[Samba] System load problem with samba 4.4.2 caused by many ntlm auth client requests
Rowland Penny
rpenny at samba.org
Mon Oct 2 14:41:54 UTC 2017
On Mon, 2 Oct 2017 14:51:54 +0200
Rainer Krienke via samba <samba at lists.samba.org> wrote:
> Hello,
> ....
> [2017/10/02 11:07:47.046715, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [HOSTNAME$] ->
> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER
>
It looks fairly obvious to me, the Samba machine doesn't know the user
trying to connect.
>
> All these Windows clients are domain clients of our local Windows
> domain "MYREALM.UNI-KOBLENZ.DE" served by a real Windows domain
> server. From a user's point of view everything works fine, although
> things could still speed up if the load was lower.
>
> The really strange thing about this problem is that it occurred first
> about 2 weeks ago, but in this time there was no new samba version
> installed or any change in configuration. The time before, the load
> went up to 5 or 10 but not more.
Has anything changed on the Windows machines? Any updates etc.?
>
> Here is my smb.conf without shares:
>
> [global]
> workgroup = MYREALM
> domain master = no
> local master = no
> preferred master = no
> ntlm auth = no
> lanman auth = no
> lm announce = no
> encrypt passwords = Yes
> unix extensions = no
> wide links = yes
> kernel oplocks = no
> oplocks = yes
> posix locking = no
> blocking locks = no
> acl allow execute always = yes
> socket options = TCP_NODELAY
> max open files = 32808
> read raw = yes
> write raw = yes
> max xmit = 262144
> dead time = 15
> getwd cache = yes
> stat cache = yes
> disable netbios = yes
> smb ports = 445
>
> dos charset = CP850
> unix charset = CP850
> name resolve order = host wins bcast
> passdb backend = tdbsam
> vfs objects = fileid
>
> realm = MYREALM.UNI-KOBLENZ.DE
> security = ADS
> map untrusted to domain = yes
> map to guest = never
> idmap config MYREALM : backend = nss
> idmap config MYREALM : range = 0-2000000
> idmap config MYREALM : read only = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000000-4000000
> idmap config * : read only = no
>
Is there any reason for using the idmap_nss backend?
With this, you need users on the Samba machine with the same name as
the Domain users i.e. for DOMAIN\jsmith there must be a Unix user
called jsmith.
I would suggest you change it to:
idmap config MYREALM : backend = rid
idmap config MYREALM : range = 0-2000000
idmap config * : backend = tdb
idmap config * : range = 3000000-4000000
This would mean the users' and groups' IDs would change.
I think this is what is happening: a user is trying to connect, this
user doesn't have a corresponding Unix user, so gets rejected, even
though it is a valid domain user.
Rowland
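As an added example (not code from the thread, from Rowland, or from the Samba project), the script below aggregates check_ntlm_password results from a level-2 Samba log in the layout Rainer quoted, lists the machine accounts (names ending in `$`) rejected with NT_STATUS_NO_SUCH_USER, and works through the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID, as documented in idmap_rid(8)) behind the range Rowland suggests. Only the HOSTNAME$ line comes from the thread; the other log lines, the success-message layout, and the SIDs are constructed placeholders.

```python
"""Summarise Samba check_ntlm_password results and show idmap_rid mapping.

Added example for the thread above; not Samba code.  It reads log lines
in the level-2 layout quoted by Rainer (debug header on one line, the
check_ntlm_password message on the next) and counts, per mapped user,
how often authentication failed and with which NT_STATUS code.
"""
import re
from collections import Counter, defaultdict

# Failure message in the exact form quoted in the thread.
FAILED_RE = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[([^\]]*)\] -> "
    r"\[([^\]]*)\] FAILED with error (NT_STATUS_[A-Z_]+)"
)
# Success message; this layout is assumed, it does not appear in the thread.
OK_RE = re.compile(
    r"check_ntlm_password:\s+authentication for user \[([^\]]*)\] -> "
    r"\[([^\]]*)\] -> \[([^\]]*)\] succeeded",
    re.IGNORECASE,
)

# Constructed sample log.  The first two lines are the ones quoted in the
# thread (the header line is skipped by the parser); the rest are made up.
SAMPLE_LOG = [
    "[2017/10/02 11:07:47.046715, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)",
    "  check_ntlm_password: Authentication for user [HOSTNAME$] -> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER",
    "[2017/10/02 11:07:47.101002, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)",
    "  check_ntlm_password: Authentication for user [PC42$] -> [PC42$] FAILED with error NT_STATUS_NO_SUCH_USER",
    "[2017/10/02 11:07:48.000413, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)",
    "  check_ntlm_password: Authentication for user [HOSTNAME$] -> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER",
    "[2017/10/02 11:07:49.220871, 2] ../source3/auth/auth.c:301(auth_check_ntlm_password)",
    "  check_ntlm_password:  authentication for user [jsmith] -> [jsmith] -> [jsmith] succeeded",
    "[2017/10/02 11:07:50.330001, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)",
    "  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD",
]


def summarise_auth(lines):
    """Return {mapped_user: Counter({nt_status: count})}.

    Successful logons are recorded under the status NT_STATUS_OK so that
    one table shows the full picture per account.
    """
    per_user = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            _client_name, mapped_user, status = m.groups()
            per_user[mapped_user][status] += 1
            continue
        m = OK_RE.search(line)
        if m:
            per_user[m.group(2)]["NT_STATUS_OK"] += 1
    return per_user


def unknown_machine_accounts(per_user):
    """Machine accounts rejected as NO_SUCH_USER.

    This is the pattern Rowland points at: a valid domain account with no
    corresponding Unix user under idmap_nss.  Sorted for stable output.
    """
    return sorted(
        user for user, counts in per_user.items()
        if user.endswith("$") and counts["NT_STATUS_NO_SUCH_USER"] > 0
    )


def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside [low, high], which is when
    winbind would refuse to map the SID.  The SID is a placeholder value.
    """
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    summary = summarise_auth(SAMPLE_LOG)
    for user in sorted(summary):
        print(f"{user:12s} {dict(summary[user])}")
    print("machine accounts unknown to the box:", unknown_machine_accounts(summary))
    # Rowland's suggested range for MYREALM is 0-2000000.
    print("RID 1105 ->", rid_to_unix_id("S-1-5-21-1-2-3-1105", 0, 2000000))
```

Run against a real log with `summarise_auth(open("/var/log/samba/log.smbd").read().splitlines())`; the accounts returned by `unknown_machine_accounts` are the ones to check with `getent passwd` before and after switching the backend, since with idmap_rid the uid is computed from the RID rather than looked up by name.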