[Samba] 3.6.8: Winbind/Active Directory: lsass.exe process run cpu to 100%

Rowland Penny rpenny at f2s.com
Sat Sep 29 14:21:50 MDT 2012


On 29/09/12 20:31, David Touzeau wrote:
> nsswitch has been changed to
>
> passwd:         files ldap winbind
> group:          files ldap winbind
> shadow:         files ldap winbind
>
> But lsass.exe still runs at 100% cpu and winbind still wants to parse 
> the full AD
> I think I will create a ticket on the tracker because we have removed 
> winbind from the nsswitch:
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
>
> and lsass.exe still runs at 100%
> When stopping winbindd
> lsass.exe is down to 0%
>
> From: Heather Choi
> Sent: Saturday, September 29, 2012 4:26 PM
> To: David Touzeau
> Cc: mario.codeniera at gmail.com ; samba at lists.samba.org
> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe 
> process run cpu to 100%
>
> manpages of nsswitch:  compat support `+/-' in the ``passwd'' and 
> ``group'' databases. If this is present, it must be the only source 
> for that entry.
>
> Database         Default source list
> group            compat
> group_compat     nis
> hosts            files dns
> netgroup         files [notfound=return] nis
> passwd           compat
> passwd_compat    nis
> On 09/29/2012 05:03 AM, David Touzeau wrote:
> Thanks Heather Choi
>
> But in my nsswitch I have
>
> passwd:         compat ldap winbind
> group:          compat ldap winbind
> shadow:         compat ldap winbind
>
> As compat is an advanced "files" method...
> So my nsswitch is compatible with your suggestion...?
>
>
> -----Original Message----- From: Heather Choi
> Sent: Saturday, September 29, 2012 4:52 AM
> To: mario.codeniera at gmail.com
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] 3.6.8: Winbind/Active Directory: lsass.exe 
> process run cpu to 100%
>
> You definitely should have "files" placed *before* winbind of passwd,
> group and shadow, like:
>
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> Otherwise, you will be hitting AD a whole ton for localized users and
> definitely root with services running.
>
> On 09/27/2012 02:00 AM, David Touzeau wrote:
> Dear
> I have connected samba 3.6.8 to my Active Directory and the lsass.exe 
> runs to 100%
> When stopping winbind the lsass.exe CPU is down to 0%
> When winbindd is set to debug mode, it seems it tries to scan the root user 
> every time.
> I would like to know how to ban nsswitch from querying winbindd for system 
> internal users such as root, apache.....
>
> Here it is my nsswitch.conf :
>
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> bind_policy soft
>
> passwd:         compat ldap winbind
> group:          compat ldap winbind
> shadow:         compat ldap winbind
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netmasks:       files
> netgroup:       files nis
> publickey:      files
> bootparams:     files
> aliases:        files
> automount:      ldap files
>
> Attached file is the winbindd debug mode:
>
>
>
>
Hi, you say that you have connected samba 3.6.8 to your Active 
Directory. How? And where does ldap come into it?
If you join a samba 3.6 machine to Active Directory, you only need 
winbind to be added to nsswitch.conf.

Rowland
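
As an added example (not part of the original message and not Samba code), this Python sketch checks the ordering recommended in the quoted thread: that a local source appears before winbind for passwd, group and shadow. The function names, the sample configurations and the choice to count compat as a local source alongside files are assumptions made for this example.

```python
import re

LOCAL = {"files", "compat"}      # assumption: compat counts as a local source
CHECKED = ("passwd", "group", "shadow")

def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [STATUS=action] items."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue             # blank line, comment, or stray directive
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # strip action items
        table[db.strip()] = rest.split()
    return table

def audit(text, remote="winbind"):
    """Map each checked database to 'ok', 'absent' or a description of the problem."""
    table = parse_nsswitch(text)
    result = {}
    for db in CHECKED:
        sources = table.get(db, [])
        if remote not in sources:
            result[db] = "absent"
            continue
        before = sources[:sources.index(remote)]
        result[db] = "ok" if LOCAL & set(before) else "no local source before " + remote
    return result

# Constructed samples based on the configurations quoted in the thread.
THREAD_CONFIG = """\
# Example configuration of GNU Name Service Switch functionality.
bind_policy soft
passwd:         compat ldap winbind
group:          compat ldap winbind
shadow:         compat ldap winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
"""
WINBIND_FIRST = "passwd: winbind files\ngroup: files winbind\nshadow: files ldap\n"

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("winbind-first", WINBIND_FIRST)):
        print(name, audit(cfg))
```
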

