[Samba] smbd changeling and strange firewall logs

[Lars Hanke]

I found in my firewall logs something that looked somewhat like a port 
scan originating from my AD DC. So I started to check the machine and 
already found something strange using ps aux:

root at samba:/# samba -V
Version 4.1.11-Debian
root at samba:/# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
[...]
root     10675  0.0  2.8 457368 29620 ?        S    Nov04   0:03 
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     10684  0.0  3.2 482328 34116 ?        S    Nov04   0:02 
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
3000026  10686  0.0  3.2 482328 34096 ?        S    Nov04   0:01 
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     10688  0.0  3.2 482328 34100 ?        S    Nov04   0:01 
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     17934  0.0  0.0  49884     4 ?        Ss   Aug06   0:00 
/usr/sbin/sshd
[...]

Of course there is no login user 3000026 and the machine does not import 
any user accounts from anywhere outside. Apparently the process is 
already running for a week. This has probably been the last upgrade.

A few minutes later I see this:

root     10686  0.0  3.2 482328 34096 ?        S    Nov04   0:01 
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Okay, it became root again.

Is there any intended behaviour in smbd, which could explain this?

The original firewall fingerprint were tcp connection attempts from the 
AD DC to all joined workstations in port ranges from 34478 to 60746. The 
machine runs the DC with external Bind9. No other services beyond 
infrastructure to make it run. Has anyone seen this before?

Regards,
  - lars.