[Samba] Samba 4.2.2 AD Server - Winbind CPU 100% Password Expired

Christopher Roberts cjr at tridentgarages.co.uk
Mon Jun 29 10:51:17 MDT 2015


I installed a new Linux server for remote user access using Ubuntu 14.04 and
x2goserver, authenticating against our existing Samba 4.2.2 AD server.

All was working beautifully for a couple of days, with myself and one other
user. Then the other user's AD password expired, after which, when they
attempted to log in, winbindd spiralled out of control. Ended up with several
100% CPU winbindd processes and the server almost completely unresponsive.

Errors in logs stating "Exceeding 200 client connections". Auth.log
indicated an authorisation failure.

I changed the max connections from 200 to 50, in the hope that at least the
server would remain responsive (which worked). Stopping Winbind and killing
the hung processes cleared the problem, until they tried again, when the
problem repeated itself.

Even a simple SSH login triggered the problem, so this would not appear to
be anything to do with x2go.

It turned out to be a simple password expiry. Logging onto a Windows client
prompted for the password change and all was well, but a single user's
password expiring shouldn't really hang the server.

It is quite possible that I have misconfigured the Linux Samba, PAM, SSH,
Kerberos etc. configuration on this x2goserver, as finding an up-to-date
howto proved difficult. For example:

https://wiki.samba.org/index.php/Configuring_a_Linux_client_for_AD

I seemed to recall that you shouldn't use Likewise Open or its successor,
and in the end I did something along these lines:

http://ubuntuforums.org/showthread.php?t=91510

If anyone has any suggestions for configuring the Linux client to cope with
password expiry, I would appreciate it.

Thanks,

Chris.
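
The pairing of symptoms reported in this post (winbindd logging "Exceeding N client connections" while auth.log shows failed logins) can be checked for mechanically. The following Python is an added example, not part of the original post or of Samba; it assumes both logs have been normalised to "YYYY-MM-DD HH:MM:SS message" lines and that failure lines carry a user= field, and all sample lines and user names are constructed.

```python
import re
from datetime import datetime, timedelta

LIMIT_RE = re.compile(r"Exceeding (\d+) client connections")  # string quoted in the post
FAIL_RE = re.compile(r"authentication failure.*\buser=(\S+)")  # assumed failure format

def parse(lines):
    """Yield (timestamp, message) from 'YYYY-MM-DD HH:MM:SS message' lines."""
    for line in lines:
        yield datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]

def suspects(auth_lines, winbind_lines, window_s=120):
    """For each connection-limit event, list users whose logins failed
    in the window_s seconds leading up to it."""
    window = timedelta(seconds=window_s)
    failures = [(t, m.group(1)) for t, msg in parse(auth_lines)
                if (m := FAIL_RE.search(msg))]
    report = []
    for t, msg in parse(winbind_lines):
        m = LIMIT_RE.search(msg)
        if not m:
            continue  # unrelated winbindd message
        users = sorted({u for ft, u in failures if t - window <= ft <= t})
        report.append((t, int(m.group(1)), users))
    return report

# Constructed sample data: assumed normalised format, hypothetical users.
AUTH = [
    "2015-06-29 09:10:00 sshd: authentication failure; rhost=10.0.0.5 user=alice",
    "2015-06-29 09:13:40 sshd: authentication failure; rhost=10.0.0.7 user=bob",
    "2015-06-29 09:13:55 sshd: authentication failure; rhost=10.0.0.7 user=bob",
    "2015-06-29 09:14:30 sshd: Accepted password for carol",
]
WINBIND = [
    "2015-06-29 09:14:02 winbindd: Exceeding 50 client connections",
    "2015-06-29 09:14:05 winbindd: Exceeding 50 client connections",
    "2015-06-29 09:30:00 winbindd: some other message",
]

if __name__ == "__main__":
    for when, limit, users in suspects(AUTH, WINBIND):
        print(when, "limit", limit, "recent failed logins:", users or "none")
```

A user who shows up against every limit event is the first account to check for an expired password on the AD side.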


