Hoogstraten, Ton wrote:

Thank you for your reply. I'm testing with 3.0.33 since that's the latest 
version Redhat is using in RHEL5 (Redhat has the habit of holding a version 
and doing backport patching). The 3.2.x version was marked for production and what 
I saw in FAQ was that the 3.4.x was still to experiment with?
IIUC 3.0 is in "dead" state and nearly unsupported by Samba team. 3.2 is in "End of life", 3.4 "current" and 4.x "testing". But I'm not an expert and surely someone else is authoritative about it.

If you mean the 'winbind enum users/groups' setting that has been turned off as 
suggested in the man pages. If activated it could crash a certain role AD 
controller. That's not something I can risk. But would that in normal behaviour 
not fill some kind of cache? If I increase the caching in theory that would 
perhaps reduce the number of queries required for a user at a given time. I 
don't know if it would be a problem setting this to 3 days so the cache could 
also pass over the weekend. Does not take away why it takes so long to query 
the AD.
IIUC, the only drawbacks in long lasting caches are related to slowing down updates propagation -- if you add a user to a group, it could take "too much" to actually apply the change to all domain members.

Is it always slow to query the AD? Would the 3.0.23d server that I need to 
upgrade be using more caching than the later versions by default?
As I said, I'm not an expert, but I always noticed it's quite slow.
Just tested: looking up "for the first time" (with 'id') a user in 12 groups took 49s, immediately rerunning 'id' took 'just' 1s. Running 'id' on other users (that I'm sure weren't in cache) took up to 2s, and seems it's just loosely correlated to the number of groups.
So it seems that just the first query is slow.

Since our AD trees are quite large (more than 20K users in one domain and more than 100K in the other... and really a lot more groups, not counting "secondary" domains), I don't think the whole trees can be cached in 49s with the first query (at least not on a 100Mbit link). Actually, if I enable enum users/groups, winbind takes some minutes to start up and needs a couple of GB RAM.

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: [email protected]