Re: [Samba] Is nss_winbind required?
On 09/05/2013 09:56, Andrew Bartlett wrote: On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote: On 09/05/2013 04:00, Andrew Bartlett wrote: On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote: Hi all, Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid->username code). If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work? Please note this last test shows that it is not the nss_winbind module that it slow it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happen very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also. The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things. I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff. Andrew Bartlett I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue! So, are you saying that I can split the system into one AD DC serving home directories (with nss_windbind enabled) and all other files being served from a different AD DC with nss_winbind disabled. I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference? Making it a member server and a DC would be the better combination. Andrew Bartlett Hiya, Having re-read your message. Is your suggestion to have an AD DC serving home directories and member servers (as described here: https://wiki.samba.org/index.php/Samba4/Domain_Member (but skipping the enabling nss_winbind step?) serving everything else? Thanks, Alex -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Is nss_winbind required?
On 09/05/2013 09:56, Andrew Bartlett wrote: On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote: On 09/05/2013 04:00, Andrew Bartlett wrote: On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote: Hi all, Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid->username code). If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work? Please note this last test shows that it is not the nss_winbind module that it slow it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happen very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also. The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things. I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff. Andrew Bartlett I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue! So, are you saying that I can split the system into one AD DC serving home directories (with nss_windbind enabled) and all other files being served from a different AD DC with nss_winbind disabled. I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference? Making it a member server and a DC would be the better combination. Andrew Bartlett Sorry, could you elaborate slightly? Thanks, Alex -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Is nss_winbind required?
On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote: > On 09/05/2013 04:00, Andrew Bartlett wrote: > > On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote: > >> Hi all, > >> > >> Is it a necessity to use the winbind nss module? > >> I have run a few tests and having it enabled creates a massive > >> bottleneck. It's not nss_winbind itself that is the bottleneck but > >> something in the background (I'm guessing uid/rid->username code). > >> If I disable winbind in nsswitch.conf what impact will it have? Will the > >> system continue to work? > >> Please note this last test shows that it is not the nss_winbind module > >> that it slow it is something 'behind the scenes'. > >> Also note that this is not just applicable to the sysvolreset (it was > >> just a convenient method of testing). Copying a directory consisting of > >> many small files (eg a windows roaming profile) can be excruciatingly > >> slow! 50s+ for a 50mb folder! > >> I am sure that it is not a network or drive limitation, copying the > >> folder locally and via NFS happen very quickly and copying the same > >> folder from a standalone S3 install on the same hardware is 'fast' also. > > The issue is that the winbind in the Samba 4.0 AD DC is incredibly > > inefficient. It is required for the [homes] share to work, but we try > > to avoid needing it for other things. > > > > I understand this is incredibly frustrating, but what this highlights is > > that we really, really need to start on the project to replace it with > > running the winbindd code from source3. The challenge is that this is a > > lot of work, which will cause disruption in other parts of the system as > > we generalise stuff and add the plugins we need to hook into the AD DC. > > > > I'm increasingly of the view that this will need to be a priority soon, > > but it's still hard to get stuck into this stuff. > > > > Andrew Bartlett > > > I see, I had figured it would be something along those lines. I for one, > would love to see this pushed up the todo list! It seems like quite a > large issue! > > So, are you saying that I can split the system into one AD DC serving > home directories (with nss_windbind enabled) and all other files being > served from a different AD DC with nss_winbind disabled. I appreciate > this makes seeing permissions on linux that bit more tricky, but seeing > as there aren't any real tools for manipulating them yet it's only a > nicety. Would it make much of a difference? Making it a member server and a DC would be the better combination. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Is nss_winbind required?
On 09/05/2013 04:00, Andrew Bartlett wrote: On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote: Hi all, Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid->username code). If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work? Please note this last test shows that it is not the nss_winbind module that it slow it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happen very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also. The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things. I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff. Andrew Bartlett I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue! So, are you saying that I can split the system into one AD DC serving home directories (with nss_windbind enabled) and all other files being served from a different AD DC with nss_winbind disabled. I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference? Thanks, Alex -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Is nss_winbind required?
On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote: > Hi all, > > Is it a necessity to use the winbind nss module? > I have run a few tests and having it enabled creates a massive > bottleneck. It's not nss_winbind itself that is the bottleneck but > something in the background (I'm guessing uid/rid->username code). > If I disable winbind in nsswitch.conf what impact will it have? Will the > system continue to work? > Please note this last test shows that it is not the nss_winbind module > that it slow it is something 'behind the scenes'. > Also note that this is not just applicable to the sysvolreset (it was > just a convenient method of testing). Copying a directory consisting of > many small files (eg a windows roaming profile) can be excruciatingly > slow! 50s+ for a 50mb folder! > I am sure that it is not a network or drive limitation, copying the > folder locally and via NFS happen very quickly and copying the same > folder from a standalone S3 install on the same hardware is 'fast' also. The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things. I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
