Context :

Linux client, Ubuntu 12.04, SSO authentication against a Microsoft 2008 AD server, Winbind 3.6.3 (Ubuntu 12.04 LTS, Linux 3.2.0-27-generic, winbind 2:3.6.3-2ubuntu2.3)


I have discovered that setting the option "winbind normalize names = yes" causes the winbind client to send an LDAP search for each username/group resolution, even for those already in the cache. Setting this option to "No" makes winbind use the cache; setting winbind to offline mode works fine too (smbcontrol winbind offline). This behavior causes heavy load on client/server when resolving a full file tree, or simply slows down Apache SSO authentication based on winbind, as each web object read will cause multiple LDAP searches before serving.

How to reproduce :

Running the shell command

# id pnomblot

will make winbind send 3 LDAP searches to resolve the pnomblot alias (can be checked with Wireshark), and

for i in {0..10}; do id pnomblot ;done

causes 30 LDAP searches to be sent to the LDAP server to resolve the same id.



My smb.conf :

[global]
        workgroup = nomblot.org
        realm = nomblot.org
        security = ads
        domain master = no
        local master = no
        allow trusted domains = no
        socket options = TCP_NODELAY
        template homedir = /home/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
        password server = *
        client ntlmv2 auth = yes
        idmap config NOMBLOT:backend = ad
        idmap config NOMBLOT:default = yes
        idmap config NOMBLOT:schema_mode = rfc2307
        idmap config NOMBLOT:range = 500 - 300000000
        idmap config *:backend = ad
        idmap config *:range = 500 - 300000000
        idmap cache time = 1209600
        idmap negative cache time = 1209600
        username map cache time = 300
        winbind cache time = 300
        winbind expand groups = 10
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307
        winbind offline logon = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind reconnect delay = 5
        winbind normalize names = yes
        dns proxy = no
        log file = /var/log/samba/log.%m
        log level = 0 idmap:0 winbind:1
        max log size = 1000
        obey pam restrictions = yes
        pam password change = yes
        name resolve order = host
        create krb5 conf = no
        private dir = /var/lib/samba
        state directory = /var/lib/samba
        cache directory = /var/cache/samba
        lock directory = /var/lib/samba
        pid directory = /var/run
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        invalid users = root daemon bin sys sync games man lp ...
#end of smb.conf


Hope this can help the Samba project.

Any useful comment is appreciated.

Thanks,

Patrick.
--

        Patrick Nomblot
Systems & Networks Engineer
Parkeon

        Parc Lafayette - 6 rue Isaac Newton
25075 Besancon - Cedex 9 - France
Phone +33(0) 381 545 212
Mobile +33(0) 633 323 423
Fax +33(0) 381 527 638
[email protected]
www.parkeon.com
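A small audit script for the setting discussed in this post, added here as an example (it is not part of the post nor of Samba): it parses an smb.conf [global] section and flags "winbind normalize names = yes" together with the cache settings it silently defeats. The embedded smb.conf is a constructed, trimmed copy of the poster's file; the flagged behaviour is the one reported for winbind 3.6.3.

```python
"""Flag smb.conf settings that make winbind bypass its name cache."""
import configparser
import io

# Constructed sample: a trimmed copy of the [global] section from the post.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = nomblot.org
        security = ads
        template homedir = /home/%U
        idmap config NOMBLOT:backend = ad
        idmap cache time = 1209600
        winbind cache time = 300
        winbind normalize names = yes
        winbind use default domain = yes
#end of smb.conf
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_global(text):
    """Return the [global] section as a dict with samba-style normalized keys."""
    # smb.conf only uses '=' as a separator; ':' occurs inside keys such as
    # "idmap config NOMBLOT:backend", so the default ':' delimiter must go.
    # interpolation=None keeps values like "/home/%U" from being rejected.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    # samba ignores case and surrounding whitespace in parameter names
    cp.optionxform = lambda key: " ".join(key.lower().split())
    # strip indentation so configparser does not treat lines as continuations
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp.read_file(io.StringIO(flat))
    return dict(cp["global"]) if cp.has_section("global") else {}


def audit_winbind_cache(conf):
    """Return findings (empty list means the winbind cache should be honoured)."""
    findings = []
    normalize = conf.get("winbind normalize names", "no").strip().lower()
    cache_time = int(conf.get("winbind cache time", "300"))
    if normalize in TRUE_VALUES:
        findings.append("winbind normalize names = yes: every lookup goes to LDAP, "
                        f"so 'winbind cache time = {cache_time}' has no effect")
    if cache_time == 0:
        findings.append("winbind cache time = 0: caching disabled outright")
    return findings


if __name__ == "__main__":
    for finding in audit_winbind_cache(parse_global(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run it against `testparm -s` output to check a live host; with the option set to "no" the audit returns no findings.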
