Marlys Nelson wrote:
The PDC appears to request ALL groups from LDAP, using the search (objectclass=sambaGroupMapping). In our case, this is nearly 14,000 entries and it can take almost 10 minutes to retrieve those from LDAP when there are hundreds trying at once. Indexing doesn't help in this case because samba is asking for ALL groups.
...
Is there any way to make samba do a more targeted lookup of groups, perhaps only those groups where the user is a member?

I think it's possible. As far as I can see, the problem is in the rpc_server/srv_util.c:get_domain_user_groups implementation, which retrieves all groups and then sorts them out. Unfortunately, the fix isn't that simple, since the interface to backends (include/passdb.h:struct pdb_methods) has only one method to list groups: enum_group_mapping().

The solution could be to introduce another method to the above interface (enum_user_groups()?) or to extend enum_group_mapping() to accept an extra argument (user account name). The problem with the first solution is that this method would repeat almost everything enum_group_mapping does for all backends, except that in the ldapsam backend it will have an extra (memberUid=<user>) filter. The problem with the second is that all calls to enum_group_mapping would need to be altered to accept an extra argument.

I'll try to see what I can do.
Cheers,
Igor
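
The targeted lookup discussed in this thread, as an added example that is not part of the original messages and is not Samba code: it builds a per-user group filter with the memberUid value escaped per RFC 4515, since the account name comes from the client. The function names, the AND-combined filter shape and the 256-byte name cap are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Samba): escape a value for an LDAP search
 * filter per RFC 4515. Returns 0 on success, -1 if dst is too small. */
static int ldap_filter_escape(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= dstlen)
            return -1;                      /* keep room for the terminator */
        if (special) {                      /* emit backslash + two hex digits */
            dst[o++] = '\\';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical: build the filter a per-user group lookup would send instead
 * of the unfiltered (objectclass=sambaGroupMapping) search. */
int build_user_groups_filter(const char *user, char *out, size_t outlen)
{
    char esc[3 * 256 + 1];                  /* assumed cap on name length */
    int n;

    if (user == NULL || *user == '\0')
        return -1;                          /* never fall back to "all groups" */
    if (ldap_filter_escape(user, esc, sizeof(esc)) != 0)
        return -1;
    n = snprintf(out, outlen,
                 "(&(objectclass=sambaGroupMapping)(memberUid=%s))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char f[128];                            /* constructed sample account name */
    if (build_user_groups_filter("ops(admin)", f, sizeof(f)) == 0)
        puts(f);
    return 0;
}
```

With an equality index on memberUid, the directory can answer this filter from the index instead of returning every sambaGroupMapping entry.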
