[Samba] System load problem with samba 4.4.2 caused by many ntlm auth client requests

Rowland Penny rpenny at samba.org
Wed Oct 4 07:53:00 UTC 2017 

On Wed, 4 Oct 2017 08:12:12 +0200
Rainer Krienke <krienke at uni-koblenz.de> wrote:

> Am 02.10.2017 um 16:41 schrieb Rowland Penny via samba:
> > On Mon, 2 Oct 2017 14:51:54 +0200
> > Rainer Krienke via samba <samba at lists.samba.org> wrote:
> > 
> >> Hello,
> >> ....
> >>  [2017/10/02 11:07:47.046715,  2]
> >> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> >> check_ntlm_password:  Authentication for user [HOSTNAME$] ->
> >> [HOSTNAME$] FAILED with error NT_STATUS_NO_SUCH_USER
> >>
> > 
> > It looks fairly obvious to me, the Samba machine doesn't know the
> > user trying to connect.
> > 
> 
> Hello,
> 
> Thanks for your answer. I doubt that this is a user authentication. On
> the system with the "ntlm every second auth" problem I saw the logged
> in user had his shares connected in smbstatus, and no user would be
> able to try to connect each second as the ntlm log messages indicate.
> 
> Moreover if this was a problem of a user trying to connect to a share,
> then I would expect to hear complaints from exactly those users where
> the connections obviously fail with the message from above. But there
> are no complaints. And as far as I understand windows and samba ADS
> security, authentication is done by the domaincontroller (which is not
> our smb server) via kerberos and not via ntlm.

You understand it wrong then ;-)
Yes, authentication ultimately comes from a DC, but your Unix domain
member has to ask if the user trying to connect is valid and the auth
type is set by the client and if is asking in 'ntlm' this will be
checked.

> 
> The guess of our windows admin is that the clients with this behaviour
> talk to the samba server like they should do to the domain controller
> for domain-client management. But on the domaincontroller there are no
> error messages or hints to what this is all about.

There wouldn't be any error messages on the DC, they are getting
rejected on the Unix domain member.

> 
> 
> > Is there any reason for using the idmap_nss backend ?
> > With this, you need users on the Samba machine with the same name as
> > the Domain users i.e. for DOMAIN\jsmith there must be a Unix user
> > called jsmith.
> 
> Yes this is true. We have many people at our sites working with
> windows and also people working with linux. Sometimes people are even
> using both systems. So all user-ids always exist on unix and windows,
> so that it does not matter on which system a file has been
> created/edited, it will be available on all systems with proper
> ownership and permissions.

Most people use idmap_ad or idmap_rid, this way you do not need the
users in /etc/passwd

> 
> > Has anything changed on the windows machines ? any updates etc.
> 
> Regular MS patches are always installed on the windows clients. So it
> might be such an patch that causes trouble, but after all you can't
> run windows without them....

You can run without the windows patches, but you would be a fool if you
did. If nothing has changed on the Unix machines, but you suddenly
started to get problems, I would look at what windows updates got
installed around the time the problems started.

Rowland

More information about the samba mailing list