15278 – samba doesn't cleanup samba-dcerpcd processes

Bug 15278 - samba doesn't cleanup samba-dcerpcd processes

Summary: samba doesn't cleanup samba-dcerpcd processes

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	4.19.4
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-01-06 01:00 UTC by Michael Prohm
Modified:	2024-03-14 15:00 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Prohm 2023-01-06 01:00:44 UTC

Setup:
Version 4.17.4 as active directory domain controller
Docker version 20.10.22, build 3a2c30b: Debian-Bullseye with bullseye-backports repository

     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   Jan05   0:00 [samba-dcerpcd] <defunct>
     Zs   00:04   0:00 [samba-dcerpcd] <defunct>
     Zs   00:21   0:00 [samba-dcerpcd] <defunct>
     Zs   00:26   0:00 [samba-dcerpcd] <defunct>
     Zs   00:31   0:00 [samba-dcerpcd] <defunct>
     Zs   00:35   0:00 [samba-dcerpcd] <defunct>
     Zs   00:41   0:00 [samba-dcerpcd] <defunct>
     Zs   00:48   0:00 [samba-dcerpcd] <defunct>
     Zs   00:53   0:00 [samba-dcerpcd] <defunct>
     Zs   00:59   0:00 [samba-dcerpcd] <defunct>
     Zs   01:04   0:00 [samba-dcerpcd] <defunct>
     Zs   01:21   0:00 [samba-dcerpcd] <defunct>
     Zs   01:26   0:00 [samba-dcerpcd] <defunct>
     Zs   01:31   0:00 [samba-dcerpcd] <defunct>
     Zs   01:36   0:00 [samba-dcerpcd] <defunct>
     Zs   01:48   0:00 [samba-dcerpcd] <defunct>
     Ss   01:53   0:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=49 --np-helper --debuglevel=1
     S    01:53   0:00  \_ /usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=0 --worker-index=0 --debuglevel=1
     S    01:53   0:00  \_ /usr/libexec/samba/rpcd_winreg --configfile=/etc/samba/smb.conf --worker-group=1 --worker-index=5 --debuglevel=1


The processes are starting but after exiting they are stay as zombies.

Log: log.samba-dcerpcd:
[2023/01/06 00:53:07,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 00:53:07,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 00:59:43,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 00:59:43,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:04:44,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:04:44,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:04:44.720739,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
  rpc_worker_exited: No worker with PID 3445
[2023/01/06 01:21:03,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:21:03,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:21:03.762757,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
  rpc_worker_exited: No worker with PID 3515
[2023/01/06 01:26:04,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:26:04,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:31:04,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:31:04,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:36:05,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:36:05,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:48:06,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:48:06,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:48:07.030338,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
  rpc_worker_exited: No worker with PID 3660
[2023/01/06 01:53:07,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:53:07,  0] ../../source3/rpc_server/rpc_host.c:2966(main)
  samba-dcerpcd version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:53:07.983766,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
  rpc_worker_exited: No worker with PID 3703

Log: log.rpcd_classic:
[2023/01/06 01:26:04,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:26:04,  0] ../../source3/rpc_server/rpc_worker.c:1105(rpc_worker_main)
  rpcd_classic version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:26:04,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:31:05,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:31:05,  0] ../../source3/rpc_server/rpc_worker.c:1105(rpc_worker_main)
  rpcd_classic version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:31:05,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:36:06,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:36:06,  0] ../../source3/rpc_server/rpc_worker.c:1105(rpc_worker_main)
  rpcd_classic version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:36:06,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:48:07,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:48:07,  0] ../../source3/rpc_server/rpc_worker.c:1105(rpc_worker_main)
  rpcd_classic version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:48:07,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:53:08,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2023/01/06 01:53:08,  0] ../../source3/rpc_server/rpc_worker.c:1105(rpc_worker_main)
  rpcd_classic version 4.17.4-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/01/06 01:53:08,  1] ../../lib/param/loadparm.c:1911(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated

Comment 1 Volker Lendecke 2023-01-06 15:05:49 UTC

Can you post your complete process table and your smb.conf? In particular, what is the parent of those zombies?

Comment 2 Michael Prohm 2023-01-26 15:31:24 UTC

Process tree:
/usr/bin/containerd-shim-runc-v2 -namespace moby -id f65b285eea4b06df267c55a63e3e1af5af3c11fcd8bdad91966e922709de1971 -address /run/containerd/containerd.sock
 \_ samba: root process
     \_ samba: task[s3fs_parent]
     |   \_ samba: tfork waiter process(29)
     |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     \_ samba: task[dcesrv]
     \_ samba: task[nbtd]
     \_ samba: task[wrepl]
     \_ samba: task[ldapsrv]
     \_ samba: task[cldapd]
     \_ samba: conn[kdc_tcp] c[ipv4:FIRSTIP:62032] s[ipv4:SECONDIP:88] server_id[31.38]
     \_ samba: task[dreplsrv]
     \_ samba: task[winbindd_parent]
     |   \_ samba: tfork waiter process(39)
     |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
     |           \_ winbindd: domain child [DOMAIN]
     |           \_ winbindd: idmap child
     \_ samba: task[ntp_signd]
     \_ samba: task[kccsrv]
     \_ samba: task[dnsupdate]
     \_ samba: conn[dns_tcp] c[ipv4:FIRSTIP:49190] s[ipv4:SECONDIP:53] server_id[38.38]
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ [samba-dcerpcd] <defunct>
     \_ /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=92 --np-helper --debuglevel=1
         \_ /usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=0 --debuglevel=1



Full config:


[global]
   workgroup = DOMAIN
   realm = HE.DOMAIN.DE
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = false
   winbind offline logon = false

        netbios name = SERV
        interfaces = lo, br-vlan1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        winbind enum users = yes
        winbind enum groups = yes

        log file = /var/log/samba/samba.log
        log level = 3


[netlogon]
        path = /var/lib/samba/sysvol/he.domain.de/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Data]
        comment = data
        path = /export/data
        read only = No

[users]
        path = /export/users
        read only = No

[Profiles]
        path = /export/profiles
        read only = no



root@dc1:/# samba-tool processes
 Service:                          PID
--------------------------------------
cldap_server                        30
dnssrv                              38
dnsupdate                           36
dreplsrv                            32
kccsrv                              35
kdc_server                          31
ldap_server                         28
nbt_server                          25
notify-daemon                       46
rpc_server                          24
samba                                1
winbind_server                      39



Dockerfile:


FROM debian:bullseye-backports
MAINTAINER Michael Prohm "michael@prohm.de"

....

RUN apt-get update && \
    apt-get install  -y -t bullseye-backports acl attr samba samba-dsdb-modules samba-vfs-modules winbind krb5-config krb5-user dnsutils libnss-winbind && \
    apt-get install -y tzdata && \
    apt-get upgrade -y && \
    chmod 0755 /usr/local/bin/entrypoint.sh

RUN mkdir /export
VOLUME /etc/samba /var/lib/samba /export
EXPOSE 53 53/udp 88 88/udp 135 137-138/udp 139 389 389/udp 445 464 464/udp 636 3268-3269 49152-65535

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

Comment 3 Stefan Metzmacher 2024-03-14 14:58:05 UTC

I think we should enforce 'rpc start on demand helpers = no' for the ad dc
case and let 'samba' start 'samba-dcerpcd' in a similar way as
smbd and winbindd.

Comment 4 Stefan Metzmacher 2024-03-14 15:00:59 UTC

Using 'rpc start on demand helpers = no' in smb.conf
and starting (all in one line, the rpcd_ binaries are arguments):
"/usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_classic /usr/libexec/samba/rpcd_winreg"

Is temporary solution, but we may want a way only provide ncacn_np
in that case too...