Large Active Directory Env Configuration

Status
Not open for further replies.

mhaught

Cadet
Joined
Jan 12, 2012
Messages
2
I have been using FreeNAS 8 (8.0.3) in a large Active Directory environment and have had to make some changes to the configuration to make FreeNAS usable. We have over 108,000 users and with this many users FreeNAS is unusable in its current form.

One of the problems is with winbindd_cache.tdb. It will grow to over 500MB and with the additional copies (.bak and .bak.old), it will easily fill /var/tmp/.cache.
To work around this, I create a "samba_db" dataset on my ZFS volume and within the CIFS Services I add the Auxiliary parameters "cache directory = /mnt/myvolume/samba_db".

With so many users, winbindd will just sit there eating CPU for hours, signal 6 constantly, and cause the GUI to time out for just about every function, making changing anything impossible. User lookups from the terminal will time out, and cron jobs will get backed up and fail.
To work around this, I add in the CIFS Services the Auxiliary parameters "winbind enum users = no" and "winbind enum groups = no". Once added, winbind works properly, GUI works, and user lookups do not time out. I have not seen any negatives from this change yet.

I also add "winbind use default domain = yes" to the CIFS Services Auxiliary parameters. This keeps you from having to give YOURDOMAIN\username. Without it my AD users were having to give their credentials. I can't confirm that this is responsible, but before adding this my winbindd_cache.tdb would grow to over 1.5GB (x3 if you include the .bak and .bak.old).

Anyone else have any tips?
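
The winbindd_cache.tdb growth described in the post above can be watched with a small size check on the cache directory. This is an added example, not part of the original post or of FreeNAS; the function names, the `winbindd_cache.tdb*` glob used to catch the .bak copies, and the limit value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the limit are
# assumptions; the glob is assumed to match winbindd_cache.tdb and its
# .bak / .bak.old copies.

# tdb_cache_kb DIR: print total apparent size (KiB) of the winbind cache files.
tdb_cache_kb() {
    tc_total=0
    for tc_f in "$1"/winbindd_cache.tdb*; do
        [ -f "$tc_f" ] || continue          # unmatched glob or non-file
        tc_bytes=$(wc -c < "$tc_f")
        tc_total=$((tc_total + (tc_bytes + 1023) / 1024))
    done
    echo "$tc_total"
}

# check_winbind_cache DIR LIMIT_KB
# Returns 0 if the cache files are within LIMIT_KB, 1 if over, 2 if DIR is missing.
check_winbind_cache() {
    cw_dir=$1
    cw_limit=$2
    if [ ! -d "$cw_dir" ]; then
        echo "UNKNOWN: $cw_dir is not a directory"
        return 2
    fi
    cw_used=$(tdb_cache_kb "$cw_dir")
    # Column 4 of POSIX-format df is the space still available, in KiB.
    cw_free=$(df -Pk "$cw_dir" | awk 'NR==2 {print $4}')
    if [ "$cw_used" -gt "$cw_limit" ]; then
        echo "WARN: winbind cache ${cw_used} KiB > ${cw_limit} KiB (free: ${cw_free:-?} KiB)"
        return 1
    fi
    echo "OK: winbind cache ${cw_used} KiB, ${cw_free:-?} KiB free in $cw_dir"
    return 0
}

# Usage: sh check.sh /mnt/myvolume/samba_db 1048576
if [ "$#" -eq 2 ]; then
    check_winbind_cache "$1" "$2"
fi
```

Run from cron, the non-zero exit status gives a warning before the cache files fill the directory they live in.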
 
gcooper

Guest
Here's a ticket that I've opened to track the issue: http://support.freenas.org/ticket/1177 .

I'm bumping the default back to 1.5g in 8.0.3-RELEASE-p1 based on user feedback, but if you need to change the value, look for 'FREENAS_CACHESIZE' and change the value to something higher, e.g. 2g, 3g, etc. Please note that this isn't maintained across upgrades and you'll need to change /conf/base/etc/rc.freenas .
 

Brand

Moderator
Joined
May 27, 2011
Messages
142
We have over 108,000 users and with this many users FreeNAS is unusable in its current form.

Is FreeNAS designed to work in an environment of that scale? With an environment that large, wouldn't using the full-featured operating system have many more advantages and be more ideal?

FreeNAS 8 works but not what I would call ready for the enterprise.
 

mhaught

Cadet
Joined
Jan 12, 2012
Messages
2
I guess I should clarify. When I say we have over 100k users, I am speaking about users in the AD environment, not users of this single FreeNAS box. It is being used nicely for a department of a hundred or so.

In a way I am trying to use FreeNAS *in* an enterprise rather than *for* the enterprise.

The changes needed to run FreeNAS in an environment like this are seemingly small. All of the current problems we are having boil down to the memory disks being too small for the caches and samba tdbs.
 

denyson

Cadet
Joined
May 14, 2013
Messages
1
I just read your post about running FreeNAS on a large Active Directory domain. We are running a TrueNAS, which is the enterprise version of FreeNAS, and we are having problems with users not being able to authenticate to the domain and losing access to their mapped drives. We have a single TrueNAS server that the users log in to, and we replicate that server to another TrueNAS in a different building. We have the enterprise support with iXsystems but those guys have not been able to figure out a solution to that problem.
We got the network team here involved and monitored all the connections to those 2 TrueNAS servers, and we were able to verify that the box does not lose network connection with our domain controllers. When the problem happens we are able to ping the domain controllers from the TrueNAS server, but when we do a wbinfo -t we get unable to find our domain. To fix the problem we have to rebuild the LDAP cache and restart the Active Directory services and the CIFS services, and then the users can log in again. This happens every couple of months. I think the winbindd_cache is getting full and that's when this happens, and by rebuilding the LDAP cache we reset the winbindd_cache. Anyone else here having this problem? How big is your Active Directory domain?
 