Re: [Samba] BLOATED LDAP Traffic from Samba

2007-04-26 Thread Josh Kelley

On 4/24/07, Joseph Williams [EMAIL PROTECTED] wrote:

> My Samba PDC is sending tons of traffic to my LDAP server (iPlanet) and is
> causing the LDAP server load to peak consistently over a ridiculous 91%.
> Logons come to a crawl because the LDAP load is so high.  I do not have
> roaming profiles enabled.


This doesn't directly answer your question, but I'm surprised that an
LDAP server would max CPU usage if indexes and such are set up
properly.  Did you make sure to enable all of the recommended LDAP
indexes (in particular, sambaSID)?  (See chapter 2 of the Samba HOWTO
Collection for a sample OpenLDAP slapd.conf file that lists
recommended indexes.)

Josh Kelley
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] BLOATED LDAP Traffic from Samba

2007-04-25 Thread Volker Lendecke
On Tue, Apr 24, 2007 at 07:00:52PM -0400, Joseph Williams wrote:
> How can I get this to stop?  Is this normal behaviour?
> In my research I noticed a smb.conf parameter setting of winbind enum groups
> and winbind enum users.  I am not using winbind, so this will not work for
> me.

Probably you can't stop this. 99% this is clients doing some
LSA lookupsids or lookupnames calls that have to be proxied
to LDAP. It's the Windows clients asking for info that only
the LDAP server authoritatively knows about.

Volker



[Samba] BLOATED LDAP Traffic from Samba

2007-04-24 Thread Joseph Williams
Hello All,

I am having an issue with a Samba 3.0.21a with LDAP backend installation.

My Samba PDC is sending tons of traffic to my LDAP server (iPlanet) and is
causing the LDAP server load to peak consistently over a ridiculous 91%.
Logons come to a crawl because the LDAP load is so high.  I do not have
roaming profiles enabled.

Here is an excerpt from a logfile (log level = 2):

[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05996
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua68562
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: dhs
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05938
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua15265
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua18897
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua03367
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tmarti03
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua61714
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua40746
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05048
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua10708
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: koldacre
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua01257
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua56483
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua43553
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: aseward
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ironman8
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua51360
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ehlee
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua37090

When users log onto the SAMBA domain, Samba queries LDAP for the user's
authentication credentials; if the user and password match, the user is
then able to log onto the client.

A registry value is then entered in HKLM\Software\Microsoft\Windows\Windows
NT\CurrentVersion\ProfileList\S-1-21-DOMAIN SIDS-other values\tua.

The registry entry is expected and normal, and all authenticated domain users
will have a registry entry on any machine they use.

The SAMBA request traffic was enough to increase the LDAP system load and
force me to redirect requests from SAMBA away from the production LDAP servers to
an offsite LDAP server, and then eventually to my own slave LDAP server.
This move was necessary so that other university distributed systems would
not be adversely affected.

The queries that SAMBA is requesting from LDAP are for all domain users that
have a registry entry in the aforementioned hive location.  Please bear in
mind that this enumeration occurs in the background whether the XP
systems are:

1.  at the logon screen
2.  after a user has successfully authenticated (the request will occur for
the current logon user and enumerate for ALL domain users in the hive).

During my testing, tuning, and log observation, I have noticed that the
requests do not happen at any specific interval for a specific client; rather
they just occur often enough to cause too much load on the LDAP servers.

How can I get this to stop?  Is this normal behaviour?
In my research I noticed a smb.conf parameter setting of winbind enum groups
and winbind enum users.  I am not using winbind, so this will not work for
me.

I've manually deleted the domain users that exist in the HKLM reg hive I
mentioned above, and that stops the request traffic from Samba to LDAP.
However, each new user of a particular workstation will continue to have an
entry cached in this hive.  I've looked for a way to stop the caching using
regedit and gpedit.msc but wasn't
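As an added example (not part of the thread and not Samba's own tooling), the following Python script parses log lines in the same two-line shape as the level-2 excerpt above (a `[timestamp, level] file:function(line)` header followed by an indented `init_sam_from_ldap: Entry found for user:` message) and reports seconds in which many distinct users were looked up at once. A burst of lookups for many different users in the same second, with no corresponding logons, is the background profile-list enumeration the original post describes, and the per-user counts show which cached entries drive the most LDAP load. The sample log embedded in the script is constructed for the example; the non-lookup header line in it is made up and only there to show that unrelated messages are skipped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the Samba level-2 log excerpt in the thread.
# The smbd/service.c line is invented here purely as an unrelated message to be ignored.
SAMPLE_LOG = """\
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05996
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:57, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: dhs
[2007/04/24 17:24:30, 2] smbd/service.c:make_connection_snum(950)
  (constructed non-lookup message, should be ignored by the parser)
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] source-file:function(line)"
HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)')
# Message line that records one user object fetched from LDAP.
LOOKUP_RE = re.compile(r'^\s*init_sam_from_ldap: Entry found for user: (\S+)')


def parse_lookups(text):
    """Yield (timestamp, user) for every 'Entry found for user' message.

    The timestamp lives on the header line, so it is carried forward to the
    indented message line that follows it; any other message is skipped.
    """
    current_ts = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current_ts = header.group(1)
            continue
        lookup = LOOKUP_RE.match(line)
        if lookup and current_ts is not None:
            yield current_ts, lookup.group(1)


def lookups_per_second(text):
    """Count LDAP user lookups in each one-second timestamp bucket."""
    counts = Counter()
    for ts, _user in parse_lookups(text):
        counts[ts] += 1
    return dict(counts)


def lookups_per_user(text):
    """Count how often each user was fetched; repeated fetches of the same
    user are candidates for caching rather than a round trip to LDAP."""
    return dict(Counter(user for _ts, user in parse_lookups(text)))


def find_enumeration_bursts(text, threshold=3):
    """Return [(timestamp, total_lookups, distinct_users)] for every second in
    which at least `threshold` lookups happened. Many distinct users in one
    second is the signature of the profile-list enumeration from the thread."""
    per_second = defaultdict(list)
    for ts, user in parse_lookups(text):
        per_second[ts].append(user)
    bursts = []
    for ts in sorted(per_second):
        users = per_second[ts]
        if len(users) >= threshold:
            bursts.append((ts, len(users), len(set(users))))
    return bursts


if __name__ == "__main__":
    for ts, total, distinct in find_enumeration_bursts(SAMPLE_LOG):
        print(f"{ts}: {total} lookups, {distinct} distinct users")
    for user, n in sorted(lookups_per_user(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{user}: {n}")
```

Run it against a real `log.smbd` by passing the file contents to `find_enumeration_bursts` with a threshold suited to the domain size; on the 22-line excerpt in the original post every lookup falls in the same second, so it would be reported as one burst of 22 lookups for 22 distinct users.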