Bug 6771 - Too much init_sam_from_ldap per user
Summary: Too much init_sam_from_ldap per user
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: User & Group Accounts (show other bugs)
Version: 3.3.7
Hardware: x86 Linux
: P3 critical
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-30 07:39 UTC by Bruno MACADRE
Modified: 2009-10-07 04:56 UTC (History)
0 users

See Also:

Attachments
My smb.conf (2.68 KB, text/plain)
2009-09-30 07:45 UTC, Bruno MACADRE 		no flags Details
Sample of a workstation logfile (1.97 KB, text/plain)
2009-09-30 07:49 UTC, Bruno MACADRE 		no flags Details
Logfile of one connection of a user with log level 10 activated (736.76 KB, application/octet-stream)
2009-10-06 10:31 UTC, Bruno MACADRE 		no flags Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bruno MACADRE 2009-09-30 07:39:53 UTC 
Hi,

I'm working on a big problem with a Samba PDC 3.3.7 with an OpenLDAP Backend.

The problem is, when a user try to log into a WinXP WorkStation, the Samba Server scan ALL the accounts in the LDAP (about 550 accounts for me). This behavior is the same for ALL users who try to log into ALL workstations (about 250). Finally the connexion succeed but it need to wait a little (about 10 seconds if this user is the only one to try to connect at this time).

The problem was bigger when (for practices sessions purpose) i've between 16 and 64 users trying to connect at the same time... the SAMBA server scan ALL accounts during each connexion (between 16 and 64 at the same time...). This results in a dramatically increase of the load average of the LDAP server, and a dramaticaly increase of the time a user need to wait to work on his workstation... When 2 working sessions starts at the same time (i.e. when about 30 users try to connect at the same time), the users must wait about 15 minutes before starting to work.

When i read the log for a workstation i see after the loading of the win profile multiples lines like : "init_sam_from_ldap: Entry found for user: user1"... In my case this line appears 551 times (with a different username on each)... this 551 "init_sam_from_ldap" must be multiplied by the number of workstation (about 250). So it's not abnormal that a connexion need 15 minutes to proceed when 30 users try to connect at the same time.

I'll put my smb.conf and a sample of workstation log file in attachment.
Comment 1 Bruno MACADRE 2009-09-30 07:45:59 UTC 
Created attachment 4764 [details]
My smb.conf

My smb.conf
Comment 2 Bruno MACADRE 2009-09-30 07:49:53 UTC 
Created attachment 4765 [details]
Sample of a workstation logfile

Sample of a workstation logfile. We can see lines like "init_sam_from_ldap", in reality this line appears 551 times.
Comment 3 Bruno MACADRE 2009-09-30 07:55:29 UTC 
(In reply to comment #0)
Just for information, in Samba 3.4.1 i've got the same behavior
Comment 4 Volker Lendecke 2009-10-05 14:35:53 UTC 
(In reply to comment #2)
> Created an attachment (id=4765) [details]
> Sample of a workstation logfile
> 
> Sample of a workstation logfile. We can see lines like "init_sam_from_ldap", in
> reality this line appears 551 times.
> 

Please supply a full debug level 10 log of such a login.

Volker
Comment 5 Bruno MACADRE 2009-10-06 04:53:15 UTC 
(In reply to comment #4)
> (In reply to comment #2)
> > Created an attachment (id=4765) [details] [details]
> > Sample of a workstation logfile
> > 
> > Sample of a workstation logfile. We can see lines like "init_sam_from_ldap", in
> > reality this line appears 551 times.
> > 
> 
> Please supply a full debug level 10 log of such a login.
> 
> Volker
> 

Hi,

I've made a log level 10 for a connexion process of one user over one WinXP Pro Workstation. I've kept my smb.conf (cf attachment) unchanged, i've just added "ldapsam:trusted=yes", like you said on samba-list.

The logfile is huge (about 40Mb), the scan of the entire LDAP take a lot of lines ^^, so i can't attach this here. But you can find my log file at this URL :
http://dl.free.fr/vM7TdMTFM

Thanks by advance,
Bruno
Comment 6 Volker Lendecke 2009-10-06 05:15:22 UTC 
How much is it if you compress it with bzip2 -9? If it's less than, say, 5MB, send it to me directly. Somehow this overloaded "free" download site does not give it to me. Probably this is only for IE8 users :-(

Volker
Comment 7 Bruno MACADRE 2009-10-06 10:30:06 UTC 
(In reply to comment #6)
> How much is it if you compress it with bzip2 -9? If it's less than, say, 5MB,
> send it to me directly. Somehow this overloaded "free" download site does not
> give it to me. Probably this is only for IE8 users :-(
> 
> Volker
> 
Why i don't think to compress it... i'm so stupid sometimes :'( ... So compressed its size is about 800Kb ^^ I send it to you now and put it in attachement if anybody else want to check it.

DL Free site works with every browser, i never use Windows so i don't have IE at all. I'm working with firefox 2.0.0.20 and 3.5.2 !

Regards,
Bruno
Comment 8 Bruno MACADRE 2009-10-06 10:31:11 UTC 
Created attachment 4789 [details]
Logfile of one connection of a user with log level 10 activated
Comment 9 Volker Lendecke 2009-10-06 12:27:18 UTC 
Set "hide unreadable = no" on the [netlogon] share.

I'm closing this bug as invalid, this is a configuration issue. Please re-open with a new log file if that does not help.

Volker
Comment 10 Bruno MACADRE 2009-10-07 04:56:02 UTC 
(In reply to comment #9)
> Set "hide unreadable = no" on the [netlogon] share.
> 
> I'm closing this bug as invalid, this is a configuration issue. Please re-open
> with a new log file if that does not help.
> 
> Volker
> 
It works !! Thanks a lot. It's a strange behavior for this simple configuration issue, but when i read the log, it's logical...

Thanks again,
Bruno