[Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run cpu to 100%

hceuterpe at gmail.com hceuterpe at gmail.com
Mon Oct 1 17:03:33 MDT 2012 

1500 users may qualify your environment as a "large"  domain.  Try setting
the winbind group enumeration to " no"...
On Oct 1, 2012 4:24 AM, "David Touzeau" <david at touzeau.eu> wrote:

>
>
> -----Original Message----- From: Rowland Penny
> Sent: Sunday, September 30, 2012 5:49 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process
> run cpu to 100%
>
> On 30/09/12 16:36, David Touzeau wrote:
>
>> I have created a ticket on bugtrack
>> https://bugzilla.samba.org/**show_bug.cgi?id=9226<https://bugzilla.samba.org/show_bug.cgi?id=9226>
>>
>>
>> -----Original Message----- From: Rowland Penny
>> Sent: Saturday, September 29, 2012 10:21 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process
>> run cpu to 100%
>>
>> On 29/09/12 20:31, David Touzeau wrote:
>>
>>> nsswitch as been changed to
>>>
>>> passwd:         files ldap winbind
>>> group:          files ldap winbind
>>> shadow:         files ldap winbind
>>>
>>> But lsass.exe still run at 100% cpu and winbind still want to parse the
>>> full AD
>>> I think i will create a ticket on the tracker because we have removed
>>> winbind from the nsswitch:
>>>
>>> passwd:         files ldap
>>> group:          files ldap
>>> shadow:         files ldap
>>>
>>> and lsass.exe still run at 100%
>>> When stopping winbindd
>>> lsass.exe is down to 0%
>>>
>>> From: Heather Choi
>>> Sent: Saturday, September 29, 2012 4:26 PM
>>> To: David Touzeau
>>> Cc: mario.codeniera at gmail.com ; samba at lists.samba.org
>>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process
>>> run cpu to 100%
>>>
>>> manpages of nssswitch:  compat support `+/-' in the ``passwd'' and
>>> ``group'' databases. If this is present, it must be the only source for
>>> that entry. Database Default source list group compat group_compat nis
>>> hosts files dns netgroup files [notfound=return] nis passwd compat
>>> passwd_compat nis
>>> On 09/29/2012 05:03 AM, David Touzeau wrote:
>>> Thanks Heather Choi
>>>
>>> But in my nsswitch i have
>>>
>>> passwd:         compat ldap winbind
>>> group:          compat ldap winbind
>>> shadow:         compat ldap winbind
>>>
>>> As compat is and advanced "files" method...
>>> So my nsswitch is compatible with your suggest...?
>>>
>>>
>>> -----Original Message----- From: Heather Choi
>>> Sent: Saturday, September 29, 2012 4:52 AM
>>> To: mario.codeniera at gmail.com
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process
>>> run cpu to 100%
>>>
>>> You definitely should have "files" placed *before* winbind of passwd,
>>> group and shadow, like:
>>>
>>> passwd:     files winbind
>>> shadow:     files winbind
>>> group:      files winbind
>>>
>>> Otherwise, you will be hitting AD a whole ton for localized users and
>>> definitely root with services running.
>>>
>>> On 09/27/2012 02:00 AM, David Touzeau wrote:
>>> Dear
>>> I have connected samba 3.6.8 to my Active Directory in the lsass.exe run
>>> to 100%
>>> When stopping winbind the lsass.exe CPU is down to 0%
>>> When set winbindd to debug mode, it seems it try to scan the root user
>>> every time.
>>> I would to know how to ban nsswitch to query winbindd for system
>>> internal users such has root, apache.....
>>>
>>> Here it is my nsswitch.conf :
>>>
>>> #
>>> # Example configuration of GNU Name Service Switch functionality.
>>> # If you have the `glibc-doc-reference' and `info' packages installed,
>>> try:
>>> # `info libc "Name Service Switch"' for information about this file.
>>> bind_policy soft
>>>
>>> passwd:         compat ldap winbind
>>> group:          compat ldap winbind
>>> shadow:         compat ldap winbind
>>>
>>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>> netmasks:       files
>>> netgroup:       files nis
>>> publickey:      files
>>> bootparams:     files
>>> aliases:        files
>>> automount:      ldap files
>>>
>>> Attached file is the winbindd debug mode:
>>>
>>>
>>>
>>>
>>>  Hi, you say that you have connected samba 3.6.8 to your Active
>> Directory, How? and where does ldap come into it.
>> If you join a samba 3.6 machine to Active Directory, you only need
>> winbind to be added to nsswitch.conf
>>
>> Rowland
>>
>>
>>  Hi again, now that I have seen your smb.conf on the bug link you posted,
> try removing the ldap entries from /etc/nsswitch.conf , you do not need
> them, you are not using ldap.
>
> Rowland
>
>
> hi
> Removing LDAP did not change any behavior...
>
> david
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>

More information about the samba mailing list