[Samba] BLOATED LDAP Traffic from Samba
Joseph Williams
joewjr at temple.edu
Tue Apr 24 23:00:52 GMT 2007
Hello All,
I am having an issue with a Samba 3.0.21a with LDAP backend installation.
My Samba PDC is sending tons of traffic to my LDAP server (iPlanet) and is
causing the LDAP server load to peak consistently over a ridiculous 91%.
Logons come to a crawl because the LDAP load is so high. I do not have
roaming profiles enabled.
Here is an excerpt from a log file (log level = 2):
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua05996
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua68562
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: dhs
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua05938
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua15265
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua18897
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua03367
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tmarti03
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua61714
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua40746
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua05048
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua10708
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: koldacre
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua01257
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua56483
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua43553
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: aseward
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: ironman8
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua51360
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: ehlee
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: tua37090
When users log onto the Samba domain, Samba queries LDAP for the user's
authentication credentials; if the user and password match, the user is
then able to log onto the client.
A registry value is then entered in HKLM\Software\Microsoft\Windows\Windows
NT\CurrentVersion\ProfileList\S-1-21-DOMAIN SIDS-other values\tuaxxxx.
The registry entry is expected and normal, and all authenticated domain users
will have a registry entry on any machine they use.
The Samba request traffic was enough to increase the LDAP system load and
force me to redirect requests from Samba away from the production LDAP servers to
an offsite LDAP server, and then eventually to my own slave LDAP server.
This move was necessary so that other university distributed systems would
not be adversely affected.
The queries that Samba is requesting from LDAP are for all domain users that
have a registry entry in the aforementioned hive location. Please bear in
mind that this enumeration occurs in the background whether or not the XP
systems are:
1. at the logon screen
2. after a user has successfully authenticated (the request will occur for
the current logon user and enumerate for ALL domain users in the hive).
During my testing, tuning, and log observation, I have noticed that the
requests do not happen at any specific interval for a specific client; rather,
they just occur often enough to cause too much load on the LDAP servers.
How can I get this to stop? Is this normal behaviour?
In my research I noticed the smb.conf parameter settings winbind enum groups
and winbind enum users. I am not using winbind, so this will not work for
me.
I've manually deleted the domain users that exist in the HKLM registry hive I
mentioned above, and that stops the request traffic from Samba to LDAP.
However, each new user of a particular workstation will continue to have an
entry cached in this hive. I've looked for a way to stop the caching using
regedit and gpedit.msc, but wasn't successful.
I should also mention that I've been using this version of Samba for over
1.5 years and it has proven to be stable for me. I do plan to upgrade at
the end of the semester; however, this issue has only started in the past 3
weeks. The only change has been on the client, and that was an upgrade of the
Symantec Antivirus client from 10.0.1.1000 to 10.1.4.4000.
My smb.conf is as follows:
[root at valdez samba]# testparm
Load smb config files from /etc/samba/smb.conf
Can't find include file /etc/samba/.conf
Processing section "[netlogon]"
Processing section "[e-PrimeData]"
Processing section "[HIMS]"
Processing section "[TEST2]"
Processing section "[TempDir]"
Processing section "[Apps]"
Processing section "[Photography]"
Processing section "[admintools]"
Processing section "[magazine]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
workgroup = ACSLABS
server string = "TUfiles"
passdb backend = ldapsam:ldap://ldap-tech.ocis.temple.edu:11389/
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
addprinter command = /etc/samba/scripts/smbaddprinter.pl
deleteprinter command = /etc/samba/scripts/smbdelprinter.pl
add machine script = /etc/samba/scripts/addworkstation.pl %u
logon script = login.bat
logon path =
domain logons = Yes
domain master = Yes
wins server = 155.247.225.230, 155.247.225.231
ldap admin dn = cn=sambaLabs2,ou=roles,dc=temple,dc=edu
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=temple,dc=edu
ldap user suffix = ou=People
add share command = /etc/samba/scripts/modify_samba_config.pl
delete share command = /etc/samba/scripts/modify_samba_config.pl
panic action = "/bin/sleep 90000"
winbind enum users = No
winbind enum groups = No
inherit acls = Yes
ea support = Yes
map acl inherit = Yes
include = /etc/samba/.conf
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = "@Domain Admins"
guest ok = Yes
browseable = No
locking = No
[magazine]
comment = SCT Magazine
path = /ACSLABS/Magazine
valid users = @magazine
read only = No
create mask = 0775
veto files =
/*.php/*.xml/*.css/.htaccess/*.com/*.bat/*.exe/*.scr/*.pif/*.dll/
volume = SCT Magazine
......some share info deleted to allow for shorter message
I don't want to add a WMI or VB script to delete the registry hive values
because this is a new problem and did exist prior to three weeks ago.
Thanks for your assistance,
joe
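An added example, not from the post or from Samba: a small Python script that parses `init_sam_from_ldap` log pairs in the exact format of the excerpt above and flags any second in which many distinct users were pulled from LDAP. A single logon looks up one account, so a burst of distinct users in one second is the background enumeration Joe describes; the threshold of 10 and the sample log lines are constructed for the example.

```python
import re
import sys
from collections import defaultdict

# A level-2 lookup in the post's log is a pair of lines: a header carrying the
# timestamp and source location, then the "Entry found for user" line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
ENTRY_RE = re.compile(r"^\s*init_sam_from_ldap: Entry found for user: (\S+)$")

def parse_lookups(lines):
    """Yield (timestamp, user) for each LDAP user lookup recorded in the log."""
    ts = None
    for line in lines:
        m = HEADER_RE.match(line.rstrip("\n"))
        if m:
            ts = m.group(1)
            continue
        m = ENTRY_RE.match(line.rstrip("\n"))
        if m and ts is not None:
            yield ts, m.group(1)
            ts = None  # each header carries exactly one entry line

def find_bursts(lines, threshold=10):
    """Return {timestamp: sorted distinct users} for every second in which at
    least `threshold` distinct users were pulled from LDAP. One logon looks up
    one user; many distinct users in a single second is an enumeration."""
    per_second = defaultdict(set)
    for ts, user in parse_lookups(lines):
        per_second[ts].add(user)
    return {ts: sorted(u) for ts, u in per_second.items() if len(u) >= threshold}

# Constructed sample in the format of the post's excerpt (usernames are made up):
# twelve lookups in one second, then a lone lookup fourteen seconds later.
SAMPLE_LOG = []
for i in range(12):
    SAMPLE_LOG += ["[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)",
                   f"  init_sam_from_ldap: Entry found for user: tua{i:05d}"]
SAMPLE_LOG += ["[2007/04/24 17:24:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)",
               "  init_sam_from_ldap: Entry found for user: jdoe"]

if __name__ == "__main__":
    # With `log file = /var/log/samba/%m` each log is named after its client, so a
    # flagged file identifies the workstation whose logon triggered the enumeration.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for ts, users in sorted(find_bursts(fh).items()):
                print(f"{path}: {ts} looked up {len(users)} distinct users")
```

Run it as `python3 burst.py /var/log/samba/*` to see which per-client logs contain enumeration bursts and when they happened.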