SERGEYS Filip
2007-Jun-26 09:30 UTC
[Samba] winbind authentication performance: lookup_groupmem in large sites
Hello,

I have set up winbind to authenticate Linux PCs to a Windows 2003 AD. The authentication works, but the performance is not good (takes over 5 minutes).

PRELIMINARY
-----------
OS: Ubuntu 7.04
Samba: 3.0.24
AD: Windows 2003

ANALYSIS
---------
After analyzing the log.winbindd file at log level 10, I can see three major parts:

1) Look up and authenticate the user -> performance OK

[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [ 0]: getpwnam sergeyf
[2007/06/25 14:31:50, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
  idmap_sid_to_uid: sid = [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx]
  internal_get_id_from_sid: record S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx -> UID 87023

2) List all groups this user is a member of -> performance OK

[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:54, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1017)
  [ 0]: getgroups sergeyf
...
  internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxx -> GID 10513
... (more than 50 groups)

3) Per group, list all members of that group -> BOTTLENECK

[2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain XXXX
[2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx
...

Step 3 is the one causing the delay, because each group has about 1000 users.
If I interrupt the login, I actually see I am logged in, but in the background the process of listing the groups continues.

STEPS ALREADY TAKEN
-------------------
After I found this, I thought the problem had to be related to one of these settings:

winbind expand groups = 0
winbind nested groups = no

Both settings were default settings first (1 and yes respectively), but after setting them to the values 0 and no, winbind still performed the group member lookup.

I also found this mail post:
http://archives.free.net.ph/message/20070613.052201.64562430.en.html
It mentions that this step should actually be asynchronous. When will that be implemented?

SOLUTION?
---------
This is my question to the list: Is there a workaround, or what settings do I need to apply?

Thanks in advance,
Filip Sergeys
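
Added example, not part of the original post and not Samba code: a Python sketch of the log.winbindd analysis described in the message above. It charges the time between consecutive log entries to the function that wrote the earlier entry, so the slow phase stands out. The sample log, its timestamps and the trailing RIDs are constructed, and because the timestamps have one-second resolution the totals are approximate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")

# Constructed sample in the format quoted in the post (not a real capture).
SAMPLE_LOG = """\
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:55, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-1001
[2007/06/25 14:33:10, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-1002
[2007/06/25 14:36:40, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-1003
[2007/06/25 14:36:58, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
"""

def profile(log_text):
    """Return {file:function: {"calls": n, "seconds": s}} for a winbindd log."""
    entries = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # indented message lines do not match and are skipped
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append((ts, f"{m.group(3)}:{m.group(4)}"))
    stats = defaultdict(lambda: {"calls": 0, "seconds": 0})
    for i, (ts, where) in enumerate(entries):
        stats[where]["calls"] += 1
        if i + 1 < len(entries):  # the last entry has no following timestamp
            gap = entries[i + 1][0] - ts
            stats[where]["seconds"] += int(gap.total_seconds())
    return dict(stats)

def slowest(log_text):
    """Name the file:function that accumulated the most wall-clock time."""
    stats = profile(log_text)
    return max(stats, key=lambda k: stats[k]["seconds"])

if __name__ == "__main__":
    ranked = sorted(profile(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["seconds"])
    for where, s in ranked:
        print(f"{s['seconds']:6d}s {s['calls']:4d} entries  {where}")
```
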
Guenther Deschner
2007-Jun-26 11:12 UTC
[Samba] winbind authentication performance: lookup_groupmem in large sites
SERGEYS Filip wrote:
> 3) Per group list all members of that group -> BOTTLENECK
> [2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
> lookup_groupmem: [Cached] - doing backend query for info for domain XXXX
> [2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
> ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx

In older Samba releases we needed to look up each member in AD, which in the upcoming 3.0.26 release will be done much more efficiently. You can try the SAMBA_3_0_26 branch to check whether this fixes your performance problem.

Thanks,
Guenther

--
Günther Deschner    GPG-ID: 8EE11688
Red Hat             gdeschner@redhat.com
Samba Team          gd@samba.org