Public bug reported:

Context:

  Description: Ubuntu 12.04 LTS
  Release: 12.04

  samba:
    Installed: 2:3.6.3-2ubuntu2.3
    Candidate: 2:3.6.3-2ubuntu2.3
    Version table:
   *** 2:3.6.3-2ubuntu2.3 0
          500 ftp://debmirror.parkeon.com/ubuntu/ precise-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2:3.6.3-2ubuntu2.1 0
          500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
       2:3.6.3-2ubuntu2 0
          500 ftp://debmirror.parkeon.com/ubuntu/ precise/main amd64 Packages

Linux client, Ubuntu 12.04, SSO authentication against a Microsoft 2008 AD server, Winbind 3.6.3
(Ubuntu 12.04 LTS, Linux 3.2.0-27-generic, winbind 2:3.6.3-2ubuntu2.3)

Problem description:

I have discovered that setting the option "winbind normalize names = yes" causes the winbind client to send an LDAP search for each username/group resolution, even those in cache.

Setting this option to "No" makes winbind use the cache; setting winbind in offline mode works fine too (smbcontrol winbind offline).

This behavior causes heavy load on client/server when resolving a full tree of files, or simply slows down Apache SSO authentication based on winbind, as each web object read will cause multiple LDAP searches before serving.

How to reproduce:

Run the shell command

  # id pnomblot

This makes winbind send 3 LDAP searches to resolve the pnomblot alias (can be checked with wireshark).

  for i in {0..10}; do id pnomblot ;done

causes 30 LDAP searches to be sent to the LDAP server to resolve the same id.

For example, a deja-dup backup also causes millions of LDAP requests while parsing files ...

My smb.conf:

[global]
  workgroup = nomblot.org
  realm = nomblot.org
  security = ads
  domain master = no
  local master = no
  allow trusted domains = no
  socket options = TCP_NODELAY
  template homedir = /home/%U
  template shell = /bin/bash
  kerberos method = secrets and keytab
  password server = *
  client ntlmv2 auth = yes
  idmap config NOMBLOT:backend = ad
  idmap config NOMBLOT:default = yes
  idmap config NOMBLOT:schema_mode = rfc2307
  idmap config NOMBLOT:range = 500 - 300000000
  idmap config *:backend = ad
  idmap config *:range = 500 - 300000000
  idmap cache time = 1209600
  idmap negative cache time = 1209600
  username map cache time = 300
  winbind cache time = 300
  winbind expand groups = 10
  winbind use default domain = yes
  winbind refresh tickets = yes
  winbind nss info = rfc2307
  winbind offline logon = yes
  winbind enum users = no
  winbind enum groups = no
  winbind nested groups = yes
  winbind reconnect delay = 5
  winbind normalize names = yes
  dns proxy = no
  log file = /var/log/samba/log.%m
  log level = 0 idmap:0 winbind:1
  max log size = 1000
  obey pam restrictions = yes
  pam password change = yes
  name resolve order = host
  create krb5 conf = no
  private dir = /var/lib/samba
  state directory = /var/lib/samba
  cache directory = /var/cache/samba
  lock directory = /var/lib/samba
  pid directory = /var/run
  dos charset = ASCII
  unix charset = UTF8
  display charset = UTF8
  invalid users = root daemon bin sys sync games man lp ...
#end of smb.conf

Thanks for your help,
Patrick.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1034869

Title:
  winbind normalize names = yes disable winbind cache mechanism and cause LDAP heavy load / poor performances

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com