On Fri, Feb 16, 2007 at 05:31:05PM +0100, ZIGLIO, Frediano, VF-IT wrote:
> Hi,
> I installed samba on a large Active Directory. All is working, I use
> winbind in pam and everything is working.
> However sometimes it just hangs for a while (say 20 seconds) and then goes
> on without problems.
> Currently I increased "winbind cache time" to mitigate the problem.
> There are mainly two situations where this hang occurs
> 1- login
> 2- ls -l
> 3- groups
>
> I tried to analyze the problem a bit more deeply. The hang with case 2 occurs
> every 2/3 minutes (without "winbind cache time") so I launched strace
> on winbind and when ls -l hangs I see a lot of LDAP queries!!! Then I
> launch tcpdump on the LDAP port and strace and retry the ls -l test.
> Now I do an ls -l in my home directory. My user is an AD user of a
> "DOMAIN\Domain Users" main group so ls -l says something like
>
> -rw-r--r-- 1 user Domain Users 1234 Xxx XX 2005 file.txt
>
> ls -ln:
>
> -rw-r--r-- 1 16804756 16777217 1234 Xxx XX 2005 file.txt
>
> So ls -l should ask which user is 16804756 and which group is 16777217.
> Winbind should (IMHO) get the SIDs of 16804756 and 16777217 from the local cache,
> then check if the names are updated in the cache and update if necessary. The
> problem is that winbind does not simply check for the 16777217 name, but when
> the group changes it dumps much other information like the users in the group and
> then for each user in the group it asks for information. Now all users
> in AD (I know it is ugly but I don't manage AD) have Domain Users as the
> main group so it takes very long to get the whole user list and update every
> user. It would be better (at least for my case) if winbind just got the
> group name and marked "the member list is not correct".
>
> Is anybody working in this direction? Can I help you in some way?

We already have fixes for this in the SAMBA_3_0_25 tree.
If you're willing to experiment then you could try the
SVN code to see if it fixes the issue.

Jeremy.