Bug 9226 - 100% cpu on lsass.exe when linked to Active Directory 2008R2
Summary: 100% cpu on lsass.exe when linked to Active Directory 2008R2
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.8
Hardware: x86 Linux
: P5 critical
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-30 15:30 UTC by David Touzeau
Modified: 2012-10-05 11:29 UTC (History)
1 user (show)

See Also:

Attachments
Winbind daemon debug mode level 10 (2.50 MB, application/octet-stream)
2012-09-30 15:30 UTC, David Touzeau 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Touzeau 2012-09-30 15:30:51 UTC 
Created attachment 7962 [details]
Winbind daemon debug mode level 10

We have an Active Directory with about 1500 users.
The Samba 3.6.8 service is used to perform NTLM feature with the squid-cache server.
We have successfully connected the Linux server to our Active Directory Windows 2008 R2.
After 2 or 3 minutes the Active Directory lsass.exe run to 100% CPU all the times on the Windows Active Directory server.
When stopping winbindd daemon the lsass.exe down to 0%

Here it is the smb.conf

[global]
	workgroup = AFEONLINE
	kerberos method = dedicated keytab
	dedicated keytab file = /etc/krb5.keytab
	realm = AFEONLINE.NET
	security = ads
	winbind enum groups = yes
	winbind enum users = yes
	idmap config * : range = 10000 - 20000
	idmap config * : backend = tdb
	idmap config AFEONLINE : backend = tdb
	idmap config AFEONLINE : range = 20000 - 20000000
	client ntlmv2 auth = Yes
	client lanman auth = No
	winbind normalize names = Yes
	winbind separator = /
	winbind use default domain = yes
	winbind nested groups = Yes
	winbind nss info = rfc2307
	winbind reconnect delay = 30
	winbind offline logon = true
	winbind cache time = 1800
	winbind refresh tickets = true
	allow trusted domains = Yes
	server signing = auto
	client signing = auto
	lm announce = No
	ntlm auth = No
	lanman auth = No
	preferred master = No
	encrypt passwords = yes
	password server = 10.33.252.30
	printing = bsd
	load printers = no
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


Added the winbind daemon debug log.
Comment 1 Volker Lendecke 2012-10-01 03:52:22 UTC 
Have you tried with "winbind normalize names = no"?
Comment 2 David Touzeau 2012-10-01 14:14:12 UTC 
(In reply to comment #1)
> Have you tried with "winbind normalize names = no"?

We have changed to "winbind normalize names = no" but this does not resolve this issue, after 2s the lsass.exe run to 100% cpu.
Comment 3 Volker Lendecke 2012-10-02 06:00:37 UTC 
I think we need a network trace between your Samba server and the Domain Controller to nail this down. Please take a look at http://wiki.samba.org/index.php/Capture_Packets for information on how to create useful network traces.
Comment 4 Volker Lendecke 2012-10-02 06:01:29 UTC 
Ah, together with the network trace please also upload your debug level 10 logs of all winbind processes. These include not only the log.winbindd-*, but also the log.wb-* files.
Comment 5 David Touzeau 2012-10-05 11:29:49 UTC 
(In reply to comment #4)
> Ah, together with the network trace please also upload your debug level 10 logs
> of all winbind processes. These include not only the log.winbindd-*, but also
> the log.wb-* files.

We have recompiled samba, clear the Active directory connection and join again to the Active Directory and it seems the issue disappears.
We can close this ticket
Thanks,Thanks,Thanks, Many Thanks for your help...