[Samba] How to diagnose a busy LDAP server process in the Samba AD DC

Andrew Bartlett abartlet at samba.org
Mon Mar 11 00:31:35 UTC 2024


Thanks for getting back to me.

It seems to me the LDAP process being busy would be the root cause
here.  Working out what is going on here is a detective task
- I always start with a Wireshark trace.  The client making all the
noise/traffic will be the one causing the trouble.

If it isn't clear from that, then look into the DB audit logging for
perhaps busy writes:
https://wiki.samba.org/index.php/Setting_up_Audit_Logging#Enabling_AD_DC_Database_Audit_Logging

Finally, set 'log level = 5' and look for logs like: LDAP Query:
Duration was 

This will tell you about how long each query is taking, potentially
showing a particularly slow query that needs to be stopped.

Andrew Bartlett

On Sun, 2024-03-10 at 19:46 -0300, Elias Pereira wrote:
> > Is the drepl local processes very busy doing inbound replication?
> 
> How can I check this?
> 
> > My instinct is either the server is very busy (and this should show
> > up in CPU use) or a transaction is being held open excessively.
>  
> I use VMs on Proxmox. In DC1, I installed the Proxmox agent, and CPU
> usage via the dashboard is very low. However, when I checked using
> 'top,' the LDAP process is consuming around 94/96% of the CPU. Very
> strange.

It is probably 94% of a single CPU, but you might have 8 CPUs in the
VM, so overall use is low. 
> The VM has 4 CPUs and 6GB of memory.
> 
> 
> 
> On Sun, Mar 10, 2024 at 5:55 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
> > Either the local server is busy, or possibly (but it would not
> > explain the samba_kcc) Samba's drepl process is stuck talking to a
> > remote server.
> > 
> > Is the drepl local processes very busy doing inbound replication?  
> > 
> > My instinct is either the server is very busy (and this should show
> > up in CPU use) or a transaction is being held open excessively. 
> > 
> > Andrew Bartlett
> > 
> > On Sat, 2024-03-09 at 19:11 -0300, Elias Pereira via samba wrote:
> > > I've been grappling with a recurring set of errors for quite some
> > > time now:
> > > - UpdateRefs failed with NT_STATUS_IO_TIMEOUT
> > > - Failed samba_kcc - NT_STATUS_IO_TIMEOUT
> > > - IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
> > > 
> > > Despite cranking up the log level to 10, the returned information
> > > remains frustratingly cryptic and hard to decipher.
> > > 
> > > This error, being overly generic, continues to elude
> > > identification even with the heightened log verbosity. The
> > > challenge lies in tracing its origin.
> > > 
> > > Running samba-tool dbcheck doesn't reveal any problems, yet
> > > executing the command while monitoring the Samba log with "tail
> > > -f" exposes errors identical to those described above.
> > > 
> > > Interestingly, samba-tool drs showrepl doesn't report any errors.
> > > 
> > > So, what additional steps can be taken to unearth the root
> > > cause of these persistent NT_STATUS_IO_TIMEOUT errors?
> > > 
> > > > On Fri, Mar 1, 2024 at 10:32 PM Elias Pereira <empbilly at gmail.com>
> > > > wrote:
> > > > > > There is probably nothing wrong with your log, but Firefox
> > > > > > doesn't like it, it thinks it contains a virus.
> > > > > 
> > > > > I just saw now that your response ended up in spam, probably
> > > > > because of the link with the log. O.o
> > > > > 
> > > > > I still receive the error in the logs:
> > > > > source4/dsdb/kcc/kcc_periodic.c:790: Failed samba_kcc -
> > > > > NT_STATUS_IO_TIMEOUT
> > > > > 
> > > > > The strangest thing is that it occurs when the command is
> > > > > executed:
> > > > > samba-tool dbcheck --cross-ncs --fix --yes
> > > > > 
> > > > > Could it be some object causing this error?
> > > > > 
> > > > On Mon, Feb 12, 2024 at 4:40 PM Rowland Penny via samba <
> > > > samba at lists.samba.org> wrote:
> > > > > > On Mon, 12 Feb 2024 16:20:27 -0300 Elias Pereira via samba <
> > > > > > samba at lists.samba.org> wrote:
> > > > > > > hi,
> > > > > > > My saga continues...
> > > > > > > I've configured the audit log for drs_repl in smb.conf, and
> > > > > > > below is the log generated.
> > > > > > > https://transfer.sh/7fen4qCNIQ/drs_repl.log
> > > > > > > 
> > > > > > > The log level was 5.
> > > > > > > drs_repl:5@/var/log/samba/drs_repl.log
> > > > > > > Could someone take a look and help me understand the log?
> > > > > > 
> > > > > > There is probably nothing wrong with your log, but Firefox
> > > > > > doesn't like it, it thinks it contains a virus.
> > > > > Rowland
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > > -- Elias Pereira
> > > 
> > > -- Elias Pereira
> > -- 
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead                
> > https://catalyst.net.nz/services/samba
> > Catalyst.Net Ltd
> > 
> > 
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> > 
> > Samba Development and Support: 
> > https://catalyst.net.nz/services/samba
> > 
> > Catalyst IT - Expert Open Source Solutions
> > 
> > 
> > 
> 
> -- 
> Elias Pereira
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
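
The last step suggested above (raise the log level and look for "LDAP Query: Duration was" lines) can be turned into a quick triage script. This is an added example, not part of the original email and not Samba code; it assumes the message continues with a decimal number of seconds, treats the rest of the line as an opaque query description, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Assumption: the message continues with a decimal number of seconds; whatever
# follows on the line is treated as an opaque description of the query.
DURATION_RE = re.compile(
    r"LDAP Query: Duration was\s+(\d+(?:\.\d+)?)s?[,;:]?\s*(.*)")

def summarize_ldap_durations(lines, slow_seconds=1.0):
    """Group duration lines by query text; return rows sorted by total time."""
    stats = defaultdict(lambda: {"count": 0, "total": 0.0, "max": 0.0})
    for line in lines:
        match = DURATION_RE.search(line)
        if not match:
            continue  # not a duration line (other level-5 noise)
        seconds = float(match.group(1))
        query = match.group(2).strip() or "(no detail logged)"
        entry = stats[query]
        entry["count"] += 1
        entry["total"] += seconds
        entry["max"] = max(entry["max"], seconds)
    rows = [{"query": q, "count": s["count"], "total": round(s["total"], 3),
             "max": s["max"], "slow": s["max"] >= slow_seconds}
            for q, s in stats.items()]
    # Highest cumulative time first: catches one slow query and chatty clients.
    return sorted(rows, key=lambda r: r["total"], reverse=True)

# Constructed sample lines; the text after the duration is made up for the
# example and is not copied from real Samba output.
SAMPLE_LOG = """\
  LDAP Query: Duration was 0.02s, sample query A
  LDAP Query: Duration was 0.03s, sample query A
  LDAP Query: Duration was 12.50s, sample query B
  unrelated log line
  LDAP Query: Duration was 0.01s, sample query A
"""

if __name__ == "__main__":
    for row in summarize_ldap_durations(SAMPLE_LOG.splitlines()):
        flag = "SLOW" if row["slow"] else "    "
        print(f'{flag} total={row["total"]:8.2f}s max={row["max"]:6.2f}s '
              f'n={row["count"]:4d}  {row["query"]}')
```

Sorting by cumulative time surfaces both a single long-running query and a cheap query repeated often enough to keep one CPU busy.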

