Web lists-archives.com

Re: [Samba] "wbinfo -u" considered harmful towards Winbindd...

> On 9 Dec 2018, at 21:06, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On Sun, 9 Dec 2018 20:20:00 +0100
> Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>> wrote:
>> Our setup:
>> Windows AD realm with ~115K users (and numerous groups etc)
>> FreeBSD servers with Samba 4.7.6 and Samba 4.9.3 (both show the same
>> growth)
>> We just noticed that one of the ‘winbindd’ daemons on the servers
>> seems to be growing and growing forever. A bit of detective work
>> pointed us at the “wbinfo -u” command being that culprit. As part of
>> a systems monitoring script we ran that once a minute (now disabled)
>> in order to see if all AD users were detected, but somehow that seems
>> to fail sometime and also cause the Winbindd daemon to grow around
>> 455MB per hour… the memory used is not a huge problem on the
>> production servers (they have 256GB RAM) so we didn’t notice this at
>> first (since we restart smbd&winbindd every morning at 7am) - but an
>> old test server with much less RAM ran out of memory around
>> 4:30am… :-)
>> smb.conf stuff related to Winbindd:
>>> ; Security type
>>> security = ADS
>>> realm = AD.LIU.SE
>>> workgroup = AD
>>> ;; ID Mappings
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000000001-2100000000
> Interesting range size, do you really need 99,999,999 users or groups
> for something where 999 is too large ?

Probably not. It’s just something that got left there from the initial testing.

>>> idmap config AD : backend = ad
>>> idmap config AD : range = 1-2000000000
>>> idmap config AD : schema_mode = rfc2307
>>> idmap config AD : unix_primary_group = yes
> Do your users and groups have uidNumber & gidNumber attributes ?

Yes. All (normal) users, around 110K of them have them set. And around 4000 of the 435404 groups have gidNumber also so.

> Why have you started at 1 ?

Because of old stuff in the AD. Probably could have started a little bit higher, especially nowadays when things have been cleaned up a bit.

>>> winbind nested groups = false
> It would be better if you turned the above on.

Perhaps. It takes “forever" with that enabled though. Same with enabling “enum” of users & groups.

However - we don’t really use Winbindd for uid/gid resolving on the file servers though. Due to it being too slow (initial logins would take many seconds/minutes before Winbindd had cached it all the first time) we generate a local database (BerkeleyDB-based) based on AD data (generated on another server) that then is used via a locally development nsswitch module) - so sub-second login times instead.. Winbindd here is mostly used for SID lookups for file ACLs and all other stuff that Smbd wants to use it for.

- Peter
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba