[Samba] BLOATED LDAP Traffic from Samba

Joseph Williams joewjr at temple.edu
Tue Apr 24 23:00:52 GMT 2007


Hello All,

I am having an issue with a Samba 3.0.21a installation with an LDAP backend.

My Samba PDC is sending tons of traffic to my LDAP server (iPlanet) and is
causing the LDAP server load to peak consistently over a ridiculous 91%.
Logons slow to a crawl because the LDAP load is so high.  I do not have
roaming profiles enabled.

Here is an excerpt from a log file (log level = 2):

[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05996
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua68562
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: dhs
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05938
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua15265
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua18897
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua03367
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tmarti03
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua61714
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua40746
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05048
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua10708
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: koldacre
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua01257
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua56483
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua43553
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: aseward
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ironman8
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua51360
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ehlee
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua37090

When users log onto the Samba domain, Samba queries LDAP for the user's
authentication credentials; if the user name and password match, the user is
then able to log onto the client.

A registry value is then entered in HKLM\Software\Microsoft\Windows\Windows
NT\CurrentVersion\ProfileList\S-1-21-DOMAIN SIDS-other values\tuaxxxx.

The registry entry is expected and normal, and all authenticated domain users
will have a registry entry on any machine they use.

The Samba request traffic was enough to increase the LDAP system load and
force me to redirect requests from Samba away from the production LDAP servers
to an offsite LDAP server, and then eventually to my own slave LDAP server.
This move was necessary so that other university distributed systems would
not be adversely affected.

The queries that Samba is sending to LDAP are for all domain users that
have a registry entry in the aforementioned hive location.  Please bear in
mind that this enumeration occurs in the background whether the XP
systems are:

1.  at the logon screen, or
2.  past the point where a user has successfully authenticated (the request
will occur for the current logon user and enumerate ALL domain users in the
hive).

During my testing, tuning, and log observation, I have noticed that the
requests do not happen at any specific interval for a specific client;
rather, they just occur often enough to cause too much load on the LDAP
servers.

How can I get this to stop?  Is this normal behaviour?
In my research I noticed the smb.conf parameters winbind enum groups
and winbind enum users.  I am not using winbind, so this will not work for
me.

I've manually deleted the domain users that exist in the HKLM registry hive I
mentioned above, and that stops the request traffic from Samba to LDAP.
However, each new user of a particular workstation will continue to have an
entry cached in this hive.  I've looked for a way to stop the caching using
regedit and gpedit.msc, but wasn't successful.

I should also mention that I've been using this version of Samba for over
1.5 years and it has proven to be stable for me.  I do plan to upgrade at
the end of the semester; however, this issue has only started in the past 3
weeks.  The only change has been on the client, and that was an upgrade of
the Symantec AntiVirus client from 10.0.1.1000 to 10.1.4.4000.

My smb.conf is as follows:
[root at valdez samba]# testparm
Load smb config files from /etc/samba/smb.conf
Can't find include file /etc/samba/.conf
Processing section "[netlogon]"
Processing section "[e-PrimeData]"
Processing section "[HIMS]"
Processing section "[TEST2]"
Processing section "[TempDir]"
Processing section "[Apps]"
Processing section "[Photography]"
Processing section "[admintools]"
Processing section "[magazine]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = ACSLABS
        server string = "TUfiles"
        passdb backend = ldapsam:ldap://ldap-tech.ocis.temple.edu:11389/
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 0
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        addprinter command = /etc/samba/scripts/smbaddprinter.pl
        deleteprinter command = /etc/samba/scripts/smbdelprinter.pl
        add machine script = /etc/samba/scripts/addworkstation.pl %u
        logon script = login.bat
        logon path =
        domain logons = Yes
        domain master = Yes
        wins server = 155.247.225.230, 155.247.225.231
        ldap admin dn = cn=sambaLabs2,ou=roles,dc=temple,dc=edu
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=temple,dc=edu
        ldap user suffix = ou=People
        add share command = /etc/samba/scripts/modify_samba_config.pl
        delete share command = /etc/samba/scripts/modify_samba_config.pl
        panic action = "/bin/sleep 90000"
        winbind enum users = No
        winbind enum groups = No
        inherit acls = Yes
        ea support = Yes
        map acl inherit = Yes
        include = /etc/samba/.conf

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = "@Domain Admins"
        guest ok = Yes
        browseable = No
        locking = No


[magazine]
        comment = SCT Magazine
        path = /ACSLABS/Magazine
        valid users = @magazine
        read only = No
        create mask = 0775
        veto files = /*.php/*.xml/*.css/.htaccess/*.com/*.bat/*.exe/*.scr/*.pif/*.dll/
        volume = SCT Magazine
......some share info deleted to allow for shorter message

I don't want to add a WMI or VB script to delete the registry hive values
because this is a new problem and did exist prior to three weeks ago.

Thanks for your assistance,
joe
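The excerpt in the post above, one init_sam_from_ldap lookup per cached profile all stamped with the same second, is the signature of an enumeration rather than of a single logon, which fetches one user. Since the posted smb.conf logs with "log file = /var/log/samba/%m", every client writes its own file, so such bursts can be attributed to a workstation. The following Python script is an added example, not code from the original post or from Samba: it parses records in the format of the excerpt and reports, per client, how many lookups occurred and where they cluster. The client names, user names, unrelated log line and the window/threshold values are constructed assumptions; it needs "log level = 2" to see the lookup lines at all.

```python
"""Detect bulk ldapsam user lookups in Samba 3 'log level = 2' output.

Added example (not from the original post or from Samba itself).  It parses
the two-line records that pdb_ldap.c emits for each user lookup and flags
bursts of lookups for many distinct users within a short window, which is
what a walk of every cached profile looks like, as opposed to the single
lookup that an ordinary logon produces.  With 'log file = /var/log/samba/%m'
each client has its own log file, so a burst is attributable to a workstation.
"""
import re
import sys
from datetime import datetime
from pathlib import Path

# Header line, e.g.: [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] (\S+)")
# Continuation line, e.g.:   init_sam_from_ldap: Entry found for user: tua19847
LOOKUP_RE = re.compile(r"^\s*init_sam_from_ldap: Entry found for user: (\S+)")


def parse_lookups(text):
    """Return [(timestamp, user)] for every ldapsam user lookup in a log."""
    events = []
    stamp = None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            stamp = datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        body = LOOKUP_RE.match(line)
        if body and stamp is not None:
            events.append((stamp, body.group(1)))
    return events


def find_bursts(events, window_s=2, min_users=5):
    """Sliding-window burst detection.

    Returns [(start, lookups, distinct_users)] for every run of lookups in
    which at least min_users distinct users were fetched within window_s
    seconds.  One interactive logon fetches one user and never trips the
    threshold (assumed values; tune to the site's logon rate).
    """
    events = sorted(events)
    bursts = []
    i, n = 0, len(events)
    while i < n:
        j = i
        users = set()
        while j < n and (events[j][0] - events[i][0]).total_seconds() <= window_s:
            users.add(events[j][1])
            j += 1
        if len(users) >= min_users:
            bursts.append((events[i][0], j - i, len(users)))
            i = j  # consume the whole burst before looking again
        else:
            i += 1
    return bursts


def summarize(logs_by_client, window_s=2, min_users=5):
    """Per-client report: {client: {'lookups', 'distinct_users', 'bursts'}}."""
    report = {}
    for client, text in logs_by_client.items():
        events = parse_lookups(text)
        report[client] = {
            "lookups": len(events),
            "distinct_users": len({u for _, u in events}),
            "bursts": find_bursts(events, window_s, min_users),
        }
    return report


# Constructed sample logs in the format of the excerpt; client and user names
# are placeholders, not the ones in the original post.
SAMPLE_LOGS = {
    # a workstation walking twelve cached profiles in the same second
    "lab-pc-07": "\n".join(
        "[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)\n"
        f"  init_sam_from_ldap: Entry found for user: user{i:02d}"
        for i in range(1, 13)
    ),
    # an ordinary logon: one lookup, then an unrelated (constructed) level-2
    # record that the parser must ignore
    "lab-pc-12": (
        "[2007/04/24 17:25:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)\n"
        "  init_sam_from_ldap: Entry found for user: user42\n"
        "[2007/04/24 17:25:11, 2] smbd/service.c:make_connection_snum(879)\n"
        "  lab-pc-12 (10.0.0.12) connect to service netlogon initially as user user42\n"
    ),
}


def load_client_logs(log_dir):
    """Read every per-client file written by 'log file = /var/log/samba/%m'."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(log_dir).iterdir() if p.is_file()}


def main(argv):
    logs = load_client_logs(argv[1]) if len(argv) > 1 else SAMPLE_LOGS
    report = summarize(logs)
    for client, r in sorted(report.items(), key=lambda kv: -kv[1]["lookups"]):
        print(f"{client:16} lookups={r['lookups']:5d} "
              f"users={r['distinct_users']:5d} bursts={len(r['bursts'])}")
        for start, count, users in r["bursts"]:
            print(f"    burst at {start:%Y-%m-%d %H:%M:%S}: "
                  f"{count} lookups, {users} distinct users")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or point it at the log directory ("python detect_enum.py /var/log/samba") to rank real clients by lookup volume; the clients at the top of the list, and the timestamps of their bursts, are what to compare against the change the post suspects (the antivirus client upgrade) rather than the LDAP side.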
