Re: [Samba] "wbinfo -u" considered harmful towards Winbindd...
- Date: Sun, 9 Dec 2018 22:31:09 +0100
- From: Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] "wbinfo -u" considered harmful towards Winbindd...
> On 9 Dec 2018, at 21:06, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On Sun, 9 Dec 2018 20:20:00 +0100
> Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> Our setup:
>> Windows AD realm with ~115K users (and numerous groups etc)
>> FreeBSD servers with Samba 4.7.6 and Samba 4.9.3 (both show the same
>> We just noticed that one of the ‘winbindd’ daemons on the servers
>> seems to be growing and growing forever. A bit of detective work
>> pointed us at the “wbinfo -u” command being the culprit. As part of
>> a systems monitoring script we ran that once a minute (now disabled)
>> in order to see if all AD users were detected, but somehow that seems
>> to fail sometimes and also cause the Winbindd daemon to grow around
>> 455MB per hour… the memory used is not a huge problem on the
>> production servers (they have 256GB RAM) so we didn’t notice this at
>> first (since we restart smbd&winbindd every morning at 7am) - but an
>> old test server with much less RAM ran out of memory around
>> 4:30am… :-)
>> smb.conf stuff related to Winbindd:
>>> ; Security type
>>> security = ADS
>>> realm = AD.LIU.SE
>>> workgroup = AD
>>> ;; ID Mappings
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000000001-2100000000
> Interesting range size, do you really need 99,999,999 users or groups
> for something where 999 is too large?
Probably not. It’s just something that got left there from the initial testing.
>>> idmap config AD : backend = ad
>>> idmap config AD : range = 1-2000000000
>>> idmap config AD : schema_mode = rfc2307
>>> idmap config AD : unix_primary_group = yes
> Do your users and groups have uidNumber & gidNumber attributes ?
Yes. All (normal) users, around 110K of them, have them set. And around 4000 of the 435404 groups also have gidNumber set.
> Why have you started at 1 ?
Because of old stuff in the AD. Probably could have started a little bit higher, especially nowadays when things have been cleaned up a bit.
>>> winbind nested groups = false
> It would be better if you turned the above on.
Perhaps. It takes “forever” with that enabled though. Same with enabling “enum” of users & groups.
However, we don’t really use Winbindd for uid/gid resolving on the file servers. Due to it being too slow (initial logins would take many seconds/minutes before Winbindd had cached it all the first time) we generate a local database (BerkeleyDB-based) from AD data (generated on another server) that is then used via a locally developed nsswitch module, so sub-second login times instead. Winbindd here is mostly used for SID lookups for file ACLs and all the other stuff that Smbd wants to use it for.
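
The monitoring script described above ran `wbinfo -u` once a minute, which makes winbindd enumerate every one of the ~115K users on each run. A lighter health check that never walks the user list, given here as an added example that is not part of this thread and not Samba's own code: it pings winbindd (`wbinfo -p`), verifies the machine account trust (`wbinfo -t`), resolves one known name to a SID (`wbinfo -n`), and records the daemon's resident set between runs so the kind of growth reported here trips an alarm long before a box runs out of memory. The canary account name, the state file path, both thresholds and the script's file name are assumptions to be adjusted per site.

```shell
#!/bin/sh
# winbindd_check.sh: added example, not from the thread or from Samba.
# Health check for winbindd that avoids "wbinfo -u" (full user enumeration).
# Assumptions: POSIX sh, wbinfo in PATH, ps(1) accepting "-A -o rss=,comm="
# (FreeBSD and Linux procps both do), and a canary account that must resolve.
# CANARY, STATE and the two thresholds are placeholders to adjust per site.

CANARY="${CANARY:-AD\\someuser}"             # assumed account, DOMAIN\user form
STATE="${STATE:-/var/tmp/winbindd_rss.last}" # previous RSS sample (KiB)
RSS_LIMIT_KB="${RSS_LIMIT_KB:-1048576}"      # absolute alarm: 1 GiB of winbindd RSS
RSS_GROWTH_KB="${RSS_GROWTH_KB:-4096}"       # per-run alarm: 4 MiB growth since last run

# Total resident set (KiB) of all winbindd processes; prints 0 if none is running.
winbindd_rss_kb() {
    ps -A -o rss=,comm= 2>/dev/null | awk '$2 ~ /winbindd/ { s += $1 } END { print s + 0 }'
}

# Pure helper: growth between two RSS samples, in KiB (may be negative).
rss_delta_kb() {
    echo $(( $2 - $1 ))
}

# Pure helper: succeeds (exit 0) when growth from $1 to $2 exceeds $3 KiB.
rss_growth_exceeds() {
    [ "$(rss_delta_kb "$1" "$2")" -gt "$3" ]
}

# Cheap liveness probes. None of them enumerates users or groups:
#   wbinfo -p  ping the daemon
#   wbinfo -t  verify the machine account's trust secret against a DC
#   wbinfo -n  resolve one name to a SID through winbindd
probe_winbindd() {
    wbinfo -p >/dev/null 2>&1 || { echo "winbindd: not responding (wbinfo -p)"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "winbindd: trust secret check failed (wbinfo -t)"; return 1; }
    wbinfo -n "$CANARY" >/dev/null 2>&1 || { echo "winbindd: cannot resolve $CANARY (wbinfo -n)"; return 1; }
    return 0
}

# One monitoring run: probes plus memory checks. Returns 1 on any finding.
check_winbindd() {
    rc=0
    probe_winbindd || rc=1

    cur=$(winbindd_rss_kb)
    if [ "$cur" -gt "$RSS_LIMIT_KB" ]; then
        echo "winbindd: RSS ${cur} KiB above limit ${RSS_LIMIT_KB} KiB"
        rc=1
    fi
    # Growth is only judged against a previous sample, so the first run
    # (cache still filling after a restart) never raises a false alarm.
    if [ -r "$STATE" ]; then
        prev=$(cat "$STATE")
        if rss_growth_exceeds "$prev" "$cur" "$RSS_GROWTH_KB"; then
            echo "winbindd: RSS grew $(rss_delta_kb "$prev" "$cur") KiB since last run"
            rc=1
        fi
    fi
    echo "$cur" > "$STATE"
    return $rc
}

# Run the check only when invoked as "sh winbindd_check.sh run", so the
# helpers above can also be sourced from another script.
if [ "${1:-}" = "run" ]; then
    check_winbindd
fi
```

Run it from cron once a minute as `sh winbindd_check.sh run` and alert on a non-zero exit. Of the three probes only `wbinfo -t` makes a round trip to a domain controller, so a one-minute interval is cheap, and the growth threshold should sit well below the ~7.6 MiB per minute that 455 MB per hour works out to, otherwise a leak of exactly that rate slips under it. The state file keeps the growth check honest across runs; delete it after a deliberate restart of winbindd so the drop in RSS is not recorded as a baseline.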