Hello,
I have set up winbind to authenticate Linux PCs to a Windows 2003 AD.
The authentication works, but the performance is not good (takes over 5 minutes).
PRELIMINARY
-----------
OS: Ubuntu 7.04
Samba: 3.0.24
AD: Windows 2003
ANALYSIS
---------
After analyzing the log.winbindd file at log level 10, I can see three major
parts:
1) lookup and authenticate the user -> performance OK
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
process_request: request fn GETPWNAM
[2007/06/25 14:31:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
[ 0]: getpwnam sergeyf
[2007/06/25 14:31:50, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
idmap_sid_to_uid: sid = [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx]
internal_get_id_from_sid: record
S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx -> UID 87023
2) list all groups this user is member of. -> performance OK
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
process_request: request fn GETGROUPS
[2007/06/25 14:31:54, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1017)
[ 0]: getgroups sergeyf
...
internal_get_id_from_sid: ID_GROUPID fetching record
S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxx -> GID 10513
... (more than 50 groups)
3) Per group list all members of that group -> BOTTLENECK
[2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
lookup_groupmem: [Cached] - doing backend query for info for domain XXXX
[2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
ads: lookup_groupmem POST sid=S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx
...
Step 3 is the one causing the delay because each group has about 1000 users.
If I interrupt the login, I actually see I am logged in, but in the background
the process of listing the groups continues.
STEPS ALREADY TAKEN
-------------------
After I found this, I thought the problem had to be related to one of these
settings:
winbind expand groups = 0
winbind nested groups = no
Both settings were default settings first (1 and yes respectively), but after
setting them to the values 0 and no, winbind still performed the lookup of group
members.
I also found this mailing list post:
http://archives.free.net.ph/message/20070613.052201.64562430.en.html
It mentions that this step should actually be asynchronous. When will that be
implemented?
SOLUTION?
---------
This is my question to the list: Is there a workaround, or what settings do I
need to apply?
Thanks in advance,
Filip Sergeys
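
Added example, not part of the original post: a Python script for the kind of log.winbindd analysis described above. It charges the gap between consecutive records to the function that logged the earlier one and lists the group SIDs queried from the AD backend. The sample log is constructed in the layout of the excerpts (domain name and SIDs are placeholders), and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the excerpts above; domain and SIDs are placeholders.
SAMPLE_LOG = """\
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:55, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem EXAMPLE sid=S-1-5-21-1-2-3-1001
[2007/06/25 14:32:25, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem EXAMPLE sid=S-1-5-21-1-2-3-1002
[2007/06/25 14:32:58, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+:(\w+)\(\d+\)")
GROUPMEM = re.compile(r"ads: lookup_groupmem \S+ sid=(S-[\d-]+)")

def records(text):
    """Return [timestamp, function, message] for each header line plus its body lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), ""])
        elif out:
            out[-1][2] += line.strip() + " "
    return out

def time_per_function(text):
    """Charge the gap until the next record to the function that logged the current one."""
    recs = records(text)
    stats = defaultdict(lambda: {"count": 0, "seconds": 0.0})
    for cur, nxt in zip(recs, recs[1:] + [None]):
        s = stats[cur[1]]
        s["count"] += 1
        if nxt:
            s["seconds"] += (nxt[0] - cur[0]).total_seconds()
    return dict(stats)

def backend_group_queries(text):
    """SIDs of groups whose membership was fetched from the AD backend."""
    return [m.group(1) for _, _, msg in records(text) for m in GROUPMEM.finditer(msg)]

if __name__ == "__main__":
    for fn, s in sorted(time_per_function(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["seconds"]):
        print(f"{fn:20s} {s['count']:4d} records {s['seconds']:7.0f} s")
    print(len(backend_group_queries(SAMPLE_LOG)), "backend group-member queries")
```

Log timestamps have one-second resolution, so the per-function totals are only meaningful for slow steps such as the group member lookups.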