Hi, a few months ago I tried to setup samba + winbind (debian etch, amd64, samba 3.0.24). I followed the howto and got the authentication running. But I had not much success with winbind. I disabled the user/group enumeration, but this didn't change it. A simple 'ls -l' in a directory with 10-20 files took minutes to return the list and most of the time winbindd just stopped working an no connection to the samba shares were possible. I had to kill the daemon. I'm only responsible for a couple of linux workstations, but our AD is quite large (>100000 or more entries). Before I start a new attempt to get winbindd working, I would like to know if this is possible at all without any further patches or "secret" tweaks? Ralf
Hi Ralf, I assume that you are using "security = ads" and I assume that your AD setup has groups with lots of members? This is a known problem then that has been fixed in current samba (SAMBA_3_2 as of today): The ads version of the function lookup_groupmem (used to retrieve the members of a given group) showed poor performance on large groups. I recently improved the performance of this call (starting with svn revisions r23070 and r23072). This is in SAMBA_3_2 and in SAMBA_3_2_0, so it will be in the next release (3.2.0). There is no way to improve the performance significantly with 3.0.24 (except patching). So I suggest that you grab the latest sources with svn (see http://www.samba.org/samba/devel/), you can also get the upcoming release branch SAMBA_3_2_0 here) or get the unpacked sources with rsync like so: "rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2" and then compile it yourself. The reason why lookup_groupmem gets used in "ls -l" at all is that the getgrgid library call is used to resolve the gids into names, and this call returns not only the name but the whole group structure, including the list of members. So to confirm my assumptions above, you could compare the runtime of "ls -l" to that of "ls -ln": The latter should be much faster! Cheers, Michael On Di, Jul 10, 2007 at 10:08:00 +0200, Ralf Gross wrote:> Hi, > > a few months ago I tried to setup samba + winbind (debian etch, > amd64, samba 3.0.24). I followed the howto and got the authentication > running. But I had not much success with winbind. I disabled the > user/group enumeration, but this didn't change it. A simple 'ls -l' in > a directory with 10-20 files took minutes to return the list and most > of the time winbindd just stopped working an no connection to the > samba shares were possible. I had to kill the daemon. > > I'm only responsible for a couple of linux workstations, but our AD is > quite large (>100000 or more entries). Before I start a new attempt to > get winbindd working, I would like to know if this is possible at all > without any further patches or "secret" tweaks? > > Ralf-- Michael Adam <ma@sernet.de> SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE
Michael Adam schrieb:> > I assume that you are using "security = ads" and I assume that > your AD setup has groups with lots of members?Yes, that's right.> This is a known problem then that has been fixed in current > samba (SAMBA_3_2 as of today): The ads version of the function > lookup_groupmem (used to retrieve the members of a given group) > showed poor performance on large groups. I recently improved > the performance of this call (starting with svn revisions r23070 > and r23072). This is in SAMBA_3_2 and in SAMBA_3_2_0, so it will > be in the next release (3.2.0).Ok.> There is no way to improve the performance significantly with > 3.0.24 (except patching). So I suggest that you grab the latest > sources with svn (see http://www.samba.org/samba/devel/), you > can also get the upcoming release branch SAMBA_3_2_0 here) or > get the unpacked sources with rsync like so: > "rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2" > and then compile it yourself.I can't use rsync or cvs from office. It seems that svnweb which is mentioned in the howto is not working anymore. http://svnanon.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html#id442180 I can't reach http://svnweb.samba.org/. Is there another way to get the 3_2 release by svn/http?> The reason why lookup_groupmem gets used in "ls -l" at all is > that the getgrgid library call is used to resolve the gids into > names, and this call returns not only the name but the whole > group structure, including the list of members. > > So to confirm my assumptions above, you could compare the > runtime of "ls -l" to that of "ls -ln": The latter should be > much faster!Thanks for your reply, I'll try to get the source and compile it. This might take some time. BTW: wbinfo also wasn't working right and winbindd was not responding after issuing that command. Ralf
Volker Lendecke schrieb:> On Wed, Jul 11, 2007 at 06:16:12PM +0200, Ralf Gross wrote: > > [2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555) > > request_len_recv: Invalid request size received: 1848 > > Update /lib/libnss_winbind.so with the version you just > compiled and reboot.I changed the path to libnss_winbind.so in all relevant files in /etc/pam.d/, but I will try your suggestion tomrorrow and reboot. Ralf