It's strange. We have a root domain and a lot of subdomains. We try to join Samba to one of the subdomains. Active Directory DB (NTDS.dit) without GC = 1.2 Gb, with GC=16 Gb. When we try to join Samba we hit the Samba DB limit of 4Gb.

We see that Samba replicates information about all domains in the forest:

descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=domain1,DC=oao,DC=company not found under DC=domain1,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 3c4005a3-6aa9-4776-a23a-d0f632d6ebd8 - using CN=DOMAIN6-DC-02,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 5cefb527-31c5-45b3-98e1-473e54b75ac8 - using CN=DOMAIN6-DC-01,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 29d15948-c550-43ec-91bc-9eea9516197e - using DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 01a7952b-a4e1-4e91-b3cd-74b34307a019 - using DC=domain2,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID c9686534-1edb-48ae-8f2d-808320512b71 - using DC=domain3,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID f45fa54a-8512-4af0-9aab-b24b0ae4b868 - using DC=domain4,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to re-resolve GUID 580df24f-20ba-4cc5-8c51-f95e4fe08d6e - using DC=domain5,DC=oao,DC=company

Can we disable GC in Samba before the join?
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, November 02, 2015 9:50 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Re: [Samba] Join Samba without GC role

On Mon, 2015-11-02 at 13:07 +0000, Luchko Dmitriy wrote:
> Thanks for the answer!
>
> Is that true if we have Subdomains, Samba write to DB information only
> about join-domain?

Operation in the presence of subdomains is not supported. When we do add it, we will attempt to be a GC and replicate the GC partitions for the whole forest. This information is critical to the correct operation of the DsCrackNames interface.

> And what option --domain-critical-only do? I did not see the
> difference - with or without.

A smaller set of objects is replicated initially, but the whole domain is replicated once Samba starts.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
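The join log quoted in the message above can be summarised per domain to confirm which forest domains the join is pulling in. This is an added example, not part of the thread and not Samba code; it assumes one log entry per line and that the joined domain is DC=domain1,DC=oao,DC=company, and the function names are hypothetical.

```python
import re
from collections import Counter

# One warning per line, in the shape quoted in the message above.
WARNING_RE = re.compile(
    r"Failed to re-resolve GUID (?P<guid>[0-9a-fA-F-]{36}) - using (?P<dn>.+?)\s*$"
)
APP_PARTITIONS = {"dc=domaindnszones", "dc=forestdnszones"}

# Sample input: four warnings copied from the message, plus one constructed
# unrelated line that the parser must ignore.
PREFIX = ("../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: "
          "WARNING: Failed to re-resolve GUID ")
SAMPLE_LOG = "\n".join([
    "descriptor_sd_propagation_recursive: (constructed unrelated line)",
    PREFIX + "3c4005a3-6aa9-4776-a23a-d0f632d6ebd8 - using "
             "CN=DOMAIN6-DC-02,OU=Domain Controllers,DC=domain6,DC=oao,DC=company",
    PREFIX + "29d15948-c550-43ec-91bc-9eea9516197e - using DC=domain6,DC=oao,DC=company",
    PREFIX + "01a7952b-a4e1-4e91-b3cd-74b34307a019 - using DC=domain2,DC=oao,DC=company",
    PREFIX + "c9686534-1edb-48ae-8f2d-808320512b71 - using DC=domain3,DC=oao,DC=company",
])


def domain_nc(dn):
    """Return the domain naming context: the trailing run of DC= components."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]  # keep escaped commas
    tail = []
    for part in reversed(parts):
        if not part.lower().startswith("dc="):
            break
        tail.append(part)
    tail.reverse()
    # DNS application partitions sit one level below the domain they belong to.
    if tail and tail[0].lower() in APP_PARTITIONS:
        tail = tail[1:]
    return ",".join(tail)


def domains_in_log(log_text):
    """Count re-resolve warnings per domain naming context (lower-cased)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if match:
            counts[domain_nc(match.group("dn")).lower()] += 1
    return counts


def foreign_domains(log_text, joined_nc):
    """Domains referenced in the log other than the one being joined."""
    return sorted(nc for nc in domains_in_log(log_text) if nc != joined_nc.lower())


if __name__ == "__main__":
    for nc in foreign_domains(SAMPLE_LOG, "DC=domain1,DC=oao,DC=company"):
        print(nc)
```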
I created a test environment: 1 root domain, 2 subdomains. I created about 250000 user accounts in subdomain 2 (sub2.company.com); ntds.dit is 14gb. Joining Samba in the first subdomain (sub1) was without problem. But in the production environment (with a lot of domains and objects) the python process was hung with 100% CPU (after 6 hours we killed the hung process).

Why can this happen? Is this a Samba subdomain support limitation, a tdb database limitation, a feature of how Samba works with a big Active Directory infrastructure (a lot of sites, domains and objects), or is this a bug?
On Tue, 2015-11-17 at 08:27 +0000, Luchko Dmitriy wrote:
> I created test environment: 1 root domain, 2 subdomain. I created
> about 250000 user accounts in subdomain 2 (sub2.company.com) ntds.dit
> 14gb. Joining samba in first subdomain (sub1) was without problem.
> But in production environment (with a lot of domains and objects)
> python process was hung with 100% CPU (after 6 hour we killed hung
> process).
> Why can this happened? This is samba subdomain support limitation,
> tdb database limitation, feature works samba with big active
> directory infrastructure (a lot sites, domains and objects), or is
> this bug?

Samba has simply never been designed or tested for use in the presence of subdomains, nor for that number of objects.

We hope to add subdomain support, and I have done some work towards that, but it is, as you have noticed, unfinished.

We would also like to improve Samba to scale up, and to support more diverse domain structures, but it isn't a small task.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba