On Thu, 2009-10-08 at 14:21 +0200, Julio Gómez Belmonte wrote:
> Hi
>
> We have a large installation consisting of many Citrix servers using 2
> Samba servers as domain controllers, using 2 LDAP 389 Directory
> Servers as user database. Also, there are workstations using the Samba
> servers. These LDAP servers have around 30000 user accounts, and we
> have detected that Samba servers make this ldap search:
You should really [always] specify query size limits on the DSA. For example -

  limits anonymous size.soft=512 size.hard=1024 size.unchecked=32767 time.soft=10 time.hard=60
  limits group="cn=Administrators,ou=Entities,ou=Access Control,dc=rss,dc=nw" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited time.soft=60 time.hard=120
  limits dn.exact="uid=syncrepl,ou=Entities,ou=Access Control,dc=rss,dc=nw" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited time.soft=unlimited time.hard=unlimited
  limits users size.soft=1024 size.hard=2048 size.unchecked=32767 time.soft=15 time.hard=60

I'm fairly certain AD imposes query size limits; the client can page the
results if they need to exceed the limit. Since Samba works with AD I
assume it will page results. This makes life much easier for the DSA.
[I assume your Samba servers are not binding to the DSA with the admin DN.]

> [07/Oct/2009:13:54:06 +0200] conn=46 op=13 SRCH
> base="dc=domain,dc=my" scope=2
> filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID
> displayName description sambaAcctFlags"
>
> So Samba is trying to retrieve the 30000 user accounts, making the
> LDAP servers freeze. We don't know what is happening to make this big
> query, I think that this query results from running the "net user"
> command from a Windows or Linux machine, but I cannot find which
> machine is executing that command. Is there any way to obtain which
> host is running this command, or which host is responsible for making
> Samba make that LDAP query?

Enable logging on the DSAs. Maybe "loglevel 768" if I recall correctly,
that should give you statistics for operations (256) and results (512).

> If not, is there any way to make Samba apply an additional filter when
> obtaining accounts? I would like to make the query like
> (&(uid=*)(objectClass=sambaSamAccount)(&(objectClass=myOwnClass)(ou:dn:=People))).

How would that help? Wouldn't it retrieve the same number of objects?
We designed our DIT so that all the Samba and NSS stuff [users & groups]
were beneath ou=SAM, so we have ou=SAM, ou=Entities,ou=SAM,
ou=People,ou=Entities,ou=SAM, ou=System Accounts,ou=Entities,ou=SAM,
ou=Groups,ou=Entities,ou=SAM, which keeps Samba and other systems out of
the rest of the DIT. [Of course that will all have to be restructured for
Samba4/AD]. Sadly the, rather retarded, PADL conversion scripts created
almost a convention of ou=Groups, ou=People, which is a rather crappy
design.

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
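The question in the thread is which host is issuing the 30000-entry search, and the reply's answer is to turn on operation/result logging on the DSA. The quoted SRCH line is already in 389 Directory Server's access-log format, and that log also records a "connection from <ip>" line for every conn= id, so the search can be joined back to the client. The script below is an added example written for this thread, not code from either poster or from 389 DS: it parses a constructed access-log sample (the IP addresses, the bind DN and the fd/slot values are assumed placeholders laid out the way 389 DS writes them), pairs each SRCH with its RESULT by (conn, op), and reports any search whose nentries exceeds a threshold together with the client IP and bound DN of that connection.

```python
import re
from collections import defaultdict

# Constructed sample of a 389 Directory Server access log (not taken from the
# thread). The conn=46 op=13 SRCH line mirrors the one quoted in the question;
# the "connection from", BIND and RESULT lines, the IP addresses (RFC 5737
# documentation range) and the bind DN are assumed placeholders.
SAMPLE_LOG = """\
[07/Oct/2009:13:54:01 +0200] conn=46 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[07/Oct/2009:13:54:01 +0200] conn=46 op=0 BIND dn="uid=samba,ou=System Accounts,dc=domain,dc=my" method=128 version=3
[07/Oct/2009:13:54:01 +0200] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=samba,ou=system accounts,dc=domain,dc=my"
[07/Oct/2009:13:54:02 +0200] conn=47 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[07/Oct/2009:13:54:02 +0200] conn=47 op=1 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[07/Oct/2009:13:54:02 +0200] conn=47 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Oct/2009:13:54:06 +0200] conn=46 op=13 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID displayName description sambaAcctFlags"
[07/Oct/2009:13:54:41 +0200] conn=46 op=13 RESULT err=0 tag=101 nentries=30000 etime=35
"""

# One regex per record type we care about; everything else is ignored.
CONN_RE = re.compile(r'\] conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'\] conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) SRCH base="([^"]*)" '
                     r'scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'\] conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ '
                       r'nentries=(\d+) etime=(\d+)')


def find_heavy_searches(log_text, threshold):
    """Return a list of dicts, one per search whose RESULT returned more than
    `threshold` entries, each joined to the client IP and the bind DN of the
    connection that issued it."""
    client_of = {}                                   # conn id -> client IP
    bind_dn_of = defaultdict(lambda: "(anonymous)")  # conn id -> last bound DN
    pending = {}                                     # (conn, op) -> SRCH awaiting RESULT
    heavy = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            bind_dn_of[m.group(1)] = m.group(2) or "(anonymous)"
            continue
        m = SRCH_RE.match(line)
        if m:
            ts, conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"time": ts, "conn": conn, "base": base,
                                   "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries, etime = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is None:
                continue  # RESULT of a BIND/MOD/etc., not a search we tracked
            srch.update(nentries=int(nentries), etime=int(etime), err=int(err),
                        client=client_of.get(conn, "?"), bind_dn=bind_dn_of[conn])
            if srch["nentries"] > threshold:
                heavy.append(srch)
    return heavy


if __name__ == "__main__":
    for s in find_heavy_searches(SAMPLE_LOG, threshold=1000):
        print(f'{s["time"]} client={s["client"]} bind_dn="{s["bind_dn"]}" '
              f'conn={s["conn"]} nentries={s["nentries"]} etime={s["etime"]}s '
              f'filter={s["filter"]}')
```

Run against a real access log, the threshold is the point at which a result set is large enough to matter on your DSA; the reply's size.soft/size.hard limits are the server-side counterpart that stops such a search from running to completion in the first place, and a RESULT line with err=4 (sizeLimitExceeded) would show the limit firing. The join on conn= is what answers "which host": the SRCH line alone never carries the client address.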