Hi.

Does winbind have limitations with lots of users in the domain?

I compiled samba 4.3.1 and created 40 users, so winbind and getent work fine, but when I created 26.000 users, "wbinfo -u" doesn't show users.

On DC Member Server, "wbinfo -u" and "getent passwd" don't show users either.

On log.wb-CORP appears:

[2016/02/23 18:46:46.319393, 1] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
[2016/02/23 18:46:46.319552, 1] ../source3/winbindd/winbindd_ads.c:319(query_user_list)
  query_user_list ads_search: Time limit exceeded

my smb.conf on DC:

[global]
        workgroup = CORP
        realm = CORP.EXAMPLE.COM
        netbios name = SRV-401
        interfaces = lo eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

smb.conf on Member Server:

[global]
        netbios name = FS-SERVER1-CORP
        security = ADS
        workgroup = CORP
        realm = CORP.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        idmap config *:backend = tdb
        idmap config *:range = 1000-9999
        idmap config CORP:backend = ad
        idmap config CORP:schema_mode = rfc2307
        idmap config CORP:range = 10000-99999
        winbind nss info = rfc2307
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

Regards,
Fernando
On Tue, Feb 23, 2016 at 06:58:52PM -0300, Fernando Favero wrote:
> Hi.
>
> Does winbind have limitations with lots of users in the domain?
>
> I compiled samba 4.3.1 and created 40 users, so winbind and getent work
> fine, but when I created 26.000 users, "wbinfo -u" doesn't show users.

I'm sure there are timeouts all over the place with 26.000 users. I'd say enumerating that number is not really a good idea. You might have good reasons to do so, but I would recommend using direct LDAP against AD to get the users. Winbind eventually might get there, but I doubt we have proper retries around everywhere to fulfill that.

In normal operations you should never need to enumerate users and groups. Doing "getent passwd <username>" on users that successfully logged in will always work fine. If it does not, we'll fix it.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Hi Fernando,

For me that's a well-known issue of winbind. You could also notice issues with "samba-tool ldapcmp ..." and another tool I don't remember for now. Neither works anymore once you reach around 40 000 objects in the Samba database.

For ldapcmp a workaround, which is an awful workaround, is to:

1° List all containers
2° For each container -> launch ldapcmp

Unfortunately this process increases a lot the time needed to compare all data. As an example:

- we have 20 DCs.
- we have 120 000 users and no computers and no groups in our database.

Comparing sequentially all these DCs against the FSMO owner has been running for 6 days and it is not finished. We even suspect we only reached half of the process this noon...

Sorry not to have better news,

mathias

2016-02-23 22:58 GMT+01:00 Fernando Favero <favero.fernando at gmail.com>:
> Hi.
>
> Does winbind have limitations with lots of users in the domain?
>
> I compiled samba 4.3.1 and created 40 users, so winbind and getent work
> fine, but when I created 26.000 users, "wbinfo -u" doesn't show users.
>
> On DC Member Server, "wbinfo -u" and "getent passwd" don't show users either.
>
> On log.wb-CORP appears:
> [2016/02/23 18:46:46.319393, 1]
> ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
> ads reopen failed after error Time limit exceeded
> [2016/02/23 18:46:46.319552, 1]
> ../source3/winbindd/winbindd_ads.c:319(query_user_list)
> query_user_list ads_search: Time limit exceeded
>
> my smb.conf on DC:
> [global]
> workgroup = CORP
> realm = CORP.EXAMPLE.COM
> netbios name = SRV-401
> interfaces = lo eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
>
> smb.conf on Member Server:
> [global]
> netbios name = FS-SERVER1-CORP
> security = ADS
> workgroup = CORP
> realm = CORP.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap config *:backend = tdb
> idmap config *:range = 1000-9999
> idmap config CORP:backend = ad
> idmap config CORP:schema_mode = rfc2307
> idmap config CORP:range = 10000-99999
> winbind nss info = rfc2307
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> Regards,
> Fernando
Hi Volker,

I have the same behaviour here without enumerating users or groups. As soon as the DB increases too much (which is not that much: my tests months ago made Samba start to hang on certain commands (ldapcmp, wbinfo -u...) around 40000 objects in the Samba database).

On the DC, wbinfo -u is hanging today after 10s. This on the 2 DCs I tested (out of 20 DCs). As soon as wbinfo -u is launched, the RPC PID of the Samba processes is eating 100% of one CPU core. This process continues to eat CPU long after these 10s.

On the member, wbinfo -u takes longer to hang and it seems to be the LDAP process of the DC trying to reply which eats 100% of one CPU core.

Anyway, on member and on DC wbinfo -u is not working with too many objects (120k here today).

You spoke about timeouts. Are these timeouts configurable? Can we increase them?

With 120k users, no computers, no groups, and winbind configured on a member server, users are retrieved episodically. Sometimes the user exists, id shows it, wbinfo -i too; sometimes the user does not exist for any command I tried.

I'm still afraid winbind is not ready to scale up. Sorry to put it like that...

Cheers,

mathias

2016-02-24 10:41 GMT+01:00 Volker Lendecke <Volker.Lendecke at sernet.de>:
> On Tue, Feb 23, 2016 at 06:58:52PM -0300, Fernando Favero wrote:
> > Hi.
> >
> > Does winbind have limitations with lots of users in the domain?
> >
> > I compiled samba 4.3.1 and created 40 users, so winbind and getent work
> > fine, but when I created 26.000 users, "wbinfo -u" doesn't show users.
>
> I'm sure there are timeouts all over the place with 26.000 users. I'd say
> enumerating that number is not really a good idea. You might have good
> reasons to do so, but I would recommend using direct LDAP against AD to
> get the users. Winbind eventually might get there, but I doubt we have
> proper retries around everywhere to fulfill that.
>
> In normal operations you should never need to enumerate users and
> groups. Doing "getent passwd <username>" on users that successfully
> logged in will always work fine. If it does not, we'll fix it.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
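The two recommendations in the thread (Volker: do not enumerate through winbind, fetch a full list over direct LDAP if you really need one, and resolve individual accounts with "getent passwd <username>"; mathias: resolution on a member is intermittent at 120k users) can be turned into a small operator script. This is an added example and not code from the thread or from the Samba project. It assumes OpenLDAP's ldapsearch (ldap-utils) and a valid Kerberos ticket for the LDAP part, the DC host name and base DN are passed in as parameters (the values in the comments are assumptions), and the accounts to spot-check are given on the command line.

```sh
#!/bin/sh
# Added example, not from the thread or the Samba project.
#   1. Resolve the accounts you actually need one at a time through NSS and
#      count how often the lookup fails, instead of enumerating the domain.
#   2. When a complete user list is genuinely required, read it straight from
#      the DC with the simple paged results control (RFC 2696), so no single
#      LDAP response has to carry the whole domain and trip a time limit.

# Resolve one account through NSS (winbind on a domain member).
# Returns 0 when the lookup succeeds, 1 otherwise; prints nothing.
resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Repeat the lookup $2 times (default 5) with a one-second pause and print
# "<user> <successes>/<attempts>". Returns 0 only if every attempt succeeded,
# which turns "sometimes the user exists, sometimes not" into a number.
check_user_stability() {
    user=$1
    attempts=${2:-5}
    ok=0
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if resolve_user "$user"; then
            ok=$((ok + 1))
        fi
        i=$((i + 1))
        if [ "$i" -lt "$attempts" ]; then
            sleep 1
        fi
    done
    printf '%s %d/%d\n' "$user" "$ok" "$attempts"
    [ "$ok" -eq "$attempts" ]
}

# Full enumeration directly from the DC, in pages of 1000 entries.
# Assumes OpenLDAP ldapsearch and a Kerberos ticket (kinit) for an account
# allowed to read the directory. Host name and base DN are assumptions.
list_users_via_ldap() {
    dc_host=$1   # e.g. srv-401.corp.example.com
    base_dn=$2   # e.g. DC=corp,DC=example,DC=com
    ldapsearch -LLL -Y GSSAPI -H "ldap://$dc_host" -b "$base_dn" \
        -E pr=1000/noprompt \
        '(&(objectClass=user)(objectCategory=person))' sAMAccountName \
        | sed -n 's/^sAMAccountName: //p'
}

# Usage: ./check_users.sh alice bob carol
# Each argument is spot-checked three times; a warning is printed for any
# account that did not resolve on every attempt. Run it on a domain member
# with winbind in nsswitch.conf; local accounts (root) resolve from /etc/passwd.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        check_user_stability "$u" 3 || echo "WARN: $u did not resolve consistently"
    done
fi
```

Pick the sample accounts from recent successful logins, as Volker suggests, rather than from a full listing; a consistently failing entry for a known account is the signal worth a bug report, while an occasional miss under load points at the LDAP-side timeouts mathias describes.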