[Samba] Error SAMBA4.19.2
Kees van Vloten
keesvanvloten at gmail.com
Wed Oct 9 07:55:47 UTC 2024
On 09-10-2024 01:27, Gabriel via samba wrote:
> Thanks, Douglas.
>
> Due to these recurring incidents, we have migrated the entire SAMBA 4 farm
> (11 domain controllers) to version 4.20.5.
>
> We have realized that the current issue is caused by LDAP queries,
> primarily coming from port 3269 (Global Catalog). There is a proxy service
> that queries our domain controller to authenticate the user and authorize
> access via security groups, assigning the corresponding navigation profile.
>
> During peak demand hours, this service temporarily delegates tasks, driving
> the CPU usage of all controllers to 100% due to the prefork ldap process.
>
> We are currently working with the owner of this service to optimize queries
> to our Global Catalog. The query is currently composed as follows:
>
> User logon ID attribute: uid
> First name attribute: givenname
> Last name attribute: sn
> Group attribute: cn
> MemberOf attribute: memberOf
> User search filter: (objectclass=person)
> Group search filter: (cn=INT*)
> Domain search filter:
> (|(objectclass=organizationalUnit)(objectclass=organization)(objectclass=domain))
> User's group search filter: (|(member=%dn)(uniquemember=%dn))
>
> Unfortunately, on the Samba4 side, we cannot prevent this behavior. We have
> increased the number of preforks and attempted to configure LDAP caching,
> but all attempts have recently.
If this is something that can be achieved with openldap (which I don't
know), you might consider putting an openldap-proxy between the
application and Samba-AD.
I am using different openldap-proxies to allow anonymous queries from
certain printers and another to enforce very limited sub-DN visibility
from less trusted network zones. That works fine. I have never looked at
its caching options, but it might be worth checking.
- Kees.
>
> Thanks.
> Gabriel
>
>
>
> On Tue, 8 Oct 2024 at 19:26, Douglas Bagnall (<
> douglas.bagnall at catalyst.net.nz>) wrote:
>
>> hi Gabriel,
>>
>>>> /usr/local/samba/private/sam.ldb: Error (24) Too many open files -
>> I have not seen other reports of 4.19 or similar versions running out of
>> open files, so I suspect it is a peculiarity of your machine.
>>
>> This message from 2018 has some hints for diagnosis and fixes:
>>
>> https://lists.samba.org/archive/samba/2018-April/215130.html
>>
>> And you could also look at the output of `lsof` to see what has which
>> files open.
>>
>> If it does seem like Samba is leaking files, please tell us!
>>
>> cheers,
>> Douglas
>>
>>
>> On 4/10/24 03:26, Gabriel via samba wrote:
>>> Good evening,
>>>
>>>> We have been dealing with an incident for several weeks during peak load
>>>> times, either due to authentications or service accesses that rely on Samba
>>>> 4 AD. Below are the details of the current Samba version and OS:
>>>>
>>>> **Samba version 4.19.2**
>>>>
>>>> ```bash
>>>> ~$ uname -r
>>>> 5.15.0-41-generic
>>>> ~$ sudo lsb_release
>>>> No LSB modules are available.
>>>> ~$ sudo lsb_release -a
>>>> No LSB modules are available.
>>>> Distributor ID: Ubuntu
>>>> Description: Ubuntu 20.04.2 LTS
>>>> Release: 20.04
>>>> Codename: focal
>>>> ```
>>>>
>>>> The first error that appeared in the logs since September 10 is as follows:
>>>>
>>>> ```bash
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.301924, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module encrypted_secrets
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module group_audit_log
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module repl_meta_data
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module subtree_delete
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module aclread
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module acl initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module descriptor
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module objectclass
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module audit_log
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module asq initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module server_sort
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module vlv initialization
>>>> failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module dsdb_paged_results
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module dirsync
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module schema_load
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module dsdb_notification
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module rootdse
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: module samba_dsdb
>>>> initialization failed : Operations error
>>>> Sep 10 09:41:36 domain samba[1658021]: ldb: Unable to load modules for
>>>> /usr/local/samba/private/sam.ldb: Error (24) Too many open files -
>>>> Opening encrypted_secrets key file
>>>> ```
>>>>
>>>> The current configuration file is:
>>>>
>>>> ```bash
>>>> # Global parameters
>>>> [global]
>>>> bind interfaces only = Yes
>>>> dns forwarder = x.x.x.x x.x.x.x
>>>> interfaces = lo ens3
>>>> netbios name = xxxxxx
>>>> realm = xxxxxx
>>>> server role = active directory domain controller
>>>> workgroup = xxxxx
>>>>
>>>> tls enabled = yes
>>>> tls keyfile = /usr/local/xxxxx/private/tls/key.pem
>>>> tls certfile = /usr/local/xxxxx/private/tls/cert.pem
>>>> tls cafile = /usr/local/xxxxx/private/tls/ca.pem
>>>>
>>>> log level = 1 dsdb_json_audit:2 dsdb_password_json_audit:2
>>>> dsdb_group_json_audit:2 dsdb_transaction_json_audit:2 auth_json_audit:3@
>>>> /usr/local/samba/var/log.samba
>>>> max log size = 100000
>>>>
>>>> tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>>> restrict anonymous = 2
>>>> disable netbios = yes
>>>> smb ports = 445
>>>> printcap name = /dev/null
>>>> load printers = no
>>>> disable spoolss = yes
>>>> printing = bsd
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/xxxxxxx/scripts
>>>> read only = No
>>>> ```
>>>>
>>>> From September 10 onwards, we have continuously seen errors similar to the
>>>> following in the event logs:
>>>>
>>>> ```bash
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.301924, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302148, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302159, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302169, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302179, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302192, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302365, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302387, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302398, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302408, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302417, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302426, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302439, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302459, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302649, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>> Sep 10 09:41:36 domain samba[1658021]: [2024/09/10 09:41:36.302672, 0]
>>>> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>>>
>>>>
>>>> We are actively looking for information regarding this error but have not
>>>> been able to pinpoint the root cause.
>>>>
>>>> Please feel free to reach out to me.
>>>>
>>
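
The `lsof` check suggested in the quoted reply, as an added example that is not part of the thread or of Samba: it reads Linux `/proc` to compare each process's open descriptors against its soft `Max open files` limit and lists what the descriptors point at. The `samba` name prefix and the `fd_report` function name are assumptions; reading another user's `fd` directory needs root.

```python
import os
import re
from collections import Counter

# Soft limit column of the "Max open files" row in /proc/<pid>/limits.
LIMIT_RE = re.compile(r"^Max open files\s+(\d+)\s+\S+", re.M)

def fd_report(proc_root="/proc", name_prefix="samba"):
    """List matching processes with open-fd count, soft limit and top fd targets."""
    report = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            if not comm.startswith(name_prefix):  # assumed process name
                continue
            with open(os.path.join(base, "limits")) as f:
                match = LIMIT_RE.search(f.read())
            targets = Counter()
            fd_dir = os.path.join(base, "fd")
            for fd in os.listdir(fd_dir):
                try:
                    targets[os.readlink(os.path.join(fd_dir, fd))] += 1
                except OSError:
                    pass  # fd was closed while we were listing
        except OSError:
            continue  # process exited, or its files need root to read
        if match is None:
            continue  # limit is "unlimited" or the row is missing
        soft = int(match.group(1))
        used = sum(targets.values())
        report.append({
            "pid": int(pid), "comm": comm, "used": used, "soft": soft,
            "pct": round(100 * used / max(soft, 1), 1),
            "top": targets.most_common(3),
        })
    # Processes closest to "Error (24) Too many open files" come first.
    return sorted(report, key=lambda r: r["pct"], reverse=True)

if __name__ == "__main__":
    for row in fd_report():
        print(f'{row["pid"]:>8} {row["comm"]:<12} '
              f'{row["used"]}/{row["soft"]} ({row["pct"]}%)')
        for target, count in row["top"]:
            print(f"{'':>10}{count:>6}  {target}")
```

A process whose count keeps climbing toward its limit between runs, with the same target repeated many times, is the pattern worth reporting back to the list.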