The Samba-Bugzilla – Bug 11837
Winbind keeps looking up nonexisting uid's/gid's with idmap_ad
Last modified: 2017-12-05 17:31:04 UTC
Created attachment 11996 [details]
debug output from running winbind interactively (at debug level 3 or 4)
My setup is a Debian fileserver running Samba and Winbind, connected to a Windows Server 2012 DC, so that it can share folders to a Windows network. Winbind uses the idmap_ad backend for consistent id's across the network.
After upgrading to the newest Samba (security) release for Debian Jessie (2:4.2.10+dfsg-0+deb8u1, from 2:4.1.17+dfsg-2+deb8u2) today, winbind constantly stayed at ~60% CPU usage and accessing shared folders was extremely slow (under modest load).
Running winbind in interactive mode with an increased debug level, I noticed that winbind kept looking up the same uid/gid over and over again (see the attached logfile for an excerpt, where it keeps looking for uid 10006). Most interesting is that the uid/gid it kept looking up do not exist (are not present in AD on the DC). After adding the uid/gid to some bogus user/group in Active Directory on the DC the CPU load generated by Winbind dropped and filesharing was usable again.
Created attachment 11997 [details]
contents of my smb.conf (slightly redacted)