winbind very slow with large AD groups

Solution Unverified - Updated -

Issue

  • Running the "id" or "groups" command for a user who belongs to a group with 20000 users takes over 20 seconds to complete. Lookups are then fast for 10 minutes (the time configured for 'winbind cache timeout'), after which they are slow again. ltrace shows that the long calls are from getgrgid(), which apparently queries LDAP for all the members of the group; this takes a long time (and generates a lot of traffic).

  • As a rough idea: an "ls -l" command can cause hiccups or a delay of a few seconds in the directory listing, while the "id" command can take some 30 or 40 seconds to print its result.

Environment

  • Red Hat Enterprise Linux 5.2
  • Red Hat Enterprise Linux 6.3
  • samba 3.6.9-151
