[Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run cpu to 100%

David Touzeau david at touzeau.eu
Sat Sep 29 13:31:40 MDT 2012


nsswitch has been changed to

passwd:         files ldap winbind
group:          files ldap winbind
shadow:         files ldap winbind

But lsass.exe still runs at 100% CPU and winbind still wants to parse the full AD.
I think I will create a ticket on the tracker because we have removed 
winbind from the nsswitch:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

and lsass.exe still runs at 100%.
When stopping winbindd, lsass.exe is down to 0%.

From: Heather Choi
Sent: Saturday, September 29, 2012 4:26 PM
To: David Touzeau
Cc: mario.codeniera at gmail.com ; samba at lists.samba.org
Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run 
cpu to 100%

manpages of nsswitch:  compat support `+/-' in the ``passwd'' and ``group'' 
databases. If this is present, it must be the only source for that entry. 

Database        Default source list
group           compat
group_compat    nis
hosts           files dns
netgroup        files [notfound=return] nis
passwd          compat
passwd_compat   nis

On 09/29/2012 05:03 AM, David Touzeau wrote:
Thanks Heather Choi

But in my nsswitch I have

passwd:         compat ldap winbind
group:          compat ldap winbind
shadow:         compat ldap winbind

As compat is an advanced "files" method...
So my nsswitch is compatible with your suggestion...?


-----Original Message----- From: Heather Choi
Sent: Saturday, September 29, 2012 4:52 AM
To: mario.codeniera at gmail.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run 
cpu to 100%

You definitely should have "files" placed *before* winbind of passwd,
group and shadow, like:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

Otherwise, you will be hitting AD a whole ton for localized users and
definitely root with services running.

On 09/27/2012 02:00 AM, David Touzeau wrote:
Dear
I have connected Samba 3.6.8 to my Active Directory and the lsass.exe runs to 
100%.
When stopping winbind, the lsass.exe CPU is down to 0%.
When winbindd is set to debug mode, it seems it tries to scan the root user every 
time.
I would like to know how to ban nsswitch from querying winbindd for system internal 
users such as root, apache.....

Here is my nsswitch.conf:

#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
bind_policy soft

passwd:         compat ldap winbind
group:          compat ldap winbind
shadow:         compat ldap winbind

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netmasks:       files
netgroup:       files nis
publickey:      files
bootparams:     files
aliases:        files
automount:      ldap files

Attached file is the winbindd debug mode:
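
An added example, not part of the original thread or of Samba: a small Python lint for the source ordering recommended in the reply above (a local source before `winbind`/`ldap` for `passwd`, `group` and `shadow`). The function names and the constructed sample are hypothetical, and treating `compat` as a local source is an assumption taken from the thread.

```python
import re

LOCAL = {"files", "compat"}    # assumption: compat counts as local, as in the thread
REMOTE = {"ldap", "winbind"}   # sources that cause directory lookups
ACCOUNT_DBS = ("passwd", "group", "shadow")

# Lines from the nsswitch.conf posted in the thread (abbreviated)
THREAD_CONF = """\
bind_policy soft
passwd:         compat ldap winbind
group:          compat ldap winbind
shadow:         compat ldap winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
"""

# Constructed sample showing the ordering problem the reply warns about
CONSTRUCTED_BAD = "passwd: winbind files\ngroup: ldap\nshadow: files\n"

def parse_nsswitch(text):
    """Return ({database: [sources]}, [lines that are not 'database: sources'])."""
    dbs, stray = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"(\w+):\s*(.*)$", line)
        if not m:
            stray.append(line)
            continue
        # Drop [STATUS=action] criteria so only source names remain
        dbs[m.group(1)] = re.sub(r"\[[^\]]*\]", " ", m.group(2)).split()
    return dbs, stray

def lint(text):
    """List findings for account databases that reach a remote source first."""
    dbs, stray = parse_nsswitch(text)
    findings = [f"not a 'database: sources' line: {s!r}" for s in stray]
    for db in ACCOUNT_DBS:
        sources = dbs.get(db, [])
        remote = [s for s in sources if s in REMOTE]
        local = [s for s in sources if s in LOCAL]
        if remote and not local:
            findings.append(f"{db}: {remote[0]} with no local source")
        elif remote and sources.index(local[0]) > sources.index(remote[0]):
            findings.append(f"{db}: {remote[0]} is consulted before {local[0]}")
    return findings

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("constructed", CONSTRUCTED_BAD)):
        print(name, lint(conf))
```

On the configuration posted in the thread the ordering check passes, and the only finding is the `bind_policy soft` line, which does not have the `database: sources` form.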





