[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server

Asbjorn Taugbol asbjornt at gmail.com
Fri May 26 08:56:53 UTC 2017 

Summary:
WIN10 clients opening .exe files on the share starts 5-10 nobody/nogroup
processes on the server that are not killed when application is closed.
This accumulates in the tens of thousands after some hours on a busy server.

I have been using different "max protocol" values in smb.conf global
section and found that only when using NT1 (which WIN10 calls dialect 1.5)
Samba recognises the username as demoUser insted of nobody and no excessive
processes are accumulated. Here are the results:

max protocol = SMB3
Client using SMBv311:
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
18299     nobody        nogroup       10.10.1.71   (ipv4:10.10.1.71:56243)
Unknown (0x0311)

--> SMB 311 is not a recognised protocol version (Unknown (0x311))!!

max protocol = SMB2
Client using SMBv210:
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
8259      nobody        nogroup       10.10.1.42   (ipv4:10.10.1.42:55938)
SMB2_10

--> Recognised protocol but not the username and processes are still
accumulated.

smb.conf: max protocol = NT1
Client using SMBv1:
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
8219      demoUser      demoUser      10.10.1.71   (ipv4:10.10.1.71:57687)
NT1

--> Success! Username recognised! Spawned processes are dropped when not
needed.

Conclusion:
Problem solved with smb.conf global setting: max protocol = NT1

Question:
Microsoft strongly recommends disabling SMBv1 (NT1) for security reasons.
What does the Samba community recommend?

Thank you.

On Thu, May 25, 2017 at 11:16 AM, Asbjorn Taugbol <asbjornt at gmail.com>
wrote:

> I am thankful for all support received so far and I feel I'm getting
> closer to a solution.
>
> To get back to basics and a more transparent setup I have made a clean
> Ubuntu 16.04 installation and followed this guide https://wiki.samba.org/
> index.php/Setting_up_Samba_as_a_Standalone_Server
> Windows clients users are logged in with username Admin (local account,
> administrator).
> The samba share is mounted from "Map network drive..." as
> "\\10.10.1.206\demo" user credentials: demoUser/passw0rd. Access granted,
> read/write ok.
>
> BUT after a while processes are piling up and not released. Read/write
> files is ok. Running .exe-files on the share is not ok. I have been testing
> numerous .exe-files and they all result in a bunch of "nobody"-processes
> that are not terminated after closing the .exe-application. The smbstatus
> output below is shown after starting the putty.exe application.
>
> Samba log file for windows client that covers the event of starting
> putty.exe on the shared drive:
> https://gist.github.com/anonymous/21321cdd410a9cc38b35765144959db6
>
> Any ideas on how to proceed?
>
> Thank you.
>
> -Asbjorn
>
> #####################################
>
>
> root at ubuntuTest:/srv# testparm
> # Global parameters
> [global]
>         server string = %h server (Samba, Ubuntu)        server role =
> standalone server
>         obey pam restrictions = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         username map = /usr/local/samba/lib/users.map
>         unix password sync = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         idmap config * : backend = tdb
>
>
> [demo]
>         path = /srv/samba/demo/
>         read only = No
>
> #####################################
>
> root at ubuntuTest:/srv# smbstatus
>
> Samba version 4.3.11-Ubuntu
> PID     Username      Group         Machine            Protocol Version
> ------------------------------------------------------------
> ------------------
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      demoUser      demoUser      10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
> 2981      nobody        nogroup       10.10.1.70   (ipv4:10.10.1.70:50058)
> Unknown (0x0311)
>
> Service      pid     machine       Connected at
> -------------------------------------------------------
> demo         2981   10.10.1.70    Wed May 24 15:29:34 2017
>
> Locked files:
> Pid          Uid        DenyMode   Access      R/W        Oplock
> SharePath   Name   Time
> ------------------------------------------------------------
> --------------------------------------
> 2981         1003       DENY_WRITE 0x1000a1    RDONLY     LEVEL_II
> /srv/samba/demo   putty.exe   Wed May 24 15:30:21 2017
> 2981         1003       DENY_NONE  0x100081    RDONLY     NONE
> /srv/samba/demo   .   Wed May 24 15:30:13 2017
> 2981         1003       DENY_NONE  0x100081    RDONLY     NONE
> /srv/samba/demo   .   Wed May 24 15:30:13 2017
>
> On Tue, May 23, 2017 at 4:54 PM, Rowland Penny <rpenny at samba.org> wrote:
>
>> On Tue, 23 May 2017 16:34:29 +0200
>> Asbjorn Taugbol via samba <samba at lists.samba.org> wrote:
>>
>>
>> > Yes, the users exist as both Linux and Samba users. My question was
>> > if the Windows client user "Admin" also needs to be Linux and Samba
>> > user.
>> >
>>
>> There is no windows user called 'Admin', there is one called
>> 'Administrator', if it is the later, then it is automatically mapped to
>> 'root' on a DC, but, on anything else, you need to map it in smb.conf
>> with a user.map setting.
>> If it is a separate user called 'Admin', then this is treated as just
>> another user and must exist in Samba and Unix on a standalone server.
>>
>> > Could be. This was not a problem in the old Samba 3.4. It all started
>> > after switching to new Samba 4.3.11-Ubuntu.
>>
>> Quite a lot has changed between 3.4 and now.
>>
>> Rowland
>>
>>
>>
>

More information about the samba mailing list