On Fri, Feb 16, 2007 at 05:31:05PM +0100, ZIGLIO, Frediano, VF-IT wrote:
> I installed samba on a large Active Directory. All is working, I use
> winbind in pam and everything is working.
> However, sometimes it just hangs for a while (say 20 seconds) and then goes
> on without problems.
> Currently I increased "winbind cache time" to mitigate the problem.
> There are mainly two situations where this hang occurs
> 1- login
> 2- ls -l
> 3- groups
> I tried to analyze the problem a bit more deeply. The hang with case 2 occurs
> every 2/3 minutes (without "winbind cache time") so I launched a strace
> on winbind and when ls -l hangs I see a lot of LDAP queries!!! Then I
> launched tcpdump on the LDAP port and strace and retried the ls -l test.
> Now I do an ls -l in my home directory. My user is an AD user of a
> "DOMAIN\Domain Users" main group so ls -l says something like
> -rw-r--r-- 1 user Domain Users 1234 Xxx XX 2005 file.txt
> ls -ln:
> -rw-r--r-- 1 16804756 16777217 1234 Xxx XX 2005 file.txt
> So ls -l should ask which user is 16804756 and which group is 16777217.
> Winbind should (IMHO) get the SIDs of 16804756 and 16777217 from the local cache,
> then check if the names are updated in the cache and update if necessary. The
> problem is that winbind does not simply check for the 16777217 name, but when
> the group changes it dumps a lot of other information like users in the group and
> then for each user in the group it asks for information. Now all users
> in AD (I know it is ugly but I don't manage AD) have Domain Users as the
> main group so it takes very long to get the list of all users and update every
> user. It would be better (at least for my case) that winbind just gets the
> group name and marks "the member list is not correct".
> Is anybody working in this direction? Can I help you in some way?
We already have fixes for this in the SAMBA_3_0_25 tree.
If you're willing to experiment then you could try the
SVN code to see if it fixes the issue.