[Samba] CPU 100% smbd 4.9.5 debian buster

Francesc Guasch frankie at telecos.upc.edu
Mon Feb 15 12:39:35 UTC 2021 

Hi. I have a samba server that suddenly gets smbd
processes at 100% and becomes unusable.

This is samba release 2:4.9.5+dfsg-5+deb10u1
in this host:

Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-14-amd64

We use only LDAP backend.

The process at 100% are smbd, but they won't show
up in "samba-tool processes". Only that:
notify-daemon           2764

If I check ps I see:
/usr/sbin/smbd --foreground --no-process-group

I tried removing the firewall, I also checked:
samba-tool drs, I get this error but I think it is
normal because we have no ADS:

NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection

I managed to get a
stack trace from one of those processes:

#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fbe6baf2535 in __GI_abort () at abort.c:79
#2  0x00007fbe6c4319e3 in dump_core () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#3  0x00007fbe6c41e22b in smb_panic_s3 () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#4  0x00007fbe6c7fe9df in smb_panic () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#5  0x00007fbe6c7fec16 in ?? () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#6  <signal handler called>
#7  0x00007fbe6c8646fe in __GI___pthread_mutex_lock (mutex=0x55c78fd27c50) at ../nptl/pthread_mutex_lock.c:80
#8  0x00007fbe6aae53e9 in ?? () from /lib/x86_64-linux-gnu/libgnutls.so.30
#9  0x00007fbe6aab962b in gnutls_record_send2 () from /lib/x86_64-linux-gnu/libgnutls.so.30
#10 0x00007fbe6b3d03a2 in ?? () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#11 0x00007fbe6b282108 in ?? () from /lib/x86_64-linux-gnu/liblber-2.4.so.2
#12 0x00007fbe6b283411 in ber_int_sb_write () from /lib/x86_64-linux-gnu/liblber-2.4.so.2
#13 0x00007fbe6b27fb2b in ber_flush2 () from /lib/x86_64-linux-gnu/liblber-2.4.so.2
#14 0x00007fbe6b3bcfa1 in ldap_int_flush_request () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#15 0x00007fbe6b3bd27f in ldap_send_server_request () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#16 0x00007fbe6b3bd5f1 in ldap_send_initial_request () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#17 0x00007fbe6b3b21dc in ldap_sasl_bind () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#18 0x00007fbe6b3b262a in ldap_sasl_bind_s () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#19 0x00007fbe6b3b2eb0 in ldap_simple_bind_s () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#20 0x00007fbe6afb4d69 in ?? () from /lib/x86_64-linux-gnu/libsmbldap.so.2
#21 0x00007fbe6afb5ade in ?? () from /lib/x86_64-linux-gnu/libsmbldap.so.2
#22 0x00007fbe6afb624f in smbldap_search () from /lib/x86_64-linux-gnu/libsmbldap.so.2
#23 0x00007fbe6afb62a9 in smbldap_search_suffix () from /lib/x86_64-linux-gnu/libsmbldap.so.2
#24 0x00007fbe6af93add in smbldap_search_domain_info () from /usr/lib/x86_64-linux-gnu/samba/libsmbldaphelper.so.0
#25 0x00007fbe6c0b7ede in ?? () from /lib/x86_64-linux-gnu/libsamba-passdb.so.0
#26 0x00007fbe6c0d4748 in make_pdb_method_name () from /lib/x86_64-linux-gnu/libsamba-passdb.so.0
#27 0x00007fbe6c0d4a1e in ?? () from /lib/x86_64-linux-gnu/libsamba-passdb.so.0
#28 0x00007fbe6c0d6d19 in initialize_password_db () from /lib/x86_64-linux-gnu/libsamba-passdb.so.0
#29 0x00007fbe6c63932e in smbd_reinit_after_fork () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#30 0x000055c78e2a7b3f in ?? ()
#31 0x00007fbe6bc9803f in tevent_common_invoke_fd_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
#32 0x00007fbe6bc9e05f in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#33 0x00007fbe6bc9c2d7 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#34 0x00007fbe6bc977e4 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0

And here is an edited smb.conf

netbios name =  alu-a2
workgroup = ALU
realm = aluete.example.com
interfaces = 127.0.0.1 192.168.68.7 192.168.81.8 192.168.68.11
debug level = 4
log file = /var/log/samba/%m.log
max log size = 25
#socket options = IPTOS_LOWDELAY TCP_NODELAY
load printers = no
keepalive = 600
deadtime = 120
os level = 99
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
server max protocol = NT1
ldap admin dn = "cn=admin,dc=example,dc=com"
smbpasswd:/etc/samba/smbpasswd
ldap ssl = off
ldap passwd sync = yes
passdb backend = ldapsam:ldaps://mero.example.com/
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = ou=ALUETE,ou=EXAMPLEBCN,dc=example,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -W -t 0 "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
logon path = \\%L\profiles\%U
logon drive = l:
logon home = \\%N\%U
logon script = logon.bat
remote announce = 192.168.81.255 10.1.36.255
wins support = yes
algorithmic rid base = 1000
dns proxy = yes
hosts allow = 192.168.68.  192.168.36. 127.
security = user
max disk size = 60
guest account = nobody
ntlm auth = yes
lanman auth = yes
client ntlmv2 auth = yes
load printers = no

[IPC$]
    path = /tmp
    hosts allow= 10.0.36.0/24, 192.168.36.0/25, 192.168.36.128/25, 192.168.68.0/24, 192.168.81.0/24, 127.0.0.1/32 10.0.68.0/24 10.1.36.0/24
    hosts deny = 0.0.0.0/0

[netlogon]
    path = /samba/netlogon
    read only = yes
    browseable = Yes
    writable = No
    public = No

[profiles]
    path = /samba/profiles
    read only = no
    guest ok = Yes
    create mask = 0600
    directory mask = 0700

[homes]
    Comment = Home Directories
    read only = No
    force create mode = 0700
    browseable = No
    fake oplocks = yes

More information about the samba mailing list