[Samba] Samba 4.9.4 - high RAM usage - OOM killer

Laurent CARON lcaron at unix-scripts.info
Mon Jan 28 10:45:43 UTC 2019


We upgraded a legacy (NT4) domain from 3.6 series to 4.8 and then 4.9.4 
samba version (using sernet subscription packages / debian stable)

The setup is composed of 4 DCs with each 2 CPU/16GB RAM.

We currently have ~700 user accounts / ~600 computers / ~150 groups

Our mail setup, SSO, ... query the 4 DCs constantly.

Every 5 to 10 days the RAM consumption and CPU usage (due to kswapd) are 

This leads to OOM killer killing samba processes

kernel: [765104.826327] samba invoked oom-killer: 
gfp_mask=0x24201ca(GFP_HIGHUSER_MOVABLE|__GFP_COLD), nodemask=0, 
order=0, oom_score_adj=0
kernel: [765104.826355]  [<ffffffff8c3871ba>] ? oom_kill_process+0x21a/0x3e0
kernel: [765104.826357]  [<ffffffff8c386e3d>] ? oom_badness+0xed/0x170
kernel: [765104.826455] [ pid ]   uid  tgid total_vm      rss nr_ptes 
nr_pmds swapents oom_score_adj name


kernel: [861216.518771] Out of memory: Kill process 603 (samba) score 3 
or sacrifice child
kernel: [861356.048484]  [<ffffffff8c387651>] ? out_of_memory+0x111/0x470

samba[614]:   ../source4/dsdb/kcc/kcc_periodic.c:768: Failed samba_kcc - 

Once this happens, the affected DC is unresponsive for all samba 
authentication processes (including LDAP).

A reboot of the affected VM 'cures' the issue, but only for a short 
amount of time (5 to 10 days).

Apart from either restarting samba processes on a daily basis, or 
rebooting the DCs, is there a way to:

- pinpoint the root cause of the memory consumption (leak, corrupted DB, 

- have the DCs use a more 'normal' amount of RAM ?


Please note:

# samba-tool drs kcc

# samba-tool dbcheck --cross-ncs

are not showing any errors


passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files


         netbios name = VS-DC-001
         realm = CORP.MYDOMAIN
         workgroup = SAMBA

         log file = /var/log/samba/samba.log.%m
         log level = 1 auth_audit:3 auth_json_audit:3
         max log size = 50000
         debug timestamp = yes
         dns forwarder =
         server role check:inhibit=yes
         ldap server require strong auth = no
         wins support = yes
         server role = active directory domain controller
         check password script = /usr/local/bin/crackcheck -c -d 
         idmap_ldb:use rfc2307 = yes
         server schannel = auto

         path = /var/lib/samba/sysvol/corp.lncsa.com/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

# du -shxc sam.ldb*
4.1M    sam.ldb
132M    sam.ldb.d
136M    total

Samba packages:

ii  samba                            99:4.9.4-10  amd64 Glue package for 
ii  samba-common                     99:4.9.4-10  all Glue package for 
ii  samba-common-bin                 99:4.9.4-10  amd64 Glue package for 
ii  sernet-samba                     99:4.9.4-10  amd64 SMB/CIFS file, 
print, and login server for Unix
ii  sernet-samba-ad                  99:4.9.4-10  amd64 Samba Active 
Directory Domain Controller
ii  sernet-samba-client              99:4.9.4-10  amd64        a 
LanManager-like simple client for Unix
ii  sernet-samba-common              99:4.9.4-10  all Samba common files 
used by both the server and the client
ii  sernet-samba-libs:amd64          99:4.9.4-10  amd64 Samba common 
library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64 99:4.9.4-10  amd64 Shared library 
that allows applications to talk to SMB servers
ii  sernet-samba-winbind             99:4.9.4-10  amd64 Samba 
nameservice integration server

More information about the samba mailing list