[Samba] System load problem with samba 4.4.2 caused by many ntlm auth client requests
Rainer Krienke
krienke at uni-koblenz.de
Mon Oct 2 12:51:54 UTC 2017
Hello,
for a while now I have been experiencing a strange problem with my samba
4.4.2 running on a SLES12SP2 system. The server does what it is supposed
to do, so users can work without any problems and access their files via
smb, but for some weeks the server has shown a strange and unusually high
system load.
The samba server is not the domain controller (which is a windows
machine) but a member of the domain and offers all windows clients access
to shares stored on linux file servers.
When watching processes on the samba server via top I see a system load
with a minimum of 18 and up to 50 (the server VM has 6 CPUs). Over the
weekend I also saw only two connected users and a load of 20. The load
is generated by smb-processes each eating up about 10%-15% CPU time
running as user root.
Watching the root-owned smb pids in top I noticed that their pids are
rapidly counting up, approximately by a number of about 20 each second.
By trying to strace one of these processes, which mostly failed because
the process had already died when I started strace, I learned that they
only live about a second until a new one is spawned.
After searching log files I found that each of these smb processes is
spawned by a windows client request that tries to authenticate via ntlm.
I interpret the log messages of these smb processes to mean that the
Windows *machine* (not the user) tries to authenticate against samba. In
the samba log files I see the messages below for many win clients:
[2017/10/02 11:07:46.987944, 2] ../source3/param/loadparm.c:2689(lp_do_section)
  Processing section "[share1]"
[2017/10/02 11:07:46.988010, 2] ../source3/param/loadparm.c:2689(lp_do_section)
  Processing section "[share2]"
....
[2017/10/02 11:07:47.046715, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [HOSTNAME$] -> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER
These log messages form a loop. This "loop" (client request, new smb
process, failed ntlm authentication, smb process dies, new client
request) repeats about once a second for each affected win client. In
summary this generates the load I see.
For each such authentication request the new smb process that is spawned
parses the whole smb.conf with all shares and then fails to do the
authentication requested by the client, which as far as I know should be
done against the windows domain controller but not against the samba
server.
All these windows clients are domain clients of our local windows domain
"MYREALM.UNI-KOBLENZ.DE" served by a real windows domain server. From a
user's point of view everything works fine, although things could still
speed up if the load was lower.
The really strange thing about this problem is that it first occurred
about 2 weeks ago, but in this time there was no new samba version
installed or any change in configuration. Before that, the load went
up to 5 or 10 but not more.
Now at semester break only about 120 users are active at a time, during
semester there are usually about 300 active users. But even these 300
users did not cause a load of 50, which I can observe now at peak times.
Does anyone have an idea what might be going on here with this large
number of machine ntlm auth tries suddenly?
Thank you very much
Here is my smb.conf without shares:
[global]
workgroup = MYREALM
domain master = no
local master = no
preferred master = no
ntlm auth = no
lanman auth = no
lm announce = no
encrypt passwords = Yes
unix extensions = no
wide links = yes
kernel oplocks = no
oplocks = yes
posix locking = no
blocking locks = no
acl allow execute always = yes
socket options = TCP_NODELAY
max open files = 32808
read raw = yes
write raw = yes
max xmit = 262144
dead time = 15
getwd cache = yes
stat cache = yes
disable netbios = yes
smb ports = 445
dos charset = CP850
unix charset = CP850
name resolve order = host wins bcast
passdb backend = tdbsam
vfs objects = fileid
realm = MYREALM.UNI-KOBLENZ.DE
security = ADS
map untrusted to domain = yes
map to guest = never
idmap config MYREALM : backend = nss
idmap config MYREALM : range = 0-2000000
idmap config MYREALM : read only = yes
idmap config * : backend = tdb
idmap config * : range = 3000000-4000000
idmap config * : read only = no
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
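
A way to confirm from the log which machine accounts are in the retry loop described in this message, as an added example that is not part of the original post: it parses level-2 smbd log records in the format quoted above (wrapped or not) and reports accounts whose NT_STATUS_NO_SUCH_USER failures repeat about once a second. The host names PC01$/PC02$, the sample log and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample (PC01$/PC02$ are made-up hosts) in the smbd log format quoted above.
SAMPLE_LOG = """\
[2017/10/02 11:07:46.900000,  2] ../source3/param/loadparm.c:2689(lp_do_section)
  Processing section "[share1]"
[2017/10/02 11:07:47.000000,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC01$] -> [PC01$] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:48.000000,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC01$] -> [PC01$]
  FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:48.500000,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC02$] -> [PC02$] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:49.000000,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC01$] -> [PC01$] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
# Machine accounts end in "$"; only the error seen in the post is counted.
FAILED = re.compile(r"Authentication for user \[([^\]]+\$)\] -> \[[^\]]*\] "
                    r"FAILED with error NT_STATUS_NO_SUCH_USER")

def records(text):
    """Yield (timestamp, message); continuation lines are joined to their header."""
    for chunk in re.split(r"(?m)^(?=\[\d{4}/\d\d/\d\d )", text):
        m = HEADER.match(chunk)
        if m:
            yield (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                   " ".join(chunk[m.end():].split()))  # collapse whitespace

def looping_machines(text, min_failures=3, max_avg_gap=2.0):
    """Return {account: (failures, avg seconds between failures)} for retry loops."""
    seen = {}
    for stamp, msg in records(text):
        m = FAILED.search(msg)
        if m:
            seen.setdefault(m.group(1), []).append(stamp)
    result = {}
    for account, stamps in seen.items():
        if len(stamps) >= max(min_failures, 2):  # need two points for a gap
            gap = (max(stamps) - min(stamps)).total_seconds() / (len(stamps) - 1)
            if gap <= max_avg_gap:
                result[account] = (len(stamps), gap)
    return result

if __name__ == "__main__":
    print(looping_machines(SAMPLE_LOG))
```

Run against the real smbd log, the accounts returned are the clients to inspect first; the thresholds can be raised for a longer capture.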