[Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run cpu to 100%

David Touzeau david at touzeau.eu
Mon Oct 1 03:23:59 MDT 2012 


-----Original Message----- 
From: Rowland Penny
Sent: Sunday, September 30, 2012 5:49 PM
To: samba at lists.samba.org
Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run 
cpu to 100%

On 30/09/12 16:36, David Touzeau wrote:
> I have created a ticket on bugtrack
> https://bugzilla.samba.org/show_bug.cgi?id=9226
>
>
> -----Original Message----- From: Rowland Penny
> Sent: Saturday, September 29, 2012 10:21 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process 
> run cpu to 100%
>
> On 29/09/12 20:31, David Touzeau wrote:
>> nsswitch as been changed to
>>
>> passwd:         files ldap winbind
>> group:          files ldap winbind
>> shadow:         files ldap winbind
>>
>> But lsass.exe still run at 100% cpu and winbind still want to parse the 
>> full AD
>> I think i will create a ticket on the tracker because we have removed 
>> winbind from the nsswitch:
>>
>> passwd:         files ldap
>> group:          files ldap
>> shadow:         files ldap
>>
>> and lsass.exe still run at 100%
>> When stopping winbindd
>> lsass.exe is down to 0%
>>
>> From: Heather Choi
>> Sent: Saturday, September 29, 2012 4:26 PM
>> To: David Touzeau
>> Cc: mario.codeniera at gmail.com ; samba at lists.samba.org
>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process 
>> run cpu to 100%
>>
>> manpages of nssswitch:  compat support `+/-' in the ``passwd'' and 
>> ``group'' databases. If this is present, it must be the only source for 
>> that entry. Database Default source list group compat group_compat nis 
>> hosts files dns netgroup files [notfound=return] nis passwd compat 
>> passwd_compat nis
>> On 09/29/2012 05:03 AM, David Touzeau wrote:
>> Thanks Heather Choi
>>
>> But in my nsswitch i have
>>
>> passwd:         compat ldap winbind
>> group:          compat ldap winbind
>> shadow:         compat ldap winbind
>>
>> As compat is and advanced "files" method...
>> So my nsswitch is compatible with your suggest...?
>>
>>
>> -----Original Message----- From: Heather Choi
>> Sent: Saturday, September 29, 2012 4:52 AM
>> To: mario.codeniera at gmail.com
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process 
>> run cpu to 100%
>>
>> You definitely should have "files" placed *before* winbind of passwd,
>> group and shadow, like:
>>
>> passwd:     files winbind
>> shadow:     files winbind
>> group:      files winbind
>>
>> Otherwise, you will be hitting AD a whole ton for localized users and
>> definitely root with services running.
>>
>> On 09/27/2012 02:00 AM, David Touzeau wrote:
>> Dear
>> I have connected samba 3.6.8 to my Active Directory in the lsass.exe run 
>> to 100%
>> When stopping winbind the lsass.exe CPU is down to 0%
>> When set winbindd to debug mode, it seems it try to scan the root user 
>> every time.
>> I would to know how to ban nsswitch to query winbindd for system internal 
>> users such has root, apache.....
>>
>> Here it is my nsswitch.conf :
>>
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, 
>> try:
>> # `info libc "Name Service Switch"' for information about this file.
>> bind_policy soft
>>
>> passwd:         compat ldap winbind
>> group:          compat ldap winbind
>> shadow:         compat ldap winbind
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> netmasks:       files
>> netgroup:       files nis
>> publickey:      files
>> bootparams:     files
>> aliases:        files
>> automount:      ldap files
>>
>> Attached file is the winbindd debug mode:
>>
>>
>>
>>
> Hi, you say that you have connected samba 3.6.8 to your Active
> Directory, How? and where does ldap come into it.
> If you join a samba 3.6 machine to Active Directory, you only need
> winbind to be added to nsswitch.conf
>
> Rowland
>
>
Hi again, now that I have seen your smb.conf on the bug link you posted,
try removing the ldap entries from /etc/nsswitch.conf , you do not need
them, you are not using ldap.

Rowland


hi
Removing LDAP did not change any behavior...

david

More information about the samba mailing list