[Samba] Samba 4 AD DC 100% cpu process issues.

Eric Kingston ericnk at esreco.net
Thu Feb 6 08:48:48 MST 2014


We had a bad experience with Samba 4 AD DC on FreeBSD 9.2 Release 
recently that I thought I would share on this mailing list.  As a result 
of this experience we were forced to downgrade back to Samba 3.5 for 
stability.  We performed initial tests on Samba 4 and found it 
adequate.  But, once we brought it up for production, we noticed a deal 
breaking issue.  When browsing a share, 90% of the time, the Samba 
process will get stuck in some kind of loop and start using 100% of the 
CPU it is assigned to.  After scouring through the mailing list archives 
and googling it, we found two bug reports (10158 and 10358) of similar 
issues.  Hoping to correct this problem we applied the provided 
patches.  Unfortunately, neither solved our problem.  Samba processes 
were still getting stuck at 100% cpu usage.  This problem would affect 
multiple Samba processes, sparked by users browsing Samba shares.  After 
two processes reached 100% cpu usage, the entire Samba group of 
processes would freeze, making all shares unresponsive and inaccessible, 
forcing us to restart Samba.  We started monitoring samba processes 
through top and killed any that started to reach 100% cpu usage.  This 
practice, as you can imagine, made for a bad user experience.  The 
smb4.conf file we used is as follows....

# Global parameters
         workgroup = STANCORPBSD
         realm = ESRECO.NET
         netbios name = FRODO
         server role = active directory domain controller
         dns forwarder =
         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, dns, smb
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver, winreg, srvsvc
         idmap_ldb:use rfc2307 = yes

         logon drive = p:
         logon script = logon.bat
         domain logons = Yes
         preferred master = Yes
         domain master = Yes
         nsupdate command = /usr/local/bin/samba-nsupdate -g
         printing = bsd

         path = /var/db/samba4/sysvol/esreco.net/scripts
         read only = No
         log level = 3

         path = /var/db/samba4/sysvol
         read only = No

         path = /a/standard/home
         read only = No

         path = /a/standard/profiles
         read only = No
         csc policy = documents

         comment = Data Store
         path = /a/standard/data
         write list = @staff, @wheel, @ar
         read only = No
         create mask = 0777
         directory mask = 0777


Needless to say, we will be conducting the acid test on any future Samba 
4 deployments before they're put into production.  We were hoping that 
minimal initial testing would be adequate because the team that develops 
Samba is widely known for it's quality releases, and the Samba 3.x 
series has been nothing but rock solid stable for us, but as you can 
see, we were burned by that assumption.  As for now, the software is, as 
the install process indicates, "..still experimental.." and we will 
remain with Samba 3.x until future Samba 4 releases are available, 
hopefully correcting the nasty CPU usage bug (most likely some kind of 
loop) we ran into.

However, we are not discounting the possibility that there may have been 
a configuration problem.  We suspected a problem with using the ntvfs 
file system as opposed to the s3fs because we were coming from s3fs.  We 
were forced to use ntvfs because we primarily use ZFS as the underlying 
file system on FreeBSD.  We also used the built-in DNS with a a 
forwarding IP for our main DNS server.

System/Software information:

FreeBSD 9.2 release
Samba 4.1.4

The Samba software was installed through the FreeBSD ports system.

Any suggestions or ideas of why Samba 4.1.4 failed us are welcome. We of 
course would like to provide any information that will help track down 
and crush this bug, which does make the software unusable on FreeBSD, IMHO.



More information about the samba mailing list