[Samba] Error SAMBA4.19.2

Kees van Vloten keesvanvloten at gmail.com
Wed Oct 9 07:55:47 UTC 2024


On 09-10-2024 01:27, Gabriel via samba wrote:
> Thanks, Douglas.
>
> Due to these recurring incidents, we have migrated the entire SAMBA 4 farm
> (11 domain controllers) to version 4.20.5.
>
> We have realized that the current issue is caused by LDAP queries,
> primarily coming from port 3269 (Global Catalog). There is a proxy service
> that queries our domain controller to authenticate the user and authorize
> access via security groups, assigning the corresponding navigation profile.
>
> During peak demand hours, this service temporarily delegates tasks, driving
> the CPU usage of all controllers to 100% due to the prefork ldap process.
>
> We are currently working with the owner of this service to optimize queries
> to our Global Catalog. The query is currently composed as follows:
>
> User logon ID attribute: uid
> First name attribute: givenname
> Last name attribute: sn
> Group attribute: cn
> MemberOf attribute: memberOf
> User search filter: (objectclass=person)
> Group search filter: (cn=INT*)
> Domain search filter:
> (|(objectclass=organizationalUnit)(objectclass=organization)(objectclass=domain))
> User's group search filter: (|(member=%dn)(uniquemember=%dn))
>
> Unfortunately, on the Samba4 side, we cannot prevent this behavior. We have
> increased the number of preforks and attempted to configure LDAP caching,
> but all attempts have recently.
If this is something that can be achieved with openldap (which I don't
know), you might consider putting an openldap-proxy between the
application and Samba-AD.

I am using different openldap-proxies to allow anonymous queries from 
certain printers and another to enforce very limited sub-DN visibility 
from less trusted network zones. That works fine, I have never looked at 
its caching options but it might be worth checking.

- Kees.

>
> Thanks.
> Gabriel
>
>
>
> On Tue, 8 Oct 2024 at 19:26, Douglas Bagnall (<
> douglas.bagnall at catalyst.net.nz>) wrote:
>
>> hi Gabriel,
>>
>>>> /usr/local/samba/private/sam.ldb: Error (24) Too many open files -
>> I have not seen other reports of 4.19 or similar versions running out of
>> open files, so I suspect it is a peculiarity of your machine.
>>
>> This message from 2018 has some hints for diagnosis and fixes:
>>
>> https://lists.samba.org/archive/samba/2018-April/215130.html
>>
>> And you could also look at the output of `lsof` to see what has which
>> files open.
>>
>> If it does seem like Samba is leaking files, please tell us!
>>
>> cheers,
>> Douglas
>>
>>
>> On 4/10/24 03:26, Gabriel via samba wrote:
>>> Good evening,
>>>
>>>> We have been dealing with an incident for several weeks during peak load
>>>> times, either due to authentications or service accesses that rely on Samba
>>>> 4 AD. Below are the details of the current Samba version and OS:
>>>>
>>>> **Samba version 4.19.2**
>>>>
>>>> ```bash
>>>> ~$ uname -r
>>>> 5.15.0-41-generic
>>>> ~$ sudo lsb_release
>>>> No LSB modules are available.
>>>> ~$ sudo lsb_release -a
>>>> No LSB modules are available.
>>>> Distributor ID: Ubuntu
>>>> Description:    Ubuntu 20.04.2 LTS
>>>> Release:        20.04
>>>> Codename:       focal
>>>> ```
>>>>
>>>> The first error that appeared in the logs since September 10 is as follows:
>>>>
>>>> ```
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.301924,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module encrypted_secrets
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module group_audit_log
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module repl_meta_data
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module subtree_delete
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module aclread
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module acl initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module descriptor
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module objectclass
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module audit_log
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module asq initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module server_sort
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module vlv initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module dsdb_paged_results
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module dirsync
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module schema_load
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module dsdb_notification
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module rootdse
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: module samba_dsdb
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]:   ldb: Unable to load modules for
>>>> /usr/local/samba/private/sam.ldb: Error (24) Too many open files -
>>>> Opening
>>>> encrypted_secrets key file
>>>> ```
>>>>
>>>> The current configuration file is:
>>>>
>>>> ```
>>>> # Global parameters
>>>> [global]
>>>>           bind interfaces only = Yes
>>>>           dns forwarder = x.x.x.x x.x.x.x
>>>>           interfaces = lo ens3
>>>>           netbios name = xxxxxx
>>>>           realm = xxxxxx
>>>>           server role = active directory domain controller
>>>>           workgroup = xxxxx
>>>>
>>>>           tls enabled  = yes
>>>>           tls keyfile  = /usr/local/xxxxx/private/tls/key.pem
>>>>           tls certfile = /usr/local/xxxxx/private/tls/cert.pem
>>>>           tls cafile   = /usr/local/xxxxx/private/tls/ca.pem
>>>>
>>>>           log level = 1 dsdb_json_audit:2 dsdb_password_json_audit:2
>>>> dsdb_group_json_audit:2 dsdb_transaction_json_audit:2 auth_json_audit:3@
>>>> /usr/local/samba/var/log.samba
>>>>           max log size = 100000
>>>>
>>>>           tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>>>           restrict anonymous = 2
>>>>           disable netbios = yes
>>>>           smb ports = 445
>>>>           printcap name = /dev/null
>>>>           load printers = no
>>>>           disable spoolss = yes
>>>>           printing = bsd
>>>>
>>>> [sysvol]
>>>>           path = /usr/local/samba/var/locks/sysvol
>>>>           read only = No
>>>>
>>>> [netlogon]
>>>>           path = /usr/local/samba/var/locks/sysvol/xxxxxxx/scripts
>>>>           read only = No
>>>> ```
>>>>
>>>> From September 10 onwards, we have continuously seen errors similar to the
>>>> following in the event logs:
>>>>
>>>> ```
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.301924,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302148,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302159,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302169,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302179,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302192,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302365,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302387,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302398,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302408,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302417,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302426,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302439,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302459,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302649,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302672,  0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> ```
>>>>
>>>> We are actively looking for information regarding this error but have not
>>>> been able to pinpoint the root cause.
>>>>
>>>> Please feel free to reach out to me.
>>>>
>>
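
Following the `lsof` hint in the quoted reply, this added example (not code from the thread or from the Samba project) compares each process's open descriptors with its soft "Max open files" limit and summarises what the descriptors point at. The function names, the `PROC_ROOT` variable and the script name `fdcheck.sh` are assumptions; the process name `samba` is taken from the syslog tag in the quoted logs.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. PROC_ROOT is an assumption that lets the
# functions be pointed at a copy of /proc; it defaults to the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Number of descriptors a process has open (root is needed for other users' PIDs).
fd_count() {
    echo $(( $(ls -1 "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l) ))
}

# Soft RLIMIT_NOFILE: the limit behind "Error (24) Too many open files".
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits"
}

# Integer percentage of the limit in use; a non-numeric limit is reported as 0.
fd_pct() {
    case "$2" in
        '' | *[!0-9]* | 0) echo 0 ;;
        *) echo $(( $1 * 100 / $2 )) ;;
    esac
}

# What the descriptors point at, most common first (sockets collapse to "socket").
fd_targets() {
    local fd
    for fd in "$PROC_ROOT/$1/fd"/*; do readlink "$fd"; done 2>/dev/null |
        sed 's/:\[[0-9]*\]$//' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# One summary line per PID, flagged WARN at or above WARN_PCT (default 80).
fd_line() {
    local used limit pct flag=ok
    used=$(fd_count "$1"); limit=$(fd_soft_limit "$1"); pct=$(fd_pct "$used" "$limit")
    if [ "$pct" -ge "${2:-80}" ]; then flag=WARN; fi
    echo "pid=$1 fds=$used limit=$limit used=${pct}% $flag"
}

# Usage: ./fdcheck.sh samba   -> every process whose name is exactly "samba"
if [ "$#" -gt 0 ]; then
    for pid in $(pgrep -x "$1"); do
        fd_line "$pid"; fd_targets "$pid" | head -n 5
    done
fi
```

Run it during a peak period: a process dominated by `socket` entries is holding many client connections, while one dominated by database files is holding many handles on those files.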


