guido at lorenzutti.com.ar
2010-Feb-19 11:42 UTC
[Samba] using winbind causes high load on the pdc
Hi people: I have a winbind 3.2.5 running on a box to authenticate users in my squid. My PDC is a samba 3.0.24 and it stores users on ldap. I have approx. 500 users and when they all use the squid my winbind generates a lot of traffic to my pdc box causing high load on the smb process that talks to the winbind... killing the performance of the squid.

Is there any way to reduce this traffic?
Why every time a user navigates the winbind revalidates the credentials?
Cache for username/passwords? TTL? something?
Can I avoid the rpc traffic to the PDC and setup the winbind to talk to the pdc via ldap?

This is my winbind smb.conf:

    [global]
    workgroup = DOMAIN
    netbios name = PROXY
    wins support = No
    wins server = 10.1.0.44
    password server = *
    dns proxy = No
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = No
    syslog = 0
    security = domain
    domain master = No
    encrypt passwords = Yes
    passdb backend = tdbsam
    printing = none
    load printers = No
    restrict anonymous = 1
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind separator = \\
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind cache time = 900
    winbind offline logon = Yes

Just out of curiosity.. this is my squid.conf regarding ntlm:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
    auth_param ntlm children 280
    auth_param ntlm keep_alive on

I tried both keep_alive, on and off... no changes.

Thanks in advance.
Unless they're needed for your configuration, try

    winbind enum users = No
    winbind enum groups = No

In a large site, those create a lot of traffic.

Dale

On 02/19/2010 5:42 AM, guido at lorenzutti.com.ar wrote:
> Hi people: I have a winbind 3.2.5 running on a box to authenticate users
> in my squid. My PDC is a samba 3.0.24 and it stores users on ldap. I have
> approx. 500 users and when they all use the squid my winbind generates a lot
> of traffic to my pdc box causing high load on the smb process that talks
> to the winbind... killing the performance of the squid.
>
> Is there any way to reduce this traffic?
> Why every time a user navigates the winbind revalidates the credentials?
> Cache for username/passwords? TTL? something?
> Can I avoid the rpc traffic to the PDC and setup the winbind to talk to
> the pdc via ldap?
>
> This is my winbind smb.conf:
> [global]
> workgroup = DOMAIN
> netbios name = PROXY
> wins support = No
> wins server = 10.1.0.44
> password server = *
> dns proxy = No
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = No
> syslog = 0
> security = domain
> domain master = No
> encrypt passwords = Yes
> passdb backend = tdbsam
> printing = none
> load printers = No
> restrict anonymous = 1
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind separator = \\
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind cache time = 900
> winbind offline logon = Yes
>
> Just out of curiosity.. this is my squid.conf regarding ntlm:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
> auth_param ntlm children 280
> auth_param ntlm keep_alive on
>
> I tried both keep_alive, on and off... no changes.
>
> Thanks in advance.
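
Added example, not part of the thread and not Samba's own code: a small Python check for the two settings the reply names, run against a constructed excerpt of the posted smb.conf. It assumes the file uses no backslash line continuations and that both parameters default to No when absent; the function names are hypothetical.

```python
# Flag winbind enumeration settings in the [global] section of an smb.conf.

# Constructed sample: a subset of the [global] section posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOMAIN
    security = domain
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind cache time = 900
"""

# The two parameters the reply singles out as traffic-heavy on large sites.
ENUM_PARAMS = ("winbind enum users", "winbind enum groups")
TRUE_WORDS = {"yes", "true", "on", "1"}


def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return {normalized name: value} for [global]; the last setting wins."""
    settings, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            name, value = line.split("=", 1)
            settings[norm(name)] = value.strip()
    return settings


def enabled_enumeration(text):
    """List the enumeration parameters that are switched on."""
    settings = parse_global(text)
    # Assumption: both parameters default to "no" when not set.
    return [p for p in ENUM_PARAMS
            if settings.get(norm(p), "no").lower() in TRUE_WORDS]


if __name__ == "__main__":
    for param in enabled_enumeration(SAMPLE_SMB_CONF):
        print(f"{param} is enabled; set it to No unless enumeration is needed")
```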