[Samba] CLDAP using CPU alltime on Samba 4.8.4
Rowland Penny
rpenny at samba.org
Thu Nov 29 13:24:52 UTC 2018
On Thu, 29 Nov 2018 10:43:23 -0200
Rodrigo Sirio Coelho via samba <samba at lists.samba.org> wrote:
> Hi,
>
> My Samba AD-DC installation is using CPU all time on a process. I'm
> trying everything to fix it, but without success.
> It started when using it on Ubuntu 16.04, I upgraded to Ubuntu 18.04,
> and now Ubuntu 18.10, that is using Samba 4.8.4 and the problem
> persists.
>
> Using samba-tool process, I could see that the process using
> resources is CLDAP.
> I did samba-tool dbcheck --cross-ncs
> samba-tool dbcheck
> and no problem.
>
> samba-tool processes
> cldap_server 19864
>
> 19864 is the process with problem, related to cldap_server.
>
> My smb.conf is the following:
>
> # Global parameters
> [global]
> get quota command = /opt/bin/samba-btrfs-quota.sh
> rpc_daemon:fssd = fork
> registry shares = yes
> # include = registry
> # log level = 3 passdb:5 auth:5
> log level = 0
> template homedir = /home/%U
> # idmap uid = 500-10000000
> # idmap gid = 500-10000000
> idmap config DOMAIN : unix_nss_info = yes
> winbind use default domain = yes
> winbind nested groups = yes
> username map = /etc/samba/user.map
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
> allow dns updates
> acl allow execute always = yes
> wide links = yes
> unix extensions = no
> # allow insecure wide links = yes
> follow symlinks = yes
> workgroup = FRATAR
> netbios name = SERVER
> os level = 20
> preferred master = yes
> # idmap config * : backend = tdb
> # idmap config * : range = 1000000 - 1999999
> # idmap config FRATAR : backend = rid
> # idmap config FRATAR : range = 10000 - 999999
> # idmap config FRATAR : schema mode = rfc2307
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> wins support = true
> winbind nss info = rfc2307
> tls enabled = yes
> # winbind trusted domains only = yes
> ldap server require strong auth = no
> server role = active directory domain controller
> allow insecure wide links = yes
> template shell = /bin/bash
> realm = FRATAR.LOCAL
> winbind enum users = true
> winbind enum groups = true
> # host msdfs = yes
> [netlogon]
> path = /var/lib/samba/sysvol/fratar.local/scripts
> read only = No
> vfs objects = btrfs
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> vfs objects = btrfs
> [proxmox]
> path = /mnt/backupinterno/proxmox
> read only = No
> # follow symlinks = yes
> # wide links = yes
> vfs objects = btrfs
> dont descend = .snapshots
> [fratar]
> path = /mnt/fratar-btrfs/Fratar
> read only = No
> follow symlinks = yes
> wide links = yes
> # vfs objects = recycle btrfs
> vfs objects = snapper btrfs
> dont descend = .snapshots
> # vfs objects = recycle shadow_copy2 btrfs
> # shadow:sort = desc
> # shadow:basedir = /mnt/fratar-btrfs/Fratar
> # shadow:snapdir = /mnt/fratar-btrfs/.snapshots/Fratar
> # shadow:format = SNAPFratar_%Y%m%d%H%M
> # recycle:repository = /mnt/fratar-btrfs/Fratar/lixeira/%U
> # recycle:touch = Yes
> # recycle:keeptree = Yes
> # recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
> # recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP
> [backup]
> path = /mnt/backupinterno/BACKUP
> vfs objects = btrfs
> read only = No
>
> [backup-modelle]
> path = /mnt/backupinterno/BACKUP/BACKUP-MODELLE
> vfs objects = btrfs
> read only = No
>
> [profiles]
> path = /mnt/fratar-btrfs/profiles
> read only = No
> hide files = /desktop.ini/$RECYCLE.BIN/
> vfs objects = btrfs
> [users]
> path = /mnt/fratar-btrfs/users
> read only = No
> vfs objects = btrfs
>
I would start by removing these lines from [global]:

    idmap config DOMAIN : unix_nss_info = yes
    winbind use default domain = yes
    username map = /etc/samba/user.map
    os level = 20
    preferred master = yes
    wins support = true
    winbind nss info = rfc2307
    winbind nested groups = yes
    follow symlinks = yes
    tls enabled = yes
    winbind enum users = true
    winbind enum groups = true

They are either defaults, slow things down or shouldn't be in a DC
smb.conf.

I would also remove the server services line, this is again a default.

Do you have any shares in a registry?
If not, remove 'registry shares = yes'.

Do you really need 'wide links'?
If not, remove:

    allow insecure wide links = yes
    wide links = yes
    unix extensions = no

The line 'allow dns updates' isn't complete, there should be a '='
followed by a value, see 'man smb.conf'.

By repeatedly setting 'vfs objects = btrfs' you are turning off the
default dfs_samba4 and acl_xattr vfs objects.

Rowland
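
The checks in the reply above can be run mechanically over an smb.conf. This is an added example, not part of the original message or of Samba: a Python audit that flags the [global] lines the reply lists, lines with no '=', and 'vfs objects' settings that leave out dfs_samba4 or acl_xattr. The names norm, audit and SAMPLE are made up for this example, and the sample configuration is constructed from the one quoted in the thread.

```python
import re

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return "".join(name.lower().split())

# Lines the reply says to remove from [global] on a DC (copied from the message).
REMOVE = {norm(k) for k in (
    "idmap config DOMAIN : unix_nss_info", "winbind use default domain",
    "username map", "os level", "preferred master", "wins support",
    "winbind nss info", "winbind nested groups", "follow symlinks",
    "tls enabled", "winbind enum users", "winbind enum groups",
    "server services")}
# Lines the reply says to remove unless they are really needed.
REVIEW = {norm(k) for k in ("registry shares", "allow insecure wide links",
                            "wide links", "unix extensions")}
DC_VFS = {"dfs_samba4", "acl_xattr"}  # DC default modules named in the reply

def audit(text):
    """Return (section, line number, finding) for each flagged smb.conf line."""
    out, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1).strip().lower()
        elif "=" not in line:
            out.append((section, no, f"incomplete (no '='): {line}"))
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            mods = set(re.split(r"[\s,]+", value))
            if section == "global" and norm(key) in REMOVE:
                out.append((section, no, f"remove: {key}"))
            elif section == "global" and norm(key) in REVIEW:
                out.append((section, no, f"review: {key}"))
            elif norm(key) == "vfsobjects" and (lost := DC_VFS - mods):
                out.append((section, no, "vfs objects omits " + ", ".join(sorted(lost))))
    return out

# Constructed sample, abridged from the configuration quoted in the message.
SAMPLE = """[global]
workgroup = FRATAR
wins support = true
wide links = yes
allow dns updates
[sysvol]
vfs objects = btrfs
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Backslash line continuations are not joined, so a wrapped value would be reported as a line with no '='.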