Michael Tokarev
2024-Apr-05 13:43 UTC
[Samba] samba as a domain member: a way to ignore groups?
Hi!

We had a stand-alone anonymous samba server serving a read-only share as the guest account. It worked well but had a few strange issues (like lots of noise in the logs about bad smb2 signatures).

It's been suggested to switch to a domain member server. I didn't see the point since we don't need different user IDs and a security model, but okay, - I joined a new server to a domain.

Now I see samba is doing a large number of setgroups() calls with a huge number of groups each time (100+) - based on the domain groups each user belongs to. This, and the in-kernel group matching code, has become quite noticeable in the performance stats, - samba and the kernel are doing lots of work in this context instead of doing real work.

What is the way to ignore all the domain groups of all domain users?

Will the whole thing work if I remove `winbind' from the nsswitch.conf:group line?

Thanks,

/mjt
Rowland Penny
2024-Apr-05 14:07 UTC
[Samba] samba as a domain member: a way to ignore groups?
On Fri, 5 Apr 2024 16:43:42 +0300 Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Hi!
>
> We had a stand-alone anonymous samba server serving a read-only share
> as the guest account. It worked well but had a few strange issues (like
> lots of noise in the logs about bad smb2 signatures).
>
> It's been suggested to switch to a domain member server. I didn't see
> the point since we don't need different user IDs and a security model,
> but okay, - I joined a new server to a domain.
>
> Now I see samba is doing a large number of setgroups() calls with a huge
> number of groups each time (100+) - based on the domain groups each
> user belongs to. This, and the in-kernel group matching code, has become
> quite noticeable in the performance stats, - samba and the kernel are
> doing lots of work in this context instead of doing real work.
>
> What is the way to ignore all the domain groups of all domain users?
>
> Will the whole thing work if I remove `winbind' from the
> nsswitch.conf:group line?
>
> Thanks,
>
> /mjt

Have you set 'winbind expand groups' to anything but its default '0'? Setting it to a large number could give you the problem you are having.

Rowland
Rowland Penny
2024-Apr-05 14:16 UTC
[Samba] samba as a domain member: a way to ignore groups?
On Fri, 5 Apr 2024 16:43:42 +0300 Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Hi!
>
> We had a stand-alone anonymous samba server serving a read-only share
> as the guest account. It worked well but had a few strange issues (like
> lots of noise in the logs about bad smb2 signatures).
>
> It's been suggested to switch to a domain member server. I didn't see
> the point since we don't need different user IDs and a security model,
> but okay, - I joined a new server to a domain.

Just one other thing: as far as I can see, no one on the list said use a Unix domain member, they just suggested using a valid username and password on your standalone server. Something like 'sambauser%sambapass'.

Rowland
Michael Tokarev
2024-Apr-05 18:22 UTC
[Samba] samba as a domain member: a way to ignore groups?
05.04.2024 16:43, Michael Tokarev via samba:

> Now I see samba is doing a large number of setgroups() calls with a huge
> number of groups each time (100+) - based on the domain groups each
> user belongs to. This, and the in-kernel group matching code, has become
> quite noticeable in the performance stats, - samba and the kernel are doing
> lots of work in this context instead of doing real work.
>
> What is the way to ignore all the domain groups of all domain users?
>
> Will the whole thing work if I remove `winbind' from the nsswitch.conf:group
> line?

After removing `winbind' from the nsswitch.conf:group entry, the server gained a *huge* speedup. Before, each become_user took several *seconds* to get the list of groups and perform setgroups(), and each file access was also slow due to the in-kernel work with so many groups each user belongs to.

This is a multi-channel connection, handling requests from a single machine but for multiple users - so effectively, become_user has been called for every file operation. This is just with about 10 users doing things, - the target number which the old server is handling is 1000+ users.

Now things are working again. Dunno what will break with this lack of groups though. We'll see.

Thanks for the help,

/mjt
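A small diagnostic for the two settings this thread turns on, the `group:` line of nsswitch.conf that mjt trimmed and the `winbind expand groups` parameter Rowland asked about. This is an added example, not code from any of the posters or from Samba; it parses files given as arguments, so it runs here on constructed samples and can be pointed at the live /etc/nsswitch.conf and smb.conf. It assumes the last occurrence of a parameter in smb.conf wins and that the default is 0 when it is absent.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Two helpers: one reports whether the
# NSS "group" database consults winbind (the nsswitch.conf change mjt made),
# the other reports the effective 'winbind expand groups' value from smb.conf
# (the parameter Rowland asked about). Both take a file path, so they can be
# run on the constructed samples below or on /etc/nsswitch.conf and the live smb.conf.

# Print "yes" if the group: line lists winbind as a source, otherwise "no".
nss_group_uses_winbind() {
    if sed 's/#.*//' "$1" | awk '
        $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }'; then
        echo yes
    else
        echo no
    fi
}

# Print the value of 'winbind expand groups'. Samba ignores case and whitespace
# in parameter names, so "Winbind Expand Groups" is matched too. Assumption:
# the last occurrence wins, and the Samba default of 0 applies when absent.
winbind_expand_groups() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "winbindexpandgroups") {
                val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            }
        }
        END { print (val == "" ? 0 : val) }' "$1"
}

# Constructed sample files, standing in for the real ones.
tmp=$(mktemp -d)
printf 'passwd: files winbind\ngroup:  files winbind  # domain groups via winbind\n' \
    > "$tmp/nsswitch.conf"
printf 'passwd: files winbind\ngroup:  files\n' > "$tmp/nsswitch-trimmed.conf"
printf '[global]\n   security = ads\n   Winbind Expand Groups = 5\n' > "$tmp/smb.conf"
printf '[global]\n   security = ads\n' > "$tmp/smb-default.conf"

echo "group db uses winbind (before): $(nss_group_uses_winbind "$tmp/nsswitch.conf")"
echo "group db uses winbind (after):  $(nss_group_uses_winbind "$tmp/nsswitch-trimmed.conf")"
echo "winbind expand groups: $(winbind_expand_groups "$tmp/smb.conf")"
echo "winbind expand groups (unset): $(winbind_expand_groups "$tmp/smb-default.conf")"
```

With the `group:` line still listing winbind, every domain user's supplementary groups are resolved through winbind and handed to setgroups(); dropping it removes those groups from the Unix side entirely, which is the trade-off mjt accepted.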