[Samba] CLDAP using CPU alltime on Samba 4.8.4

Rowland Penny rpenny at samba.org
Thu Nov 29 13:24:52 UTC 2018 

On Thu, 29 Nov 2018 10:43:23 -0200
Rodrigo Sirio Coelho via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> My Samba AD-DC installation is using CPU all time on a process. I'm
> trying everything to fix it, but without success.
> It started when using it on Ubuntu 16.04, I upgraded o Ubuntu 18.04,
> and now Ubuntu 18.10, that is using Samba 4.8.4 and the problem
> persist.
> 
> Using samba-tool process, I could see that the process using
> resources is CLDAP.
> I did samba-tool dbcheck --cross-ncs
> samba-tool dbcheck
> and no problem.
> 
> samba-tool processes
> cldap_server           19864
> 
> 19864 is the process with problem, related to cldap_server.
> 
> My smb.conf is the following:
> 
> # Global parameters
> [global]
>         get quota command = /opt/bin/samba-btrfs-quota.sh
>         rpc_daemon:fssd = fork
>         registry shares = yes
> #       include = registry
> #       log level = 3 passdb:5 auth:5
>         log level = 0
>         template homedir = /home/%U
> #       idmap uid = 500-10000000
> #       idmap gid = 500-10000000
>         idmap config DOMAIN : unix_nss_info = yes
>         winbind use default domain = yes
>         winbind nested groups = yes
>         username map = /etc/samba/user.map
>         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>         allow dns updates
>         acl allow execute always = yes
>         wide links = yes
>         unix extensions = no
> #       allow insecure wide links = yes
>         follow symlinks = yes
>         workgroup = FRATAR
>         netbios name = SERVER
>         os level = 20
>         preferred master = yes
> #       idmap config * : backend = tdb
> #       idmap config * : range = 1000000 - 1999999
> #       idmap config FRATAR : backend = rid
> #       idmap config FRATAR : range = 10000 - 999999
> #       idmap config FRATAR : schema mode = rfc2307
>         dns forwarder = 8.8.8.8
>         idmap_ldb:use rfc2307 = yes
>         wins support = true
>         winbind nss info = rfc2307
>         tls enabled = yes
> #       winbind trusted domains only = yes
>         ldap server require strong auth = no
>         server role = active directory domain controller
>         allow insecure wide links = yes
>         template shell = /bin/bash
>         realm = FRATAR.LOCAL
>         winbind enum users = true
>         winbind enum groups = true
> #       host msdfs = yes
> [netlogon]
>         path = /var/lib/samba/sysvol/fratar.local/scripts
>         read only = No
>         vfs objects = btrfs
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         vfs objects = btrfs
> [proxmox]
>         path = /mnt/backupinterno/proxmox
>         read only = No
> #       follow symlinks = yes
> #       wide links = yes
>         vfs objects = btrfs
>         dont descend = .snapshots
> [fratar]
>         path = /mnt/fratar-btrfs/Fratar
>         read only = No
>         follow symlinks = yes
>         wide links = yes
> #       vfs objects = recycle btrfs
>         vfs objects = snapper btrfs
>         dont descend = .snapshots
> #       vfs objects = recycle shadow_copy2 btrfs
> #       shadow:sort = desc
> #       shadow:basedir = /mnt/fratar-btrfs/Fratar
> #       shadow:snapdir = /mnt/fratar-btrfs/.snapshots/Fratar
> #       shadow:format = SNAPFratar_%Y%m%d%H%M
> #       recycle:repository = /mnt/fratar-btrfs/Fratar/lixeira/%U
> #       recycle:touch = Yes
> #       recycle:keeptree = Yes
> #       recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
> #       recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP
> [backup]
>         path = /mnt/backupinterno/BACKUP
>         vfs objects = btrfs
>         read only = No
> 
> [backup-modelle]
>         path = /mnt/backupinterno/BACKUP/BACKUP-MODELLE
>         vfs objects = btrfs
>         read only = No
> 
> [profiles]
>         path = /mnt/fratar-btrfs/profiles
>         read only = No
>         hide files = /desktop.ini/$RECYCLE.BIN/
>         vfs objects = btrfs
> [users]
>         path = /mnt/fratar-btrfs/users
>         read only = No
>         vfs objects = btrfs
> 

I would start by removing these lines from [global]:

        idmap config DOMAIN : unix_nss_info = yes
        winbind use default domain = yes
        username map = /etc/samba/user.map
        os level = 20
        preferred master = yes
        wins support = true
        winbind nss info = rfc2307
        winbind nested groups = yes
        follow symlinks = yes
        tls enabled = yes
        winbind enum users = true
        winbind enum groups = true

They are either defaults, slow things down or shouldn't be in a DC
smb.conf

I would also remove the server services line, this is again a default.

Do you have any shares in a registry ?
If not remove 'registry shares = yes'

Do you really need 'wide links' ?
If not remove:

        allow insecure wide links = yes
        wide links = yes
        unix extensions = no

The line 'allow dns updates' isn't complete, there should a '='
followed by a value, see 'man smb.conf'

By repeatedly setting 'vfs objects = btrfs' you are turning off the
default dfs_samba4 and acl_xattr vfs objects.

Rowland

More information about the samba mailing list