[Samba] Samba 4.2.2 AD Server - Winbind CPU 100% Password Expired

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 29 11:09:58 MDT 2015


On 29/06/15 17:51, Christopher Roberts wrote:
> I installed a new Linux server for remote user access using Ubuntu 14.04 and
> x2goserver, authenticating against our existing Samba 4.2.2 AD server.
>
> All was working beautifully for a couple of days, with myself and one other
> user. Then the other user's AD password expired, after which, when they
> attempted to log in, winbindd spiralled out of control. Ended up with several
> 100% CPU winbindd processes and the server almost completely unresponsive.
>
> Errors in logs stating "Exceeding 200 client connections". Auth.log
> indicated an authorisation failure.
>
> I changed the max connections from 200 to 50, in the hope that at least the
> server would remain responsive (which worked). Stopping Winbind and killing
> the hung processes cleared the problem, until they tried again, when the
> problem repeated itself.
>
> Even a simple SSH login triggered the problem, so this would not appear to
> be anything to do with x2go.
>
> It turned out to be a simple password expiry. Logging onto a Windows client
> prompted for the password change and all was well, but a single user's
> password expiring shouldn't really hang the server.
>
> It is quite possible that I have misconfigured the Linux Samba, PAM, SSH,
> Kerberos etc. configuration on this x2goserver, as finding an up-to-date
> howto proved difficult. For example:
>
> https://wiki.samba.org/index.php/Configuring_a_Linux_client_for_AD
>
> I seemed to recall that you shouldn't use likewise open or its successor,
> and in the end I did something along these lines:
>
> http://ubuntuforums.org/showthread.php?t=91510
>
> If anyone has any suggestions for configuring the Linux client to cope with
> password expiry, I would appreciate it.
>
> Thanks,
>
> Chris.
>

OK, what you have to remember/realise is that a Samba AD client is not much
different from a Samba member server; it doesn't serve files (unless you want
it to), but you should set it up in the same way. Have a look here:

  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland

