[Freeipa-users] Another patch for ipa-sam: Excessive LDAP calls by ipa-sam during file operations

Jason Woods devel at jasonwoods.me.uk
Sun Mar 9 17:42:28 UTC 2014


Hi,

A follow-up from my previous email regarding my patch for ipa-sam to fix "valid users = " group references in the samba server that comes with ipa-server-trust-ad.
(Found here: https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html )

I noticed that ns-slapd CPU was excessive during multi-file copies (like a git repository with thousands of files.)
Debug level 10 logs showed ipa-sam was performing multiple LDAP queries per file. One for the user and others for the groups. Specifically in order to perform gid/uid<->sid lookups.

I've pre-empted and raised as a bug with a proposed patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

It does a few things:
1. idmap caching so the LDAP calls are significantly reduced
2. when a gid lookup is received for the primary user group (so where gid==uid), properly reflect the behaviour of the initial lookup that happens during init by returning the Default SMB Group fallback group
3. don't bother with an LDAP call for uidNumber=0 (root) - since it never will exist in FreeIPA according to my research
My CPU for ns-slapd is now 0. And file copies are much better and more like normal.

This seems to fix all issues for me at the moment - and I guess all that remains to do is extra features to make it more like the ldapsam.
It also looks like all that is needed to get the ipa-sam.so to work without a FreeIPA master local is to allow the service principal access to the ipaNTHash attribute. However, I can't see any current aci referring to principals at the moment or even grouping of them into types - probably because I'm taking the wrong thought-path - but if anyone would like to discuss this, that would be great.

Hope the patch helps!

Thanks,

Jason
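The three changes listed in the mail (an idmap cache in front of the directory, the Default SMB Group fallback for the user-private group where gid==uid, and no lookup at all for uid 0) can be illustrated with a small stand-alone model. The following C is an added example written for this page; it is not the ipa-sam patch from the Bugzilla entry or Samba's passdb code. The `ldap_search` function is a constructed stand-in for the directory with a call counter, the user/group tables and SIDs are constructed sample values, `DEFAULT_SMB_GROUP_SID` is a placeholder, and the cache, `uid_to_sid` and `gid_to_sid` names are hypothetical. The counter makes the effect visible: repeated lookups for the same id cost one backend search, not one per file.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample directory standing in for the LDAP backend
 * (sample ids and SIDs, not data from a FreeIPA server). */
struct dir_entry { uint32_t id; const char *sid; };

static const struct dir_entry sample_users[] = {
    { 1001, "S-1-5-21-11-22-33-1001" },
    { 1002, "S-1-5-21-11-22-33-1002" },
};
static const struct dir_entry sample_groups[] = {
    { 2000, "S-1-5-21-11-22-33-2000" },
};
/* Placeholder SID for the "Default SMB Group" fallback the mail refers to. */
static const char *DEFAULT_SMB_GROUP_SID = "S-1-5-21-11-22-33-513";

/* Number of simulated LDAP searches issued so far. */
static int ldap_calls;
int backend_calls(void) { return ldap_calls; }
void reset_backend_calls(void) { ldap_calls = 0; }

/* Simulated LDAP search: every call counts as one round trip to ns-slapd. */
static const char *ldap_search(const struct dir_entry *tab, size_t n, uint32_t id)
{
    ldap_calls++;
    for (size_t i = 0; i < n; i++)
        if (tab[i].id == id)
            return tab[i].sid;
    return NULL;
}
#define SEARCH(tab, id) ldap_search((tab), sizeof(tab) / sizeof((tab)[0]), (id))

/* Direct-mapped idmap cache: (kind, id) -> SID, or NULL for a cached miss.
 * Negative results are cached too, so an unknown id also costs one search. */
enum id_kind { ID_UID = 0, ID_GID = 1 };
struct cache_entry { bool used; enum id_kind kind; uint32_t id; const char *sid; };
#define CACHE_SLOTS 64
static struct cache_entry cache[CACHE_SLOTS];

static struct cache_entry *cache_slot(enum id_kind kind, uint32_t id)
{
    return &cache[(id * 2u + (uint32_t)kind) % CACHE_SLOTS];
}

static bool cache_get(enum id_kind kind, uint32_t id, const char **sid)
{
    struct cache_entry *e = cache_slot(kind, id);
    if (!e->used || e->kind != kind || e->id != id)
        return false;
    *sid = e->sid;
    return true;
}

static void cache_put(enum id_kind kind, uint32_t id, const char *sid)
{
    struct cache_entry *e = cache_slot(kind, id);   /* collision just evicts */
    e->used = true; e->kind = kind; e->id = id; e->sid = sid;
}

void cache_flush(void) { memset(cache, 0, sizeof cache); }

/* uid -> SID: rule 3 (uid 0 never exists in FreeIPA, skip the directory),
 * then rule 1 (serve from cache, fall back to one search and remember it). */
const char *uid_to_sid(uint32_t uid)
{
    const char *sid;
    if (uid == 0)
        return NULL;
    if (cache_get(ID_UID, uid, &sid))
        return sid;
    sid = SEARCH(sample_users, uid);
    cache_put(ID_UID, uid, sid);
    return sid;
}

/* gid -> SID: same cache; rule 2 says a gid that is really a user's private
 * group (gid == uid) maps to the Default SMB Group fallback instead of a
 * second directory round trip per file. */
const char *gid_to_sid(uint32_t gid)
{
    const char *sid, *usid;
    if (gid == 0)
        return NULL;
    if (cache_get(ID_GID, gid, &sid))
        return sid;
    sid = SEARCH(sample_groups, gid);
    if (sid == NULL) {
        /* Not a real group: is it a user-private group? Reuse the uid cache. */
        if (!cache_get(ID_UID, gid, &usid)) {
            usid = SEARCH(sample_users, gid);
            cache_put(ID_UID, gid, usid);
        }
        if (usid != NULL)
            sid = DEFAULT_SMB_GROUP_SID;
    }
    cache_put(ID_GID, gid, sid);
    return sid;
}

int main(void)
{
    /* Simulate stat()-style lookups for many files owned by the same user. */
    for (int i = 0; i < 1000; i++) {
        uid_to_sid(1001);
        gid_to_sid(1001);
    }
    printf("1000 files, %d directory searches\n", backend_calls());
    return 0;
}
```

Without the cache, the loop in `main` would issue two searches per file; with it the count stays at two in total, which is the shape of the CPU drop the mail reports.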