I am having problems with samba and ldap as concerns groups. We have two central LDAP servers which we use for authentication for many different applications, samba being just one of those. The LDAP servers are Solaris servers running Directory Server v5.2.

Our PDC is running samba 3.0.7 on linux. There are several file servers, but the main ones are running samba 3.0.7 on solaris and all authentication goes through the PDC with ldapsam backend.

The problem first appeared for us with 3.0.6 this fall, though we might have been noticing the start of this problem with 3.0.4 last May but never isolated it before all our users left for the summer.

The PDC appears to request ALL groups from LDAP, using the search (objectclass=sambaGroupMapping). In our case, this is nearly 14,000 entries and it can take almost 10 minutes to retrieve those from LDAP when there are hundreds trying at once. Indexing doesn't help in this case because samba is asking for ALL groups.

Our first day of class here was very VERY BAD as hundreds of users tried to login to our labs each hour :(

As a stop-gap measure, I modified samba to request only groups where the gidNumber was less than 1000 - the LDAP filter is now (&(objectclass=sambaGroupMapping)(gidNumber<=999)). My rationale is that groups above 1000 are the individual user private groups, à la Red Hat style. And, it's not likely one would want to set up permissions on windows shares using that, the user could be used instead. Groups under 1000 are true groups as unix has traditionally used them.

This resolved our login issues and got our labs functional again, but now I'm getting the message:

rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [gray-00] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that

in the logs. This is correct because I'm no longer allowing samba to find the user's primary group. It's not clear to me yet that this is really a problem as nothing's been noticed. But, it does concern me, plus it's extra noise in the log files.

Is there any way to make samba do a more targeted lookup of groups, perhaps only those groups where the user is a member?

--
Marlys A. Nelson                      Sr. Network Specialist
Information Technology Services       Network Services
University of Wisconsin - River Falls 715/425-4357
410 South Third Street                Email: [EMAIL PROTECTED]
River Falls  WI  54022                http://www.uwrf.edu/
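The following is an added example, not part of the post above or of the Samba or Directory Server code. It evaluates the two LDAP filters quoted in the post over a small constructed directory (the entries, gids and the user "gray-00" are made up for illustration) and shows why the stop-gap filter drops the user's primary group, which is exactly the condition behind the "primary gid of user ... is not a Domain group" log line. The `targeted_filter` function is an assumed narrowing of the lookup, not something Samba 3.0.7 does itself.

```python
"""Minimal evaluator for LDAP search filters (RFC 4515 syntax), used to
compare the group lookups discussed in the post over a constructed
directory. Added example; not Samba or Directory Server code."""

# Constructed sample entries. Group gids below 1000 are traditional unix
# groups; gids at 1000 and above are per-user private groups. The one user
# entry (gray-00) has its private group as its primary gid.
DIRECTORY = [
    {"objectClass": ["posixGroup", "sambaGroupMapping"], "cn": ["staff"], "gidNumber": ["100"]},
    {"objectClass": ["posixGroup", "sambaGroupMapping"], "cn": ["labusers"], "gidNumber": ["500"]},
    {"objectClass": ["posixGroup", "sambaGroupMapping"], "cn": ["gray-00"], "gidNumber": ["12345"]},
    {"objectClass": ["posixGroup", "sambaGroupMapping"], "cn": ["smith-01"], "gidNumber": ["12346"]},
    {"objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["gray-00"], "gidNumber": ["12345"]},
]

# The two filters quoted in the post.
ALL_GROUPS = "(objectclass=sambaGroupMapping)"
STOPGAP = "(&(objectclass=sambaGroupMapping)(gidNumber<=999))"


def parse_filter(text):
    """Parse a filter string into a small AST of tuples."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter %r" % text)
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        item = text[pos:end]
        pos = end + 1
        for op in ("<=", ">=", "="):  # two-character operators first
            if op in item:
                attr, value = item.split(op, 1)
                return (op, attr, value)
        raise ValueError("unsupported filter item %r" % item)

    ast = node()
    if pos != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return ast


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def _ordered(op, have, want):
    """Compare numerically when both sides are integers (INTEGER syntax,
    as gidNumber is); a plain string compare would put '12345' below '999'."""
    try:
        have, want = int(have), int(want)
    except ValueError:
        pass
    return have <= want if op == "<=" else have >= want


def matches(ast, entry):
    """Evaluate a parsed filter against one entry."""
    op = ast[0]
    if op == "&":
        return all(matches(c, entry) for c in ast[1])
    if op == "|":
        return any(matches(c, entry) for c in ast[1])
    if op == "!":
        return not matches(ast[1], entry)
    _, attr, value = ast
    values = _values(entry, attr)
    if op == "=":
        return any(v.lower() == value.lower() for v in values)
    return any(_ordered(op, v, value) for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the entries matching filter_text, as an LDAP search would."""
    ast = parse_filter(filter_text)
    return [e for e in directory if matches(ast, e)]


def targeted_filter(user_entry):
    """Assumed narrowing of the lookup: the stop-gap filter widened to also
    admit the user's own primary group. Illustrative only."""
    gid = user_entry["gidNumber"][0]
    return "(&(objectclass=sambaGroupMapping)(|(gidNumber<=999)(gidNumber=%s)))" % gid


def primary_group_found(groups, user_entry):
    """True when the user's primary gid is among the returned group maps;
    False is the condition behind the 'not a Domain group' log line."""
    return any(g["gidNumber"] == user_entry["gidNumber"] for g in groups)


if __name__ == "__main__":
    user = search("(uid=gray-00)")[0]
    for name, flt in (("all", ALL_GROUPS), ("stop-gap", STOPGAP), ("targeted", targeted_filter(user))):
        groups = search(flt)
        print("%-9s %d groups, primary group found: %s" % (name, len(groups), primary_group_found(groups, user)))
```

Over the constructed directory the full lookup returns all four group maps, the stop-gap filter returns only the two groups below gid 1000 and so misses gray-00's primary group, and the widened filter returns those two plus the primary group while still leaving the other private groups out. Note that gidNumber comparisons must be numeric, which is what the server does for INTEGER-syntax attributes; the evaluator reproduces that rather than comparing strings.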
