
http://www.uwrf.edu/
Paul Gienger
2004-Sep-19 16:34 UTC
[Samba] samba w/ ldap - groups scalability and performance
> in the logs. This is correct because I'm no longer allowing samba to
> find the user's primary group. It's not clear to me yet that this is
> really a problem as nothing's been noticed. But, it does concern me,
> plus it's extra noise in the log files.

Now you could fix that by making everyone's primary group some group that is defined for the purpose of making samba shut up, but then you'd run into this nice issue that using secondary groups in samba with an LDAP backend on recent patchlevels is broken.

As a more helpful note, how does using nscd affect your performance issues?

-- 
Paul Gienger
Information Systems Consultant
Applied Engineering Inc.
Office: 701-281-1884
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Igor Belyi
2004-Sep-21 03:21 UTC
[Samba] Re: samba w/ ldap - groups scalability and performance
Marlys Nelson wrote:

> The PDC appears to request ALL groups from LDAP, using the search
> (objectclass=sambaGroupMapping). In our case, this is nearly 14,000
> entries and it can take almost 10 minutes to retrieve those from LDAP
> when there are hundreds trying at once. Indexing doesn't help in this
> case because samba is asking for ALL groups.
> ...
> Is there any way to make samba do a more targeted lookup of groups,
> perhaps only those groups where the user is a member?

I think it's possible. As far as I can see the problem is in this rpc_server/srv_util.c:get_domain_user_groups implementation which does retrieve all groups and then sort them out. Unfortunately, the fix isn't that simple since the interface to backends (include/passdb.h:struct pdb_methods) has only one method to list groups: enum_group_mapping().

The solution could be to introduce another method to the above interface (enum_user_groups()?) or to extend enum_group_mapping() to accept an extra argument (user account name). The problem with the first solution is that this method would repeat almost everything enum_group_mapping does for all backends except that in the ldapsam backend it will have an extra (memberUid=<user>) filter. The problem with the second - all calls to enum_group_mapping would need to be altered to accept an extra argument.

I'll try to see what I can do.

Cheers,
Igor
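The targeted lookup Igor sketches (a (memberUid=<user>) filter instead of enumerating every sambaGroupMapping entry) and the gap in the gidNumber<=999 stop-gap from the first post, worked through as an added example. This is the editor's illustration, not Samba's own code and not anything posted in the thread. It assumes the Samba 3 schema attribute names (sambaGroupMapping, gidNumber, memberUid) and uses a small constructed list of group entries in place of a real directory; the Python selection functions only model what the server would return for each filter. Two practitioner points it makes explicit: the per-user filter also ORs in the user's primary gidNumber, so the primary group is returned even when the user is not listed in its memberUid (the cause of the "primary gid ... is not a Domain group" message under the stop-gap), and any account name spliced into a search filter must be escaped per RFC 4515, otherwise a name such as "*)(gidNumber=0" rewrites the filter rather than being matched literally.

```python
"""Per-user group lookup filter for an ldapsam-style directory.

Added example, not Samba code. Assumptions: Samba 3 schema attribute
names (sambaGroupMapping, gidNumber, memberUid) and a constructed
in-memory list of group entries standing in for the LDAP server.
"""


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).

    The metacharacters '*', '(', ')', '\\' and NUL become '\\xx' hex escapes.
    Without this a user name like "*)(gidNumber=0" would change the filter's
    structure instead of being compared literally.
    """
    out = []
    for ch in value:
        if ch in ("*", "(", ")", "\\", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_groups_filter(username, primary_gid):
    """Filter that returns only the groups relevant to one user: entries listing
    the user in memberUid, plus the entry whose gidNumber is the user's primary
    gid (so the primary group is never missed, even with no memberUid)."""
    return "(&(objectclass=sambaGroupMapping)(|(memberUid=%s)(gidNumber=%d)))" % (
        escape_filter_value(username), int(primary_gid))


def stopgap_filter(max_gid):
    """The gidNumber ceiling used as a stop-gap in the first post."""
    return "(&(objectclass=sambaGroupMapping)(gidNumber<=%d))" % int(max_gid)


# Constructed sample directory: a couple of "real" groups below gid 1000 and
# Red Hat style user-private groups above it, as the first post describes.
SAMPLE_GROUPS = [
    {"cn": "Domain Users", "gidNumber": 513, "memberUid": ["gray-00", "smith-01"]},
    {"cn": "labstaff", "gidNumber": 600, "memberUid": ["smith-01"]},
    {"cn": "gray-00", "gidNumber": 1234, "memberUid": []},
    {"cn": "smith-01", "gidNumber": 1235, "memberUid": []},
]


def select_user_groups(entries, username, primary_gid):
    """Entries a directory would return for user_groups_filter()."""
    return [e["cn"] for e in entries
            if username in e["memberUid"] or e["gidNumber"] == primary_gid]


def select_stopgap(entries, max_gid):
    """Entries a directory would return for stopgap_filter()."""
    return [e["cn"] for e in entries if e["gidNumber"] <= max_gid]


def primary_group_returned(returned, entries, primary_gid):
    """True when the returned set contains the user's primary group.

    False is the situation behind the 'primary gid of user [...] is not a
    Domain group' log line: the group exists, but the filter hid it.
    """
    by_gid = {e["gidNumber"]: e["cn"] for e in entries}
    return by_gid.get(primary_gid) in returned


if __name__ == "__main__":
    user, gid = "gray-00", 1234
    print(user_groups_filter(user, gid))
    print("targeted :", select_user_groups(SAMPLE_GROUPS, user, gid))
    stopgap = select_stopgap(SAMPLE_GROUPS, 999)
    print("stop-gap :", stopgap,
          "primary group present:", primary_group_returned(stopgap, SAMPLE_GROUPS, gid))
    print("full enumeration would return %d entries" % len(SAMPLE_GROUPS))
    print("escaped  :", user_groups_filter("*)(gidNumber=0", gid))
```

For the per-user filter to be cheap on a directory of 14,000 group entries, memberUid and gidNumber both need equality indexes on the server; otherwise the targeted search still walks every entry, just with less data returned.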
Jim C.
2004-Sep-22 03:35 UTC
[Samba] Re: samba w/ ldap - groups scalability and performance
I have a suggestion. I think you can partition off the groups by putting them in sub OUs of your groups OU.

Alternatively you could use some Balancing Domain Controllers with disconnected authentication. This entails setting up Balancing Domain Controllers, each with a local LDAP slave server. Making everything local (replicated from the main LDAP server) for each of your BDCs should improve performance as you can then have several machines answering requests for groups without them having to constantly query the main LDAP server.

> I am having problems with samba and ldap as concerns groups. We have...
> perhaps only those groups where the user is a member?

-- 
I can be reached on the following Instant Messenger services:
MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: jcllings@njs.netlab.cz