[Bug 1034869] [NEW] winbind normalize names = yes disables the winbind cache mechanism and causes heavy LDAP load / poor performance

pnomblot 1034869 at bugs.launchpad.net
Thu Aug 9 12:27:31 UTC 2012


Public bug reported:

Context :

Description:	Ubuntu 12.04 LTS
Release:	12.04

samba:
  Installed: 2:3.6.3-2ubuntu2.3
  Candidate: 2:3.6.3-2ubuntu2.3
  Version table:
 *** 2:3.6.3-2ubuntu2.3 0
        500 ftp://debmirror.parkeon.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:3.6.3-2ubuntu2.1 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2:3.6.3-2ubuntu2 0
        500 ftp://debmirror.parkeon.com/ubuntu/ precise/main amd64 Packages


Linux client Ubuntu 12.04, SSO authentication against a Microsoft 2008 AD server, Winbind 3.6.3 (Ubuntu 12.04 LTS, Linux 3.2.0-27-generic, winbind 2:3.6.3-2ubuntu2.3)

Problem Description:

I have discovered that setting the option "winbind normalize names = yes"
causes the winbind client to send an LDAP search for each username/group
resolution, even for those in the cache. Setting this option to "No" makes
winbind use the cache; setting winbind to offline mode works fine too
(smbcontrol winbind offline). This behavior causes heavy load on
client/server when resolving a full file tree, or simply slows down Apache
SSO authentication based on winbind, as each web object read will cause
multiple LDAP searches before serving.

How to reproduce:

Run the shell command

# id pnomblot

which will make winbind send 3 LDAP searches to resolve the pnomblot alias (can be
checked with Wireshark)

for i in {0..10}; do id pnomblot ;done

causes 30 LDAP searches to be sent to the LDAP server to resolve the same id.

For example, a deja-dup backup also causes millions of LDAP requests while
parsing files ...


My smb.conf:

[global]
        workgroup = nomblot.org
        realm = nomblot.org
        security = ads
        domain master = no
        local master = no
        allow trusted domains = no
        socket options = TCP_NODELAY
        template homedir = /home/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
        password server = *
        client ntlmv2 auth = yes
        idmap config NOMBLOT:backend = ad
        idmap config NOMBLOT:default = yes
        idmap config NOMBLOT:schema_mode = rfc2307
        idmap config NOMBLOT:range = 500 - 300000000
        idmap config *:backend = ad
        idmap config *:range = 500 - 300000000
        idmap cache time = 1209600
        idmap negative cache time = 1209600
        username map cache time = 300
        winbind cache time = 300
        winbind expand groups = 10
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307
        winbind offline logon = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind reconnect delay = 5
        winbind normalize names = yes
        dns proxy = no
        log file = /var/log/samba/log.%m
        log level = 0 idmap:0 winbind:1
        max log size = 1000
        obey pam restrictions = yes
        pam password change = yes
        name resolve order = host
        create krb5 conf = no
        private dir = /var/lib/samba
        state directory = /var/lib/samba
        cache directory = /var/cache/samba
        lock directory = /var/lib/samba
        pid directory = /var/run
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        invalid users = root daemon bin sys sync games man lp ...
#end of smb.conf


Thanks for your help

Patrick.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New
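A way to quantify the behaviour described in the report, added here as an example and not taken from the bug report or from Samba: it counts the LDAP searchRequest packets winbindd sends while `id` is run N times, so a working cache (searches only on the first lookup) can be told apart from a search on every lookup. It assumes tshark is installed, the AD DC is reached over TCP 389/3268, and root privileges for the capture; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): count the LDAP searchRequests winbindd
# sends while "id" is run N times. With a working cache only the first lookup
# should reach the directory; the report above describes searches on every call.
# Assumes tshark is installed, the AD DC answers on TCP 389/3268, and root for
# the packet capture. Function names are hypothetical.

# Run N lookups of USER while tshark writes a one-packet-per-line summary of
# LDAP traffic to OUTFILE.
capture_lookups() {
    user="$1"; n="$2"; outfile="$3"
    tshark -l -i any -f 'tcp port 389 or tcp port 3268' -Y ldap >"$outfile" 2>/dev/null &
    pid=$!
    sleep 2                                   # let tshark attach first
    i=0
    while [ "$i" -lt "$n" ]; do id "$user" >/dev/null 2>&1; i=$((i + 1)); done
    sleep 2                                   # flush trailing packets
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null || true
}

# Number of LDAP searchRequest packets in a tshark summary export
# (searchResEntry/searchResDone lines do not match and are not counted).
count_searches() {
    grep -c 'searchRequest' "$1" || true
}

# Report searches per lookup. Exit 0 when the cache absorbed the repeats
# (fewer searches than lookups), 1 when every lookup hit the directory.
check_cache() {
    n="$1"; outfile="$2"
    total=$(count_searches "$outfile")
    echo "$total LDAP searches for $n lookups ($((total / n)) per lookup)"
    [ "$total" -lt "$n" ]
}

# Usage: ./ldapcount.sh USER N   (e.g. ./ldapcount.sh pnomblot 10)
if [ "$#" -ge 2 ]; then
    out=$(mktemp)
    capture_lookups "$1" "$2" "$out"
    check_cache "$2" "$out"
fi
```

Run it once with `winbind normalize names = yes` and once with `no` (restart winbindd in between) and compare the per-lookup figure; an exit status of 1 means the repeats still went to LDAP.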

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1034869
