On Sun, 09 Mar 2014, Jason Woods wrote:

A follow up from previous email regarding my patch for ipa-sam to fix
"valid users = " group references in the samba server that comes with
ipa-server-trust-ad.  (Found here:

I noticed that ns-slapd CPU was excessive during multi-file copies
(like a git repository with thousands of files.) Debug level 10 logs
showed ipa-sam was performing multiple LDAP queries per file. One for
the user and others for the groups. Specifically in order to perform
gid/uid<->sid lookups.

I've pre-empted and raised as a bug with a proposed patch:

It does a few things:
1. idmap caching so the ldap calls are significantly reduced
2. when a gid lookup is received for the primary user group (so where
gid==uid), properly reflect the behaviour of the initial lookup that
happens during init by returning the Default SMB Group fallback group
3. don't bother with an LDAP call for uidNumber=0 (root) - since it never will
exist in FreeIPA according to my research
My CPU for ns-slapd is now 0. And file copies are much better and more
like normal.

This seems to fix all issues for me at the moment - and I guess all
what remains to do is extra features to make it more like the ldapsam.
It also looks like all that is needed to get the ipa-sam.so to work
without FreeIPA master local - is to allow the service principal access
to the ipaNTHash attribute. However, I can't see any current aci
referring to principals at the moment or even grouping of them into
types - probably because I'm taking the wrong thought-path - but if
anyone would like to discuss this that would be great.
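The three lookup rules listed above, modelled in an added Python sketch (not the ipa-sam patch itself) over a constructed in-memory stand-in for the directory so the LDAP round-trips can be counted. The SIDs, the fallback SID, and the extra uidNumber probe used to recognise a user private group are assumptions of this sketch.

```python
# Added illustration of the idmap lookup policy described in the message:
# cache results, skip uidNumber=0, and answer gid==uid with the fallback group.

DEFAULT_SMB_GROUP_SID = "S-1-5-21-0-0-0-513"  # constructed placeholder fallback

# Constructed stand-in for the LDAP tree: (attribute, number) -> SID.
# User 1001's private group has no group entry of its own (gid == uid case).
DIRECTORY = {
    ("uidNumber", 1001): "S-1-5-21-0-0-0-1001",
    ("gidNumber", 2000): "S-1-5-21-0-0-0-2000",
}


class IdmapResolver:
    def __init__(self, use_cache=True):
        self.use_cache = use_cache
        self.cache = {}
        self.ldap_calls = 0

    def _ldap(self, attr, number):
        self.ldap_calls += 1          # one round-trip to ns-slapd
        return DIRECTORY.get((attr, number))

    def _resolve(self, attr, number):
        if number == 0:               # rule 3: root never exists in FreeIPA
            return None
        sid = self._ldap(attr, number)
        if attr == "gidNumber" and sid is None:
            # rule 2 (assumed detection): no group entry, but a user with
            # uidNumber == gid exists -> primary user group -> fallback SID
            if self._ldap("uidNumber", number) is not None:
                return DEFAULT_SMB_GROUP_SID
        return sid

    def lookup(self, attr, number):
        if not self.use_cache:
            return self._resolve(attr, number)
        key = (attr, number)
        if key not in self.cache:     # rule 1: cache hits and misses alike
            self.cache[key] = self._resolve(attr, number)
        return self.cache[key]


def copy_tree_lookups(n_files, uid, gid, use_cache):
    """LDAP round-trips needed to copy n_files all owned by uid:gid."""
    resolver = IdmapResolver(use_cache)
    for _ in range(n_files):
        resolver.lookup("uidNumber", uid)
        resolver.lookup("gidNumber", gid)
    return resolver.ldap_calls
```

With a thousand files owned by 1001:1001 the uncached path costs three round-trips per file, the cached path three in total.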

Good. I'll take that bug and will review your patch in my queue. It
will, perhaps, take some time as I have some load with stabilization
work for 3.3.x.

Anyway, you are correct that we need a service principal to be allowed
to access it. In FreeIPA 4.0 (former 3.4) we'll have new permission
management system that should make these things easier and also SSSD
1.12 is going to give us a bit more help with Samba -- there will be
talk by Sumit Bose at SambaXP in May.

I also plan to make packaging easier by creating a sub-package for
ipasam.so so that it could be installed on an IPA client, not only on a
server. Ideally, with a tool that sets up Samba like
ipa-adtrust-server does, complete with creating all principals and

/ Alexander Bokovoy

