The LDAP query of lookup_groupmem() returns all group members from AD, even those with a missing uidNumber. Such group members are useless in a UNIX environment for the idmap_ad backend since there is no uid mapping.

'test_user' is a member of group "Domain Users" with 200K members; only 20K members have uidNumber set. It takes more than a minute:

$ time id test_user
real 1m5.946s
user 0m0.019s
sys 0m0.012s

If the LDAP search string filters out the users using this:

"(&(objectCategory=user)(primaryGroupID=%u)(uidNumber=*)(!(uidNumber=0)))"

The time is much better:

$ time id test_user
real 0m3.544s
user 0m0.004s
sys 0m0.007s

======

Fix will follow.
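The effect of the two extra filter clauses from the report above, as an added example that is not part of the original report and is not Samba code. It evaluates the filter against constructed entries with a small matcher supporting only `&`, `|`, `!`, equality and presence. Assumptions: `OLD_FILTER` is an assumed form of the query without the uidNumber clauses, and `parse`, `matches` and `members` are hypothetical helper names.

```python
# Constructed sample entries (not real directory data). Attribute names are
# lower-cased and objectCategory is simplified to a short name.
ENTRIES = {
    "alice":   {"objectcategory": ["user"], "primarygroupid": ["513"], "uidnumber": ["10001"]},
    "bob":     {"objectcategory": ["user"], "primarygroupid": ["513"]},
    "rootmap": {"objectcategory": ["user"], "primarygroupid": ["513"], "uidnumber": ["0"]},
    "carol":   {"objectcategory": ["user"], "primarygroupid": ["1105"], "uidnumber": ["10002"]},
    "pc01$":   {"objectcategory": ["computer"], "primarygroupid": ["515"]},
}
OLD_FILTER = "(&(objectCategory=user)(primaryGroupID=%u))"  # assumption, not from the page
NEW_FILTER = "(&(objectCategory=user)(primaryGroupID=%u)(uidNumber=*)(!(uidNumber=0)))"

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = f.find(")", i)
        if j < 0:
            raise ValueError("unbalanced filter")
        attr, _, val = f[i:j].partition("=")
        node, i = ("=", attr.lower(), val), j
    if i >= len(f) or f[i] != ")":
        raise ValueError("unbalanced filter: missing ')'")
    return node, i + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    have = entry.get(node[1], [])
    # "attr=*" is a presence test; anything else is a case-insensitive equality test.
    return bool(have) if node[2] == "*" else node[2].lower() in [v.lower() for v in have]

def members(template, gid):
    """Return the sorted names of entries matching the filter for this primary group."""
    text = template % gid
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return sorted(name for name, e in ENTRIES.items() if matches(node, e))
```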
This bug was referenced in samba master: a485d9de2f2d6a9815dcac6addb988a8987e111c 5d475d26a3d545f04791a04e85a06b8b192e3fcf 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a f8b72aa1f72881989990fabc9f4888968bb81967
Created attachment 18288: 4.20.patch
Jule, please apply the patch to 4.20. Thanks!
Pushed to autobuild-v4-20-test.
This bug was referenced in samba v4-20-test: 8857cf299792f50e5917319a38d450c068fa07f4 837012983840d10488404fac2ebad07dd75a6f1c 84f82a09ffd1336bf79cffbe4caa3045aedbd16e 83da49f348921a21a22ff93ffecbd638ff004541
Closing out bug report. Thanks!
This bug was referenced in samba v4-20-stable (Release samba-4.20.1): 8857cf299792f50e5917319a38d450c068fa07f4 837012983840d10488404fac2ebad07dd75a6f1c 84f82a09ffd1336bf79cffbe4caa3045aedbd16e 83da49f348921a21a22ff93ffecbd638ff004541