Francesco Malvezzi
2019-Apr-17 08:27 UTC
[Samba] Does Netlogon prefork feature of samba-4.10 allow larger user base?
hi all, times ago I had a performance bottleneck issues on DCE/RPC process with a 50k user base. Once in a while CPU jumped to 100% and users weren't able to log in. I decided to reduce the user base to 7k user and everything is fine since then. Does the 'Netlogon prefork' (a new feature of samba-4.10) mitigate the above issue? Is it worth to give a try to raise again the AD users to 50k with some confidence that even if high CPU usage shows again at least users' logon is yet possible? thank you, Francesco
Andrew Bartlett
2019-Apr-17 08:59 UTC
[Samba] Does Netlogon prefork feature of samba-4.10 allow larger user base?
On Wed, 2019-04-17 at 10:27 +0200, Francesco Malvezzi via samba wrote:> hi all, > > times ago I had a performance bottleneck issues on DCE/RPC process with > a 50k user base. Once in a while CPU jumped to 100% and users weren't > able to log in. I decided to reduce the user base to 7k user and > everything is fine since then. > > Does the 'Netlogon prefork' (a new feature of samba-4.10) mitigate the > above issue? Is it worth to give a try to raise again the AD users to > 50k with some confidence that even if high CPU usage shows again at > least users' logon is yet possible?Yes, that is exactly why this was added, to gain some ability to handle parallel load in this area. Expect Samba 4.11 to be even better as we continuing to make the processing under the hood more efficient also. Earlier versions (I forget exactly which, sorry) would fork one worker per netlogon child in the 'standard' process model, which was the first step to addressing this (but can cause an overwhelming number of RPC workers depending on what your clients do). Just remember this isn't the default yet, set '-M prefork' on the command line to use in Samba 4.10. Finally, if your load is coming from one single Samba winbindd (eg for a squid proxy) then set 'winbind max domain connections' to a value greater than 1 on the client. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba