A follow-up from the previous email regarding my patch for ipa-sam to fix "valid
users = " group references in the samba server that comes with

I noticed that ns-slapd CPU was excessive during multi-file copies (like a git
repository with thousands of files).
Debug level 10 logs showed ipa-sam was performing multiple LDAP queries per
file: one for the user and others for the groups, specifically in order to
perform gid/uid<->sid lookups.
I've pre-empted and raised as a bug with a proposed patch:
It does a few things:
1. idmap caching, so the LDAP calls are significantly reduced
2. when a gid lookup is received for the primary user group (so where gid==uid),
   properly reflect the behaviour of the initial lookup that happens during init
   by returning the Default SMB Group fallback group
3. don't bother with an LDAP call for uidNumber=0 (root) - since it will never
   exist in FreeIPA according to my research
My CPU for ns-slapd is now 0. And file copies are much better and more like
This seems to fix all issues for me at the moment - and I guess all that
remains to do is extra features to make it more like the ldapsam.
It also looks like all that is needed to get the ipa-sam.so to work without
FreeIPA master local - is to allow the service principal access to the
ipaNTHash attribute. However, I can't see any current ACI referring to
principals at the moment or even grouping of them into types - probably because
I'm taking the wrong thought-path - but if anyone would like to discuss this
that would be great.
Hope the patch helps!
Freeipa-users mailing list
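
The three behaviours listed in the message above (cache the ID-to-SID result, answer the gid==uid case with the fallback group, never query for uidNumber=0), sketched as an added example; this is not the patch from the bug report and not ipa-sam code. The function names, the SID strings, the `owner_uid` parameter and the stubbed LDAP call are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 64
/* Constructed placeholder SID for the "Default SMB Group" fallback. */
#define DEFAULT_SMB_GROUP_SID "S-1-5-21-1-2-3-1001"

struct idmap_entry { uint32_t id; int is_gid; int used; char sid[64]; };
static struct idmap_entry cache[CACHE_SLOTS];
static int ldap_calls;              /* simulated directory round trips */

/* Hypothetical stand-in for the LDAP search; returns constructed SIDs. */
static int ldap_id_to_sid(uint32_t id, int is_gid, char *sid, size_t len)
{
    ldap_calls++;
    snprintf(sid, len, "S-1-5-21-1-2-3-%u",
             (unsigned)(id % 100000) + (is_gid ? 100000u : 0u));
    return 0;
}

/* Returns 0 and fills sid, or -1 when no mapping exists.
 * owner_uid (assumption): uid of the user the request is made for. */
int idmap_lookup(uint32_t id, int is_gid, uint32_t owner_uid,
                 char *sid, size_t len)
{
    if (!is_gid && id == 0)
        return -1;                  /* item 3: root is never looked up */
    if (is_gid && id == owner_uid) {
        snprintf(sid, len, "%s", DEFAULT_SMB_GROUP_SID);
        return 0;                   /* item 2: primary group fallback */
    }
    struct idmap_entry *e = &cache[(id * 2u + (unsigned)is_gid) % CACHE_SLOTS];
    if (e->used && e->id == id && e->is_gid == is_gid) {
        snprintf(sid, len, "%s", e->sid);
        return 0;                   /* item 1: served from the cache */
    }
    if (ldap_id_to_sid(id, is_gid, sid, len) != 0)
        return -1;
    e->id = id; e->is_gid = is_gid; e->used = 1;
    snprintf(e->sid, sizeof(e->sid), "%s", sid);
    return 0;
}

int ldap_call_count(void) { return ldap_calls; }

int main(void)
{
    char sid[64];
    for (int i = 0; i < 1000; i++)  /* 1000 "files" owned by uid 5000 */
        idmap_lookup(5000, 0, 5000, sid, sizeof(sid));
    printf("%s after %d LDAP call(s)\n", sid, ldap_call_count());
    return 0;
}
```

The cache in this sketch never expires an entry, so a changed mapping in the directory is not seen until the process restarts; a per-entry lifetime would bound that staleness.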