1500 users may qualify your environment as a "large" domain. Try setting the winbind group enumeration to " no"... On Oct 1, 2012 4:24 AM, "David Touzeau" <da...@touzeau.eu> wrote:
> > > -----Original Message----- From: Rowland Penny > Sent: Sunday, September 30, 2012 5:49 PM > To: samba@lists.samba.org > Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process > run cpu to 100% > > On 30/09/12 16:36, David Touzeau wrote: > >> I have created a ticket on bugtrack >> https://bugzilla.samba.org/**show_bug.cgi?id=9226<https://bugzilla.samba.org/show_bug.cgi?id=9226> >> >> >> -----Original Message----- From: Rowland Penny >> Sent: Saturday, September 29, 2012 10:21 PM >> To: samba@lists.samba.org >> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process >> run cpu to 100% >> >> On 29/09/12 20:31, David Touzeau wrote: >> >>> nsswitch as been changed to >>> >>> passwd: files ldap winbind >>> group: files ldap winbind >>> shadow: files ldap winbind >>> >>> But lsass.exe still run at 100% cpu and winbind still want to parse the >>> full AD >>> I think i will create a ticket on the tracker because we have removed >>> winbind from the nsswitch: >>> >>> passwd: files ldap >>> group: files ldap >>> shadow: files ldap >>> >>> and lsass.exe still run at 100% >>> When stopping winbindd >>> lsass.exe is down to 0% >>> >>> From: Heather Choi >>> Sent: Saturday, September 29, 2012 4:26 PM >>> To: David Touzeau >>> Cc: mario.codeni...@gmail.com ; samba@lists.samba.org >>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process >>> run cpu to 100% >>> >>> manpages of nssswitch: compat support `+/-' in the ``passwd'' and >>> ``group'' databases. If this is present, it must be the only source for >>> that entry. Database Default source list group compat group_compat nis >>> hosts files dns netgroup files [notfound=return] nis passwd compat >>> passwd_compat nis >>> On 09/29/2012 05:03 AM, David Touzeau wrote: >>> Thanks Heather Choi >>> >>> But in my nsswitch i have >>> >>> passwd: compat ldap winbind >>> group: compat ldap winbind >>> shadow: compat ldap winbind >>> >>> As compat is and advanced "files" method... >>> So my nsswitch is compatible with your suggest...? >>> >>> >>> -----Original Message----- From: Heather Choi >>> Sent: Saturday, September 29, 2012 4:52 AM >>> To: mario.codeni...@gmail.com >>> Cc: samba@lists.samba.org >>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process >>> run cpu to 100% >>> >>> You definitely should have "files" placed *before* winbind of passwd, >>> group and shadow, like: >>> >>> passwd: files winbind >>> shadow: files winbind >>> group: files winbind >>> >>> Otherwise, you will be hitting AD a whole ton for localized users and >>> definitely root with services running. >>> >>> On 09/27/2012 02:00 AM, David Touzeau wrote: >>> Dear >>> I have connected samba 3.6.8 to my Active Directory in the lsass.exe run >>> to 100% >>> When stopping winbind the lsass.exe CPU is down to 0% >>> When set winbindd to debug mode, it seems it try to scan the root user >>> every time. >>> I would to know how to ban nsswitch to query winbindd for system >>> internal users such has root, apache..... >>> >>> Here it is my nsswitch.conf : >>> >>> # >>> # Example configuration of GNU Name Service Switch functionality. >>> # If you have the `glibc-doc-reference' and `info' packages installed, >>> try: >>> # `info libc "Name Service Switch"' for information about this file. >>> bind_policy soft >>> >>> passwd: compat ldap winbind >>> group: compat ldap winbind >>> shadow: compat ldap winbind >>> >>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns >>> networks: files >>> >>> protocols: db files >>> services: db files >>> ethers: db files >>> rpc: db files >>> netmasks: files >>> netgroup: files nis >>> publickey: files >>> bootparams: files >>> aliases: files >>> automount: ldap files >>> >>> Attached file is the winbindd debug mode: >>> >>> >>> >>> >>> Hi, you say that you have connected samba 3.6.8 to your Active >> Directory, How? and where does ldap come into it. >> If you join a samba 3.6 machine to Active Directory, you only need >> winbind to be added to nsswitch.conf >> >> Rowland >> >> >> Hi again, now that I have seen your smb.conf on the bug link you posted, > try removing the ldap entries from /etc/nsswitch.conf , you do not need > them, you are not using ldap. > > Rowland > > > hi > Removing LDAP did not change any behavior... > > david > -- > To unsubscribe from this list go to the following URL and read the > instructions: > https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba> > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
