[Samba] System load problem with samba 4.4.2 caused by many ntlm auth client requests

Rowland Penny rpenny at samba.org
Mon Oct 2 14:41:54 UTC 2017


On Mon, 2 Oct 2017 14:51:54 +0200
Rainer Krienke via samba <samba at lists.samba.org> wrote:

> Hello,
> ....
>  [2017/10/02 11:07:47.046715,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password:  Authentication for user [HOSTNAME$] ->
> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER
> 

It looks fairly obvious to me: the Samba machine doesn't know the user
trying to connect.

> 
> All these windows clients are domain clients of our local windows
> domain "MYREALM.UNI-KOBLENZ.DE" served by a real windows domain
> server. From a user's point of view everything works fine, although
> things could still speed up if the load was lower.
> 
> The really strange thing about this problem is that it occurred first
> about 2 weeks ago, but in this time there was no new samba version
> installed or any change in configuration. The time before the load
> went up to 5 or 10 but not more.

Has anything changed on the Windows machines? Any updates, etc.?

> 
> Here is my smb.conf without shares:
> 
> [global]
>         workgroup = MYREALM
>         domain master = no
>         local master = no
>         preferred master = no
>         ntlm auth = no
>         lanman auth = no
>         lm announce = no
>         encrypt passwords = Yes
>         unix extensions = no
>         wide links = yes
>         kernel oplocks = no
>         oplocks = yes
>         posix locking = no
>         blocking locks = no
>         acl allow execute always = yes
>         socket options = TCP_NODELAY
>         max open files = 32808
>         read raw = yes
>         write raw = yes
>         max xmit = 262144
>         dead time = 15
>         getwd cache = yes
>         stat cache = yes
>         disable netbios = yes
>         smb ports = 445
> 
>         dos charset = CP850
>         unix charset = CP850
>         name resolve order = host wins bcast
>         passdb backend = tdbsam
>         vfs objects = fileid
> 
>         realm = MYREALM.UNI-KOBLENZ.DE
>         security = ADS
>         map untrusted to domain = yes
>         map to guest = never
>         idmap config MYREALM : backend = nss
>         idmap config MYREALM : range = 0-2000000
>         idmap config MYREALM : read only = yes
>         idmap config * : backend = tdb
>         idmap config * : range = 3000000-4000000
>         idmap config * : read only = no
> 

Is there any reason for using the idmap_nss backend?
With this, you need users on the Samba machine with the same name as
the Domain users i.e. for DOMAIN\jsmith there must be a Unix user
called jsmith.

I would suggest you change it to:

        idmap config MYREALM : backend = rid
        idmap config MYREALM : range = 0-2000000
        idmap config * : backend = tdb
        idmap config * : range = 3000000-4000000 

This would mean the users and groups IDs would change.

I think this is what is happening: a user is trying to connect, but this
user doesn't have a corresponding Unix user, so it gets rejected even
though it is a valid domain user.

Rowland
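An added example, not part of the thread and not Samba project code, showing how one would check the two things Rowland points at: whether an idmap backend in smb.conf (here idmap_nss) needs a pre-existing Unix account for every domain user, and which accounts are actually producing the NT_STATUS_NO_SUCH_USER failures in log.smbd. The config fragment and the log entries below are constructed for this example in the format quoted above; the host names PC001/PC002 and the user jsmith are made up.

```python
"""Check an smb.conf idmap configuration and count failed NTLM
authentications per account from smbd log lines.

Added example for the thread above; the sample config and log entries
are constructed, not taken from the original report."""
import re
from collections import Counter

# Constructed: a trimmed copy of the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        workgroup = MYREALM
        realm = MYREALM.UNI-KOBLENZ.DE
        security = ADS
        ntlm auth = no
        idmap config MYREALM : backend = nss
        idmap config MYREALM : range = 0-2000000
        idmap config MYREALM : read only = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000000-4000000
"""

# Constructed: two-line smbd log entries in the format quoted in the thread.
SAMPLE_LOG = """\
[2017/10/02 11:07:47.046715,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC001$] -> [PC001$] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:47.102334,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC001$] -> [PC001$] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:48.000001,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/10/02 11:07:49.500000,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [PC002$] -> [PC002$] FAILED with error NT_STATUS_WRONG_PASSWORD
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Parameter names are lowercased with
    whitespace collapsed, since Samba treats them case-insensitively."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


IDMAP_RE = re.compile(r"^idmap config (?P<domain>\S+) : (?P<param>.+)$")


def idmap_backends(conf):
    """Group the 'idmap config DOMAIN : param' entries of [global] by domain
    (domain names come back lowercased by parse_smb_conf)."""
    domains = {}
    for key, value in conf.get("global", {}).items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group("domain"), {})[m.group("param")] = value
    return domains


# idmap_nss only maps accounts that already exist in the local NSS database,
# so a domain account without a matching Unix user cannot get an ID.
NEEDS_LOCAL_ACCOUNT = {"nss"}


def idmap_findings(conf):
    """List (domain, backend, message) for backends that need a Unix user per
    domain account, and for domains with no range set."""
    findings = []
    for domain, params in idmap_backends(conf).items():
        backend = params.get("backend", "")
        if backend in NEEDS_LOCAL_ACCOUNT:
            findings.append((domain, backend,
                             "needs a Unix user for every domain account; "
                             "'backend = rid' avoids that (IDs will change)"))
        if "range" not in params:
            findings.append((domain, backend, "no idmap range configured"))
    return findings


AUTH_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)")


def failed_auth_by_user(log_text, status="NT_STATUS_NO_SUCH_USER"):
    """Count FAILED authentications with the given NT_STATUS, keyed by the
    mapped account name (machine accounts carry a trailing '$')."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("status") == status:
            counts[m.group("mapped")] += 1
    return counts


def machine_account_share(counts):
    """Fraction of the counted failures that come from computer accounts."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(n for u, n in counts.items() if u.endswith("$")) / total


if __name__ == "__main__":
    for domain, backend, msg in idmap_findings(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"idmap domain {domain!r} (backend={backend}): {msg}")
    failures = failed_auth_by_user(SAMPLE_LOG)
    for account, n in failures.most_common():
        print(f"{n:6d}  {account}")
    print(f"machine-account share: {machine_account_share(failures):.0%}")
```

Run against the real `/etc/samba/smb.conf` and `/var/log/samba/log.smbd` (paths assumed; use the ones `testparm -v` and `log file` report on the host) the per-account counts identify which clients are hammering the server, and a high machine-account share points at host accounts rather than users being unmappable.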