Hi,

A follow-up from my previous email regarding my patch for ipa-sam to fix "valid users = " group references in the Samba server that comes with ipa-server-trust-ad. (Found here: https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html )

I noticed that ns-slapd CPU was excessive during multi-file copies (like a git repository with thousands of files). Debug level 10 logs showed ipa-sam was performing multiple LDAP queries per file: one for the user and others for the groups, specifically in order to perform gid/uid<->sid lookups. I've pre-empted and raised this as a bug with a proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1074314

It does a few things:

1. idmap caching, so the LDAP calls are significantly reduced
2. when a gid lookup is received for the primary user group (so where gid==uid), properly reflect the behaviour of the initial lookup that happens during init by returning the Default SMB Group fallback group
3. don't bother with an LDAP call for uidNumber=0 (root), since it never will exist in FreeIPA according to my research

My CPU for ns-slapd is now 0, and file copies are much better and more like normal. This seems to fix all issues for me at the moment, and I guess all that remains to do is extra features to make it more like the ldapsam.

It also looks like all that is needed to get the ipa-sam.so to work without a FreeIPA master local is to allow the service principal access to the ipaNTHash attribute. However, I can't see any current aci referring to principals at the moment, or even grouping of them into types. Probably because I'm taking the wrong thought-path, but if anyone would like to discuss this that would be great.

Hope the patch helps!

Thanks,
Jason

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
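As an added illustration (this is not the patch from the bug report nor ipa-sam code; the class, the directory contents and the fallback SID are all constructed), a Python model of the three behaviours described in the mail, counting simulated LDAP round trips for a multi-file copy with and without the cache:

```python
"""Constructed model of the three idmap changes described in the mail:
caching, primary-group (gid == uid) fallback, and skipping uidNumber=0.
Not the ipa-sam patch itself; every name here is hypothetical."""

# Constructed placeholder for the "Default SMB Group" fallback SID.
DEFAULT_SMB_GROUP_SID = "S-1-5-21-0-0-0-513"

# Constructed stand-in for the directory: (attribute, number) -> SID.
# uid 1000 has a private primary group (gid 1000) with no group object.
DIRECTORY = {
    ("uidNumber", 1000): "S-1-5-21-0-0-0-1000",
    ("gidNumber", 2000): "S-1-5-21-0-0-0-2000",
}


class IdmapResolver:
    def __init__(self, caching=True):
        self.caching = caching
        self.ldap_calls = 0          # counts simulated LDAP round trips
        self._cache = {}             # (attribute, number) -> SID or None

    def _ldap_lookup(self, attribute, number):
        self.ldap_calls += 1
        return DIRECTORY.get((attribute, number))

    def _resolve(self, attribute, number):
        sid = self._ldap_lookup(attribute, number)
        if sid is None and attribute == "gidNumber":
            # No group object: if a user with uidNumber == gid exists, this is
            # the user's primary group, so hand back the fallback group SID.
            if self.id_to_sid("uidNumber", number) is not None:
                return DEFAULT_SMB_GROUP_SID
        return sid

    def id_to_sid(self, attribute, number):
        if attribute == "uidNumber" and number == 0:
            return None               # root never exists in FreeIPA: no LDAP call
        key = (attribute, number)
        if not self.caching or key not in self._cache:
            self._cache[key] = self._resolve(attribute, number)  # negatives cached too
        return self._cache[key]


def copy_tree(resolver, files):
    """Resolve owner and group SIDs for every (uid, gid) pair of a file list."""
    return [(resolver.id_to_sid("uidNumber", uid),
             resolver.id_to_sid("gidNumber", gid)) for uid, gid in files]
```

With the cache on, a thousand files owned by uid 1000 cost two round trips in total; with it off, every file costs three.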
