Hi Denis,
Thank you for the insights.
We have recently updated to version 4.20.5, so unfortunately, we don't have
access to the new debug tool you mentioned. Given this, we are considering
alternative actions to prevent potential DDOS caused by the proxy querying
the Global Catalog for security groups and retrieving user profiles to
assign browsing roles.
We will definitely talk to the team responsible for the proxy server to
address the issue on their side, but we also need to implement measures on
our end to mitigate this situation.
So far, I've found that limiting LDAP queries and implementing caching
could be effective solutions. If you have any other suggestions, they would
be greatly appreciated.
Thanks again for your help.
Best regards,
Gabriel
On Mon, 7 Oct 2024, 05:36, Denis CARDON <dcardon at tranquil.it>
wrote:
> Hi Gabriel and Hubert,
>
> On 05/10/2024 at 11:32, denis bonnenfant--- via samba wrote:
> >
> > On 05/10/2024 at 02:48, Douglas Bagnall via samba wrote:
> >> hi Hubert,
> >>
> >> I missed this earlier.
> >
> > Hello, I experienced the same kind of problem. DCs were overloaded by
> > some requests. Running DCs with a sufficient debug level immediately shows
> > 2 problems:
> >
> > - requests on big groups ( 70 000 members) with member attributes
> >
> > - requests with * in filters.
> >
> > These requests were consuming from 1 to 10 s.
> >
> > Reconfiguring applications (keycloak in our case), and rewriting our
> > custom php application to avoid these kinds of requests where possible,
> > definitely solved the problem: all requests are now below 10 ms, and
> > everything works.
>
> Like Denis from SambaEdu said above, the most common culprit would be
> large groups (you shouldn't go beyond a few thousand members), and the
> other one would be applications that do problematic LDAP requests. There
> is a new LDAP debug option that has been added by my colleague Andreas
> Leroux [1] that can be used to search for problematic ldap requests and
> which should be in 4.21 specifically for that purpose.
>
> You should also be wary of long-lasting requests: for example, if an LDAP
> client takes too much time to retrieve its result, then it will occupy
> one query slot until it has finished flushing the data. I once had an
> ldapsrv issue due to a buggy hp driver that was downloading a 100k-user
> LDAP result over a 2mbps ISDN connection on a remote site, which kind of
> DDOS'ed Samba ldapsrv by using all the available slots.
>
> We have also seen a piece of software doing a "whoami" MS-RPC query on the PDC
> every few seconds, and with 7k users it makes a quite heavy load.
>
> Cheers,
>
> Denis
>
> [1] https://gitlab.com/samba-team/samba/-/commit/2c1a4a516ff425f3b27b52e6b8b63772b589da23
>
> >
> > Denis
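As an added example (not code from this thread or from Samba), a small Python triage over request records that flags the patterns the thread describes: slow requests, wildcard substring filters, retrieval of a group's full member list, and a client re-issuing the same query every few seconds. The record layout and the sample values are constructed for this example; Samba's real log format, including the 4.21 debug option, is not assumed.

```python
import re
from collections import defaultdict

# Constructed sample of LDAP requests as seen from the DC side. The record
# layout (client, ts, filter, attrs, duration_ms) is invented for this example
# and is not Samba's log format.
SAMPLE = [
    {"client": "10.0.0.5", "ts": 0.0, "filter": "(&(objectClass=group)(cn=all-staff))",
     "attrs": ["member"], "duration_ms": 8400},
    {"client": "10.0.0.7", "ts": 0.4, "filter": "(sAMAccountName=*smith*)",
     "attrs": ["cn"], "duration_ms": 1900},
    {"client": "10.0.0.9", "ts": 0.5, "filter": "(&(objectClass=*)(cn=alice))",
     "attrs": ["cn"], "duration_ms": 6},
] + [  # one client re-asking the same question every 2 seconds
    {"client": "10.0.0.11", "ts": 2.0 * i, "filter": "(sAMAccountName=svc-proxy)",
     "attrs": ["memberOf"], "duration_ms": 3} for i in range(30)
]

# One (attr=value) assertion; a raw '*' in the value is a wildcard (a literal
# asterisk would be escaped as \2a per RFC 4515).
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")

def wildcard_assertions(ldap_filter):
    """Attributes searched by substring, e.g. (cn=*smith*); bare presence
    tests such as (objectClass=*) are not counted."""
    return [(a, v) for a, v in ASSERTION_RE.findall(ldap_filter)
            if "*" in v and v != "*"]

def triage(requests, slow_ms=1000, min_repeats=10, max_interval_s=10.0):
    """Return (per-request findings, clients polling one query at short
    intervals); a finding is (client, filter, [reasons])."""
    findings, seen = [], defaultdict(list)
    for r in requests:
        reasons = []
        if r["duration_ms"] >= slow_ms:
            reasons.append("slow: %d ms" % r["duration_ms"])
        wc = wildcard_assertions(r["filter"])
        if wc:
            reasons.append("wildcard substring on " + ", ".join(a for a, _ in wc))
        if any(a.lower() == "member" for a in r["attrs"]):
            reasons.append("retrieves full 'member' list")
        if reasons:
            findings.append((r["client"], r["filter"], reasons))
        seen[(r["client"], r["filter"])].append(r["ts"])
    polling = []
    for (client, flt), stamps in seen.items():
        if len(stamps) >= min_repeats:
            interval = (max(stamps) - min(stamps)) / (len(stamps) - 1)
            if interval <= max_interval_s:
                polling.append((client, flt, len(stamps), round(interval, 1)))
    return findings, polling
```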