The Samba-Bugzilla – Bug 9226
100% cpu on lsass.exe when linked to Active Directory 2008R2
Last modified: 2012-10-05 11:29:49 UTC
Created attachment 7962 [details]
Winbind daemon debug mode level 10
We have an Active Directory with about 1500 users.
The Samba 3.6.8 service is used to perform NTLM feature with the squid-cache server.
We have successfully connected the Linux server to our Active Directory Windows 2008 R2.
After 2 or 3 minutes the Active Directory lsass.exe run to 100% CPU all the times on the Windows Active Directory server.
When stopping winbindd daemon the lsass.exe down to 0%
Here it is the smb.conf
workgroup = AFEONLINE
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
realm = AFEONLINE.NET
security = ads
winbind enum groups = yes
winbind enum users = yes
idmap config * : range = 10000 - 20000
idmap config * : backend = tdb
idmap config AFEONLINE : backend = tdb
idmap config AFEONLINE : range = 20000 - 20000000
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = Yes
winbind separator = /
winbind use default domain = yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind reconnect delay = 30
winbind offline logon = true
winbind cache time = 1800
winbind refresh tickets = true
allow trusted domains = Yes
server signing = auto
client signing = auto
lm announce = No
ntlm auth = No
lanman auth = No
preferred master = No
encrypt passwords = yes
password server = 10.33.252.30
printing = bsd
load printers = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Added the winbind daemon debug log.
Have you tried with "winbind normalize names = no"?
(In reply to comment #1)
> Have you tried with "winbind normalize names = no"?
We have changed to "winbind normalize names = no" but this does not resolve this issue, after 2s the lsass.exe run to 100% cpu.
I think we need a network trace between your Samba server and the Domain Controller to nail this down. Please take a look at http://wiki.samba.org/index.php/Capture_Packets for information on how to create useful network traces.
Ah, together with the network trace please also upload your debug level 10 logs of all winbind processes. These include not only the log.winbindd-*, but also the log.wb-* files.
(In reply to comment #4)
> Ah, together with the network trace please also upload your debug level 10 logs
> of all winbind processes. These include not only the log.winbindd-*, but also
> the log.wb-* files.
We have recompiled samba, clear the Active directory connection and join again to the Active Directory and it seems the issue disappears.
We can close this ticket
Thanks,Thanks,Thanks, Many Thanks for your help...