Bug 1561 - High load on Samba PDCs with Samba Member Servers and LDAP passdb backend
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.4
Hardware: Other Linux
: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-07-26 06:39 UTC by Lars Scheiter
Modified: 2005-08-24 10:21 UTC
Description Lars Scheiter 2004-07-26 06:39:28 UTC
We are currently in the process of updating a Windows NT driven network completely to Samba. The main structure is as follows:
- one PDC with a master LDAP server
- several Samba member servers with slave LDAPs, ACLs and Winbind for nss

We wrote some scripts to migrate NT's SAM to LDAP and switched over to the Samba PDC, which currently works very well.
In the second step we tried to set up Samba member servers to switch off those NT machines.
Everything was set up as described in The Official Samba-3 HOWTO and Reference Guide.
During testing we discovered a major problem with Winbind in conjunction with a Samba PDC:
If we tried to do a "getent group" on one of the member servers, the PDC's load went through the roof and rendered the system nearly unusable. The problem was the Samba server, which was working hard on "discovering" the users which it found in the groups.
The problem seems to be that Winbind requests a list of groups, then Samba tries to find EVERY user in that group. Now if you have a broken group entry with one or more users which are not in the DIT, Samba simply loops.
Well okay, that should normally not happen, but I think this is a Samba bug ;)

The second problem, which is by far worse, is that Samba always tries to find every user in every group, which brings LDAP to its knees. We have an av. of 500+ users and ca. 170 groups, and some groups have a high amount of users in them. Well, now we got to the point where we try to do nss lookups via "getent group" on the members and we were not able to do a reasonable lookup of group information. "wbinfo -g" works, by the way.
In the meantime the PDC gets a very high load from some slapd which are trying to find every user in the DIT multiple times (timeout problems?)
This behavior is reproducible on different machines :(

Since I don't know which information might be useful for you, I will not attach any files to this bug for now, but I can produce any debug log you may wish :)
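An added example, not part of the original report and not Samba code: the script below audits an LDIF export for the "broken group" condition described above (group members with no matching account in the DIT) and counts how many per-member user resolutions a full group enumeration implies under the behaviour the report describes. It assumes RFC 2307-style `posixGroup`/`memberUid` and `posixAccount`/`uid` entries; the sample directory and all names in it are constructed.

```python
from collections import defaultdict

# Constructed sample export; all names are hypothetical.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: bob

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
memberUid: alice
memberUid: bob

dn: cn=legacy,ou=Groups,dc=example,dc=org
objectClass: posixGroup
memberUid: alice
memberUid: carol
memberUid: dave
"""

def parse_ldif(text):
    """Yield {attr: [values]} per entry. Handles plain 'attr: value' lines
    only; base64 ('attr::') values and folded lines are skipped."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not attr.endswith(":") and not line.startswith((" ", "#")):
                entry[attr.lower()].append(value.strip())
        if entry:
            yield entry

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry["objectclass"])

def audit_groups(text):
    """Return (dangling members per group DN, member lookups, known users)."""
    entries = list(parse_ldif(text))
    users = {u for e in entries if has_class(e, "posixAccount") for u in e["uid"]}
    dangling, lookups = {}, 0
    for e in (e for e in entries if has_class(e, "posixGroup")):
        lookups += len(e["memberuid"])  # one user resolution per listed member
        missing = sorted(set(e["memberuid"]) - users)
        if missing:
            dangling[e["dn"][0]] = missing
    return dangling, lookups, len(users)

if __name__ == "__main__":
    print(audit_groups(SAMPLE_LDIF))
```
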
Comment 1 Sergio Roberto Claser 2004-08-25 11:05:05 UTC
(In reply to comment #0)
We had the same problem with version 3.0.5, broken groups put Samba in a loop.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-08-25 11:45:42 UTC
Please retest.  This should be better in 3.0.6.  Thanks.  Marking as fixed.
Please reopen if that is not the case.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:21:17 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.