Web lists-archives.com

Re: [Samba] "wbinfo -u" considered harmful towards Winbindd...




On Sun, 9 Dec 2018 20:20:00 +0100
Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Our setup:
> Windows AD realm with ~115K users (and numerous groups etc)
> FreeBSD servers with Samba 4.7.6 and Samba 4.9.3 (both show the same
> growth)
> 
> We just noticed that one of the ‘winbindd’ daemons on the servers
> seems to be growing and growing forever. A bit of detective work
> pointed us at the “wbinfo -u” command being that culprit. As part of
> a systems monitoring script we ran that once a minute (now disabled)
> in order to see if all AD users were detected, but somehow that seems
> to fail sometime and also cause the Winbindd daemon to grow around
> 455MB per hour… the memory used is not a huge problem on the
> production servers (they have 256GB RAM) so we didn’t notice this at
> first (since we restart smbd&winbindd every morning at 7am) - but an
> old test server with much less RAM ran out of memory around
> 4:30am… :-)
> 
> smb.conf stuff related to Winbindd:
> 
> > ; Security type
> > security = ADS
> > realm = AD.LIU.SE
> > workgroup = AD
> > 
> > ;; ID Mappings
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000001-2100000000

Interesting range size, do you really need 99,999,999 users or groups
for something where 999 is too large ?

> > idmap config AD : backend = ad
> > idmap config AD : range = 1-2000000000
> > idmap config AD : schema_mode = rfc2307
> > idmap config AD : unix_primary_group = yes

Do your users and groups have uidNumber & gidNumber attributes ?
Why have you started at 1 ?

> 
> 
> > winbind nested groups = false

It would be better if you turned the above on.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba