[Samba] Winbind lookup performance

Redhat 5.2 x86_64
samba-3.0.28-0.el5.8

My system is fully AD integrated, the only issue I have is that when I look up a users group (id, groups, etc.) it takes forever.  This is causing issues due to the fact that I have pam policies in place to allow only users from a specific groups to log in, sudo and/or su.  When the cache expires, it can take over 2 minutes to perform the lookup.  I'm sure it doesn't help that my AD user account is a member of 120 different groups.  I would imagine that if I could use a custom, more exclusive LDAP filter for the winbind module I could improve performance, but I don't believe that option is available.

Is there a way for speeding up the lookup process?

Thanks

[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 3
        max log size = 4192
        large readwrite = No
        max xmit = 65535
        client signing = Yes
        server signing = Yes
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY TCP_NODELAY
        printcap name = cups
        preferred master = No
        idmap domains = DOMAIN
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap cache time = 302400
        idmap negative cache time = 600
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 1800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = No
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind normalize names = Yes
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:range = 5000-9999999
        idmap config DOMAINN:cache time = 1800
        idmap alloc config:range = 4000 - 4999




--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

----- Original Message ----
From: Matthew J. Salerno <vagabond_king.RemoveThis@yahoo.com>
To: samba.RemoveThis@lists.samba.org
Sent: Thu, October 22, 2009 1:19:59 PM
Subject: [Samba] Winbind lookup performance

Redhat 5.2 x86_64
samba-3.0.28-0.el5.8

My system is fully AD integrated, the only issue I have is that when I look up a users group (id, groups, etc.) it takes forever.  This is causing issues due to the fact that I have pam policies in place to allow only users from a specific groups to log in, sudo and/or su.  When the cache expires, it can take over 2 minutes to perform the lookup.  I'm sure it doesn't help that my AD user account is a member of 120 different groups.  I would imagine that if I could use a custom, more exclusive LDAP filter for the winbind module I could improve performance, but I don't believe that option is available.

Is there a way for speeding up the lookup process?

Thanks

[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 3
        max log size = 4192
        large readwrite = No
        max xmit = 65535
        client signing = Yes
        server signing = Yes
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY TCP_NODELAY
        printcap name = cups
        preferred master = No
        idmap domains = DOMAIN
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap cache time = 302400
        idmap negative cache time = 600
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 1800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = No
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind normalize names = Yes
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:range = 5000-9999999
        idmap config DOMAINN:cache time = 1800
        idmap alloc config:range = 4000 - 4999



     
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



I removed winbind enum users = Yes and winbind enum groups = Yes and it seems to be much faster.  Now I just need ot make sure everything else is still working as expected.



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba