samba - Jul 2006 - winbind periodically does 44 extraneous lookups, causing 10-15 second lag

The setting is Debian with winbind v3.0.22.  The pertinent bit of
winbind configuration is as follows:

        winbind nss info = sfu
        idmap backend = ad
        winbind enum groups = yes
        winbind cache time = 1800

The problem is that once in a while, typically when either:

        a) an ls command is given for the 1st time in a login shell
           session

        or

        b) a groups command is given for a username for the 1st time
           in a login shell session

there is a 10 to 15 second delay before the ls(1) or groups(1) command yields
any output.  If the same command is given again, it returns normally,
with no delay.

I captured the output of strace -f -T on two such groups(1) commands, the
first with the large delay, and the 2nd with no abnormal delay.  From
the output, the delay seems to be coming from read()'s from a winbind
pipe, for 44 different groups.

Here is an example snippet from the strace output:

22191 mmap2(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x55749000 <0.000005>
22191 select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
<0.000005>
22191 read(4,
"frei-group\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 134046) =
134046 <0.000212>
22191 munmap(0x55749000, 135168)        = 0 <0.000014>

you can see the rather large time spent in the read() call.

It should be pointed out that the 44 groups that take a long time, are
all for groups to which the username used in the groups command
does not belong.  In other words, there is no apparent reason why the
lookup is being done for those groups : the username I ran the groups
command for does not belong to these 44 groups.

Does anyone know why this is happening, and what I could do to remove or
minimize the initial large delay?
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

>         winbind enum groups = yes
....
> 
> Does anyone know why this is happening, and what I could do
> to remove or
> minimize the initial large delay?
I see a similar behavior with the Debian 3.0.14a and 3.0.22 packages.
My guess is that you won't see this if you don't enumerate groups.

See http://samba.org/samba/docs/man/Samba3-HOWTO/idmapper.html

If I understand winbind correctly, your setup is asking winbind to
refresh all of the groups, not just ask which groups the user may be a
member of.

James Zuelow....................CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591