Rowland Penny
2021-Jul-19 10:07 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
On Mon, 2021-07-19 at 11:50 +0200, L.P.H. van Belle via samba wrote:
> Your software vendor? What is the software you're using?
> Even if your software vendor is saying that, that still might be
> wrong.
>
> It's the same with the guys of Kopano where I had discussions with.
> These also said Samba4 and Kopano is slow and not supported.
> Well, I'm running it for years, it's fast as long as you "manually" add
> the corrected indexing.
> All fine.
>
> Plain ldap is already in AD...
> AD can do the same as plain ldap.
>
> So,
>
> verify which records are indexed.
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
>
> Then first find the base DN for your setup:
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "" defaultNamingContext
>
> Then edit the schema, using ldbedit and set searchFlags attribute to
> 1 on the attribute entry you want to index:
> ( examples, adjust with your values )
> ldbedit -H /var/lib/samba/private/sam.ldb -b CN=SCHEMA,CN=CONFIGURATION,DC=S-AD1,DC=INTERNAL,DC=DOMAIN,DC=TLD
>
> and change : searchFlags: 0 to : searchFlags: 1
>
> when all is done.
> stop samba and start samba. ( just to make sure things are ok )
> now run : samba-tool dbcheck --reindex << the most important one
> and.. One more.
> this might take a while, wait until it's finished.
>
> Repeat this on all AD-DCs. << the most important one !!
>
> Personally I reboot the AD-DC to be sure it's still fine after reboots
> and I check as last the index list to see it's all applied :
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
>
> I suggest try above, your vendor is trying to get the cheap way out
> here..
>

The other point worth mentioning is that, whether Openldap likes it or not, Openldap is on the way out. It is no longer available from RHEL 8 by default, you have to get it from EPEL, red-hat seemingly wants you to use freeipa.

Of course this is all just my opinion, I also think that the vendor needs to support Samba AD (and freeipa) or they might just run out of clients.

Rowland
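The last step of the quoted procedure, re-reading @INDEXLIST on every DC to confirm the index was applied, can be scripted. The following is an added example, not part of either mail: it assumes the `ldbsearch` output has been saved to a file, and the sample output and the attribute names `mail` and `uidNumber` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which attributes you want indexed
# are absent from the @INDEXLIST record printed by
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

# missing_indexes LDIF_FILE ATTR...
# Prints each ATTR that has no matching "@IDXATTR: <attr>" line.
# LDAP attribute names are case-insensitive, so the comparison is too.
missing_indexes() {
    ldif=$1
    shift
    for attr in "$@"; do
        awk -v want="$attr" '
            BEGIN { want = tolower(want) }
            /^@IDXATTR:/ {
                v = $0
                sub(/^@IDXATTR:[ \t]*/, "", v)   # keep only the value
                sub(/[ \t\r]+$/, "", v)          # drop trailing blanks and CR
                if (tolower(v) == want) found = 1
            }
            END { exit !found }
        ' "$ldif" || printf '%s\n' "$attr"
    done
}

# Constructed sample of ldbsearch output; a real DC lists many more attributes.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: sAMAccountName
@IDXATTR: objectSid
@IDXONE: 1

# returned 1 records
EOF

# "mail" and "uidNumber" stand in for whatever the application filters on.
missing_indexes "$SAMPLE_LDIF" samaccountname mail uidNumber
```

Run it against the saved output from each DC; any attribute it prints still needs `searchFlags: 1` and a `samba-tool dbcheck --reindex` on that DC.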
Stefan Kania
2021-Jul-19 14:00 UTC
[Samba] howto optimize samba/kerberos for 20k requests per minute - help needed
On 19.07.21 at 12:07, Rowland Penny via samba wrote:
> The other point worth mentioning is that, whether Openldap likes it or
> not, Openldap is on the way out. It is no longer available from RHEL 8
> by default, you have to get it from EPEL, red-hat seemingly wants you
> to use freeipa.

That is totally wrong. Only while RedHat don't know how to handle OpenLDAP it's not dead. With OpenLDAP they managed up to 980k requests per second (openLDAP 2.5). So I think Samba will never make this. And comparing DS389 with OpenLDAP is like comparing a VW Beetle with a Porsche.

The reason Redhat is not supporting OpenLDAP any more you will find here:
https://www.redhat.com/en/blog/preparing-identity-management-red-hat-enterprise-linux-8

Quote:
-----------
The knowledge and expertise, and thus ability to support OpenLDAP server to the same level of confidence as our other offerings was limited.
------------

And Redhat tells you that only a DS you are paying for is good:

Quote:
------------
First of all, the LDAP server is the core of the identity system. It requires enterprise level support.
------------

But who needs an LDAP server that relies on Java with an Oracle license?? And so many things not working with DS389 you can do with OpenLDAP.

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam and protects your privacy. You can get a free certificate at https://www.dgn.de/dgncert/index.html