Command recommended by the Updating Samba wiki page: samba-tool dbcheck --cross-ncs --fix takes ages to complete, which makes it complicated to run after every update. The last time it did not complete and I had to terminate it after 20 minutes. Size of /var/lib/samba for this installation is about 370M. It holds ~13K users.
This should be much better in Samba 4.5. We found a single line fix in 2ef0c9a8d4623d88414eaaf32cdd18c6ef17900a was responsible for 20% of the time some of our tests took, increasing with each additional object checked. Can you please try Samba 4.5.3 and let us know if it is still an issue. If it is, please with all the required debug packages installed, then run it under perf and generate a flame graph per: http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html The resulting .svg file is often quite enlightening.
(In reply to Andrew Bartlett from comment #1) Sorry for reporting an issue for an older release. Will try to upgrade as soon as possible. Thanks!
As long as you shut down Samba first, or use tdbbackup, you can make a copy of the DB, and run a newer Samba (say built in a prefix, or on a different machine) over the sam.ldb copy. That will let you test the newer codebase and get an idea if it is reasonable to re-run in in production during the upgrade, or to get me the flame graph. Normally (sadly) Samba bugs in older releases are in the current release also, so no apology is needed, it just happens that in this case we put a lot of effort into performance during the 4.5 cycle, including dbcheck in particular. This work has continued, and git master or 4.6 should be even better.
fixed in 4.5+ with commit 2ef0c9a8d4623d88414eaaf32cdd18c6ef17900a, as mentioned in comment 1.