On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote:
> On 09/05/2013 04:00, Andrew Bartlett wrote:
> > On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
> >> Hi all,
> >>
> >> Is it a necessity to use the winbind nss module?
> >> I have run a few tests and having it enabled creates a massive
> >> bottleneck. It's not nss_winbind itself that is the bottleneck but
> >> something in the background (I'm guessing uid/rid->username code).
> >> If I disable winbind in nsswitch.conf what impact will it have? Will the
> >> system continue to work?
> >> Please note this last test shows that it is not the nss_winbind module
> >> that is slow; it is something 'behind the scenes'.
> >> Also note that this is not just applicable to the sysvolreset (it was
> >> just a convenient method of testing). Copying a directory consisting of
> >> many small files (eg a Windows roaming profile) can be excruciatingly
> >> slow! 50s+ for a 50mb folder!
> >> I am sure that it is not a network or drive limitation, copying the
> >> folder locally and via NFS happen very quickly and copying the same
> >> folder from a standalone S3 install on the same hardware is 'fast' also.
> > The issue is that the winbind in the Samba 4.0 AD DC is incredibly
> > inefficient. It is required for the [homes] share to work, but we try
> > to avoid needing it for other things.
> >
> > I understand this is incredibly frustrating, but what this highlights is
> > that we really, really need to start on the project to replace it with
> > running the winbindd code from source3. The challenge is that this is a
> > lot of work, which will cause disruption in other parts of the system as
> > we generalise stuff and add the plugins we need to hook into the AD DC.
> >
> > I'm increasingly of the view that this will need to be a priority soon,
> > but it's still hard to get stuck into this stuff.
> >
> > Andrew Bartlett
> >
> I see, I had figured it would be something along those lines. I for one,
> would love to see this pushed up the todo list! It seems like quite a
> large issue!
>
> So, are you saying that I can split the system into one AD DC serving
> home directories (with nss_winbind enabled) and all other files being
> served from a different AD DC with nss_winbind disabled. I appreciate
> this makes seeing permissions on Linux that bit more tricky, but seeing
> as there aren't any real tools for manipulating them yet it's only a
> nicety. Would it make much of a difference?


Making it a member server and a DC would be the better combination.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
