Hi Gabriel and Hubert,
On 05/10/2024 at 11:32, denis bonnenfant--- via samba wrote:
>
> On 05/10/2024 at 02:48, Douglas Bagnall via samba wrote:
>> hi Hubert,
>>
>> I missed this earlier.
>
> Hello, I experienced the same kind of problem. DC were overloaded by
> some requests. Running DC with sufficient debug level shows immediately
> 2 problems:
>
> - requests on big groups (70 000 members) with member attributes
>
> - requests with * in filters.
>
> These requests were consuming from 1 to 10 s.
>
> Reconfiguring applications (keycloak in our case), and rewriting our
> custom php application to avoid if possible these kinds of requests
> definitely solved the problem: all requests are now below 10 ms, and
> everything works.

Like Denis from SambaEdu said above, the most common culprit would be
large groups (you shouldn't go beyond a few thousand members), and the
other one would be applications that do problematic LDAP requests. There
is a new LDAP debug option that has been added by my colleague Andreas
Leroux [1] that can be used to search for problematic LDAP requests and
which should be in 4.21 specifically for that purpose.

You should also be wary of long-lasting requests: for example, if an LDAP
client takes too much time to retrieve its result, then it will occupy
one query slot until it has finished flushing the data. I once had an
ldapsrv issue due to a buggy HP driver that was downloading a 100k users
LDAP result on a 2mbps ISDN connection on a remote site, which kind of
DDOS'ed Samba ldapsrv by using all the available slots.

We have also seen a software doing a "whoami" MS-RPC query on the PDC
every few seconds, and with 7k users it makes a quite heavy load.

Cheers,
Denis
[1]
https://gitlab.com/samba-team/samba/-/commit/2c1a4a516ff425f3b27b52e6b8b63772b589da23
>
> Denis