Web lists-archives.com

Re: [Samba] Troubleshooting high CPU load




Hi Mark,

I'm investigating high CPU load on a domain member server (file server)
after an upgrade from 4.5.5 to 4.6.2. The problem continued after a
subsequent upgrade to 4.6.7.

I turned up the log level to 3 for a short time and looked at the logs. One
thing I notice is some entries like this:

[2018/01/24 18:28:37.933498,  3]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username STA\I7X4-42G-12$ is invalid on this
system
[2018/01/24 18:28:37.933525,  3]
../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
[2018/01/24 18:28:37.933582,  3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/01/24 18:28:37.934058,  2]
../source3/smbd/close.c:788(close_normal_file)
  STA\jimenez closed file 2017dwgs/17020/Revit/633 Folsom
Street_TSE_Struct_backup/_contents.2154.dat (numopen=504) NT_STATUS_OK
[2018/01/24 18:28:37.934320,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
[2018/01/24 18:28:37.934340,  3] ../source3/smbd/dir.c:656(dptr_create)
  Server exit (NT_STATUS_CONNECTION_RESET)

The name  STA\I7X4-42G-12$ is a machine name. Is this one of those normal
and expected error messages or does it indicate a problem?

Computer accounts are mostly like user accounts, and it can be used to connect to network shares. For example workstation computer account is used to connect to SYSVOL share to download GPO at machine startup.

It is uncommon to have a workstation connect to a fileserver, although there are some use cases. If my memory is right, the server is configured with rfc2307, so it get uidnumber and gidnumber from LDAP tree, and there is probably no uidnumber on workstation accounts.

One option is to add uidnumber/gidnumber to workstations to avoid this error message, or to switch to rid mapping (but you'll need to remap ACL on network shares). But anyway, like I said before, there is probably no use for you workstation to connect to the server, so you may have to check why it is doing that.

For the high load, I don't know if it is linked to that. If the query non resolving query is coming in all the time, it may be usefull to add some negative cache time on winbind.

Cheers,

Denis


When I run "wbinfo -i" it returns valid info for domain users. Is it
supposed to do the same for machine accounts?

If this is a red herring, do you have any suggestions on how to proceed?
Thanks.


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba