Volker Lendecke
2019-Feb-24 11:14 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, Feb 24, 2019 at 08:16:55AM +0000, Rowland Penny via samba wrote:
> Well yes, it could be used for the default domain, but what about the
> 'DOMAIN' domain ?
>
> From my understanding, the default range is meant for the Well Known
> SIDs and anything outside the given domains and there are less than two
> hundred Well known SIDs.
>
> To be honest, I have never really seen the point to autorid, it just
> seems to be the 'rid' backend with a way to set the range size.
>
> I will stick to recommending using 'tdb' for the '*' domain and 'ad'
> or 'rid' for any other domains.

Autorid is made to combine the efficiency of rid with the ease of
configuration of tdb. tdb generates a lot of entries in its database,
autorid is very small. For me, if we could, we would make autorid the
default these days. But this would break too many existing tdb default
setups. Of course, wherever people have SFU maintained in AD, that is
clearly preferable. For everybody else, I think autorid is just a
great idea. But that's mostly me :-)

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
> On 24.02.2019 at 12:14, Volker Lendecke via samba <samba at lists.samba.org> wrote:
>
> On Sun, Feb 24, 2019 at 08:16:55AM +0000, Rowland Penny via samba wrote:
>> Well yes, it could be used for the default domain, but what about the
>> 'DOMAIN' domain ?
>>
>> From my understanding, the default range is meant for the Well Known
>> SIDs and anything outside the given domains and there are less than two
>> hundred Well known SIDs.
>>
>> To be honest, I have never really seen the point to autorid, it just
>> seems to be the 'rid' backend with a way to set the range size.
>>
>> I will stick to recommending using 'tdb' for the '*' domain and 'ad'
>> or 'rid' for any other domains.
>
> Autorid is made to combine the efficiency of rid with the ease of
> configuration of tdb. tdb generates a lot of entries in its database,
> autorid is very small. For me, if we could, we would make autorid the
> default these days. But this would break too many existing tdb default
> setups. Of course, wherever people have SFU maintained in AD, that is
> clearly preferable. For everybody else, I think autorid is just a
> great idea. But that's mostly me :-)

me too. And as we've just seen idmap_ad has its issues in large environments.

-slow
Rowland Penny
2019-Feb-24 11:46 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Sun, 24 Feb 2019 12:20:43 +0100 Ralph Böhme <slow at samba.org> wrote:
>
> > On 24.02.2019 at 12:14, Volker Lendecke via samba
> > <samba at lists.samba.org> wrote:
> >
> > On Sun, Feb 24, 2019 at 08:16:55AM +0000, Rowland Penny via samba
> > wrote:
> >> Well yes, it could be used for the default domain, but what about
> >> the 'DOMAIN' domain ?
> >>
> >> From my understanding, the default range is meant for the Well
> >> Known SIDs and anything outside the given domains and there are
> >> less than two hundred Well known SIDs.
> >>
> >> To be honest, I have never really seen the point to autorid, it
> >> just seems to be the 'rid' backend with a way to set the range
> >> size.
> >>
> >> I will stick to recommending using 'tdb' for the '*' domain and
> >> 'ad' or 'rid' for any other domains.
> >
> > Autorid is made to combine the efficiency of rid with the ease of
> > configuration of tdb. tdb generates a lot of entries in its
> > database, autorid is very small. For me, if we could, we would make
> > autorid the default these days. But this would break too many
> > existing tdb default setups. Of course, wherever people have SFU
> > maintained in AD, that is clearly preferable. For everybody else,
> > I think autorid is just a great idea. But that's mostly me :-)
>
> me too. And as we've just seen idmap_ad has its issues in large
> environments.
>
> -slow

Seen where ? and how ?

The only real problem that I see is that, from a Samba point of view,
you have to store the next available uidNumber or gidNumber outside of
AD e.g. scribbled on a piece of paper.

Rowland