Switching from TDB storage to LMDB storage
As of Samba 4.9, the domain controller can be configured to store its data in LMDB format instead of TDB format. TDB is a 32-bit key/value library implementation, which limits the size of the database to 4GB. To get around this limitation, the Samba project has developed a new storage backend based on the LMDB library, which is 32-bit and 64-bit compatible and allows this limit to be raised. The LMDB library was developed within the OpenLDAP project.
If you plan to store large objects (photos, etc.) or if the Active Directory will contain many users (100k or more), it is preferable to change the storage mode to LMDB.
There is currently no way to directly convert a TDB database to LMDB. To convert a domain controller to LMDB, it is necessary to demote it and join it back to the domain.
Switching a domain controller to LMDB mode
Note
In the documentation below, we assume that the machines have been installed following the recommendations given in this documentation, notably those on the DNS configuration for RedHat8 and derived distributions or for Debian, and on krb5.conf for RedHat8 and derived distributions or for Debian.
Note
Check beforehand that the domain controller does not hold any FSMO roles, otherwise move the FSMO roles to another domain controller before updating to LMDB.
In the documentation below, we call srvads-lmdb the AD server to switch to LMDB.
On the TDB domain controller to be switched to LMDB, save the database and turn off Samba:
yum install lmdb
samba-tool fsmo show
systemctl stop samba
rsync -aPAX /var/lib/samba /root/samba_backup_20191107/
rm -Rf /var/lib/samba/*
mkdir /var/lib/samba/private
On the FSMO PDC domain controller, demote the domain controller to be switched:
samba-tool domain demote --remove-other-dead-server=srvads-lmdb
Ensure that the demote has been propagated to all other domain controllers. To do this, you can run the following command on all the controllers with your favorite automation tool:
ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=srvads-lmdb'
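The FSMO check from the note above and this propagation check can both be scripted. The following is an added example, not part of the original documentation: it parses the output of samba-tool fsmo show and of the ldbsearch command above. The function names, the DC name srvads1 and the sample outputs are constructed, and it assumes ldbsearch ends its output with a "# N entries" summary line.

```shell
#!/bin/sh
# Added example: checks around the demote step. Function names, the DC name
# srvads1 and the sample outputs are constructed for illustration.

# stdin: output of `samba-tool fsmo show`; $1: DC host name.
# Prints the roles that DC owns; returns 0 if it owns any (do NOT demote yet).
fsmo_roles_held() {
    awk -v dc="$1" '
        / owner: / {
            # Owner DN starts with CN=NTDS Settings,CN=<DC>,... ; the trailing
            # comma stops srvads-lmdb from matching srvads-lmdb2.
            if (index(tolower($0), "cn=ntds settings,cn=" tolower(dc) ",")) {
                print $1; held = 1
            }
        }
        END { exit (held ? 0 : 1) }'
}

# stdin: output of the ldbsearch command from the page, run on one DC.
# Returns 0 only if the "# N entries" summary is present and N is 0.
demote_propagated() {
    entries=$(sed -n 's/^# \([0-9][0-9]*\) entries$/\1/p' | tail -n 1)
    # A missing summary means ldbsearch failed: treat as "not propagated".
    [ -n "$entries" ] && [ "$entries" -eq 0 ]
}

# Constructed sample outputs (not captured from a real domain).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=SRVADS1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRVADS-LMDB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'
SAMPLE_STALE='# record 1
dn: CN=SRVADS-LMDB,OU=Domain Controllers,DC=mydomain,DC=lan
cn: SRVADS-LMDB

# returned 1 records
# 1 entries
# 0 referrals'
SAMPLE_CLEAN='# returned 3 records
# 0 entries
# 3 referrals'

# Demo on the samples; on a real DC pipe the actual command output instead,
# e.g.  samba-tool fsmo show | fsmo_roles_held srvads-lmdb
if printf '%s\n' "$SAMPLE_FSMO" | fsmo_roles_held srvads-lmdb; then
    echo "srvads-lmdb still owns the role(s) above: transfer them first"
fi
printf '%s\n' "$SAMPLE_STALE" | demote_propagated || echo "stale: object still present"
printf '%s\n' "$SAMPLE_CLEAN" | demote_propagated && echo "clean: demote propagated"
```

The check counts entries rather than returned records because referrals are also counted as records, so a clean controller can still report a non-zero record count.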
Once the deletion has been propagated to all domain controllers, the domain controller can be re-joined in LMDB mode. When joining, the size of the LMDB database can be changed with the parameter --backend-store-size, here set to 16GB (the default value is 8GB):
samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN --backend-store=mdb --backend-store-size=16Gb
systemctl restart samba
samba_dnsupdate --verbose
samba_kcc