Hello Samba Team and users!

I wrote some scripts that interoperate with samba to manage users, groups and some other AD objects. Everything works fine and I now want to improve performance.

So I would like to know what is the best way in terms of performance to read user/group/ou information:
-> as domain controller
and
-> as domain member

It would be great also if the access has no latency. For example, as a domain controller, wbinfo sometimes continues to give user information just after deleting the user with samba-tool.

Is it better to use:

ldbsearch and access to sam.ldb directly?
samba-tool?
winbind with wbinfo?
winbind with nsswitch tools: uid, getent, ...?
the ldap:// protocol?
the samba python library?
net command?
other?

Thanks if someone can help me!

Regards,

Baptiste.

Rowland Penny
2021-Feb-04 10:07 UTC
[Samba] Best way to access the AD database from scripts
On 04/02/2021 09:50, Prunk Dump via samba wrote:
> Hello Samba Team and users!
>
> I wrote some scripts that interoperate with samba to manage users,
> groups and some other AD objects. Everything works fine and I now want
> to improve performance.
>
> So I would like to know what is the best way in terms of performance
> to read user/group/ou information:
> -> as domain controller
> and
> -> as domain member
>
> It would be great also if the access has no latency. For example, as a
> domain controller, wbinfo sometimes continues to give user information
> just after deleting the user with samba-tool.
>
> Is it better to use:
>
> ldbsearch and access to sam.ldb directly?
> samba-tool?
> winbind with wbinfo?
> winbind with nsswitch tools: uid, getent, ...?
> the ldap:// protocol?
> the samba python library?
> net command?
> other?
>
> Thanks if someone can help me!
>
> Regards,
>
> Baptiste.
>

Your problem isn't so much how you do this as where you do it.

AD uses replication, which is usually pretty fast, but sometimes it isn't. This means that if you delete a user on one DC and replication is slow, the user may still exist on another DC. Using wbinfo has its own problems because it may be reading from a cache and this could still contain deleted objects.

It doesn't matter if you use ldbsearch, ldapsearch or samba-tool, just as long as you do all modifications on the same DC, the PDC_Emulator for instance.

Rowland
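
One way to act on the advice above, as an added example that is not part of either post: a Python sketch that checks whether an account still exists by running ldbsearch against one named DC with `-H ldap://...` and parsing its LDIF output, instead of asking wbinfo. The DC host name, the base DN and the sample output are constructed assumptions, and authentication options are left out.

```python
import base64
import subprocess

# Assumption: hypothetical URL of the one DC that every read and write goes to.
PINNED_DC = "ldap://dc1.samdom.example.com"

def escape_filter(value):
    """Escape LDAP filter metacharacters (RFC 4515) in an account name."""
    for ch in "\\*()\0":
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def search_argv(account, base_dn, dc_url=PINNED_DC):
    """ldbsearch argv that queries the named DC over LDAP, not a local cache."""
    return ["ldbsearch", "-H", dc_url, "-b", base_dn, "-s", "sub",
            "(sAMAccountName=%s)" % escape_filter(account), "sAMAccountName"]

def parse_records(ldif_text):
    """Parse ldbsearch LDIF output into dicts, skipping comments and referrals."""
    logical = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold a continuation line
        else:
            logical.append(line)
    records, current = [], {}
    for line in logical + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends a record
            if "dn" in current:              # referral blocks carry no dn
                records.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: ..." is base64
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        current.setdefault(name, []).append(value.strip())
    return records

def account_exists(account, base_dn, dc_url=PINNED_DC, run=subprocess.run):
    """True if the pinned DC still returns an entry for this account."""
    out = run(search_argv(account, base_dn, dc_url),
              capture_output=True, text=True, check=True).stdout
    names = [v.lower() for r in parse_records(out)
             for v in r.get("sAMAccountName", [])]
    return account.lower() in names

# Constructed sample output (not captured from a real DC); the dn is folded.
SAMPLE = ("# record 1\ndn: CN=alice,CN=Users,DC=samdom,\n DC=example,DC=com\n"
          "sAMAccountName: alice\n\n# Referral\n"
          "ref: ldap://samdom.example.com/CN=Configuration,DC=samdom\n\n"
          "# returned 2 records\n# 1 entries\n# 1 referrals\n")
```

Pass the same DC URL to the samba-tool call that makes the change, so the check and the modification see the same copy of the directory.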