Gautier, B (Bob)
2006-May-04 13:52 UTC
[Samba] Speeding up 'getent passwd' with winbindd on AD
I am working on a Linux-AD integration using winbindd in security=ads mode with idmap=ad. Everything is basically working, but the performance of user (and group) enumeration has been very poor and I am almost at the stage where I ask my users if they can live without it, though I would prefer not to.

In my test environment, I have about 8500 users in AD, of which currently only about 10 have the necessary attributes to make them valid Linux users. When I try to enumerate the users, I notice that winbindd gets the list of *all* users in AD, and then (in idmap_ad) it makes an LDAP query per-user for the SFU attributes (e.g. uidNumber etc). Most of those queries fail, of course.

By changing the LDAP filter (in winbindd_ads.c, function query_user_list) from "(objectClass=user)" to (for example) "(&(objectClass=user)(uidNumber=*))", i.e. by asking *only* for users that have a uidNumber attribute, I have reduced a response time of 4 minutes for 'getent passwd' down to only 6 seconds.

I'd really like to see a change like this go into Samba, but I realise the new filter isn't compatible with other idmap backends, and so at best it needs to be optional. Currently I have a patch which applies the filter only if 'winbind nss info = sfu' is in effect.

I'm posting this here to get feedback: should I file an enhancement request in Bugzilla, refine the fix somehow first, or forget it altogether?

Bob Gautier

_____________________________________________________________
This email (including any attachments to it) is confidential, legally privileged, subject to copyright and is sent for the personal attention of the intended recipient only. If you have received this email in error, please advise us immediately and delete it. You are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Although we have taken reasonable precautions to ensure no viruses are present in this email, we cannot accept responsibility for any loss or damage arising from the viruses in this email or attachments. We exclude any liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided in this email or its attachments, unless that information is subsequently confirmed in writing. If this email contains an offer, that should be considered as an invitation to treat.
_____________________________________________________________
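The effect of the two filters quoted in the message above, as an added example that is not part of the thread and is not Samba code. It models only the behaviour the post describes (one list query, then one SFU lookup per listed user) over a constructed directory with the post's numbers; `parse_filter`, `matches`, `enumeration_cost` and `DIRECTORY` are hypothetical names.

```python
import re

def parse_filter(text):
    """Parse an RFC 4515 subset: (&...), (|...), (attr=*), (attr=value)."""
    tokens = re.findall(r"\(|\)|[^()]+", text)
    pos = 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"malformed filter: {text!r}")
        pos += 1
        return tokens[pos - 1]
    def node():
        take("(")
        body = take()
        if body in ("&", "|"):
            kids = []
            while pos < len(tokens) and tokens[pos] == "(":
                kids.append(node())
            result = (body, kids)
        else:
            attr, sep, value = body.partition("=")
            if not attr or not sep:
                raise ValueError(f"malformed filter: {text!r}")
            result = ("present", attr) if value == "*" else ("eq", attr, value)
        take(")")
        return result
    tree = node()
    if pos != len(tokens):
        raise ValueError(f"trailing data in filter: {text!r}")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    if tree[0] in ("&", "|"):
        return (all if tree[0] == "&" else any)(matches(k, entry) for k in tree[1])
    values = [v.lower() for v in entry.get(tree[1].lower(), [])]
    return bool(values) if tree[0] == "present" else tree[2].lower() in values

# Constructed sample matching the post's numbers: 8500 users, 10 with uidNumber.
DIRECTORY = [{"objectclass": ["user"], "samaccountname": [f"user{i}"],
              **({"uidnumber": [str(10000 + i)]} if i < 10 else {})}
             for i in range(8500)]

def enumeration_cost(user_filter, directory=DIRECTORY):
    """Count the per-user SFU lookups that follow the list query, and how many fail."""
    tree = parse_filter(user_filter)
    listed = [e for e in directory if matches(tree, e)]
    valid = sum("uidnumber" in e for e in listed)
    return {"lookups": len(listed), "valid": valid, "failed": len(listed) - valid}
```

Both filters yield the same 10 valid users; only the number of follow-up lookups differs.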
Rex Dieter
2006-May-04 14:06 UTC
[Samba] Re: Speeding up 'getent passwd' with winbindd on AD
Gautier, B (Bob) wrote:
> I'm posting this here to get feedback: should I file an enhancement
> request in Bugzilla, refine the fix somehow first, or forget it
> altogether?

IMO, bugzilla it now. Possible refinement can occur later.

-- Rex
Jeremy Allison
2006-May-04 14:22 UTC
[Samba] Speeding up 'getent passwd' with winbindd on AD
On Thu, May 04, 2006 at 02:33:05PM +0100, Gautier, B (Bob) wrote:
>
> I'm posting this here to get feedback: should I file an enhancement
> request in Bugzilla, refine the fix somehow first, or forget it
> altogether?

Enhancement in bugzilla please !

Jeremy.
Gautier, B (Bob)
2006-May-04 14:50 UTC
[Samba] Speeding up 'getent passwd' with winbindd on AD
> -----Original Message-----
> From: Jeremy Allison [mailto:jra@samba.org]
> Sent: 04 May 2006 15:17
> To: Gautier, B (Bob)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Speeding up 'getent passwd' with winbindd on AD
>
> On Thu, May 04, 2006 at 02:33:05PM +0100, Gautier, B (Bob) wrote:
> >
> > I'm posting this here to get feedback: should I file an enhancement
> > request in Bugzilla, refine the fix somehow first, or forget it
> > altogether?
>
> Enhancement in bugzilla please !

Done: https://bugzilla.samba.org/show_bug.cgi?id=3751

Thanks,
Bob G

>
> Jeremy.
>