Hello All,

I am having an issue with a samba 3.0.21a with LDAP backend installation.

My Samba PDC is sending tons of traffic to my ldapserver (iplanet) and is causing the ldap server load to peak consistently over a ridiculous 91%. Logons come to a crawl because the ldap load is so high. I do not have roaming profiles enabled. Here is an excerpt from a logfile (log level=2):

    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua19847
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua05996
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua68562
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: dhs
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua05938
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua15265
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua18897
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua03367
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tmarti03
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua61714
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua40746
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua05048
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua10708
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: koldacre
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua01257
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua56483
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua43553
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: aseward
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: ironman8
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua51360
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: ehlee
    [2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
      init_sam_from_ldap: Entry found for user: tua37090

When users log onto the SAMBA domain, Samba queries ldap for the user authentication credentials; if the user and passwords match, the users are then able to log onto the client. A registry value is then entered in HKLM\Software\Microsoft\Windows\Windows NT\CurrentVersion\ProfileList\S-1-21-DOMAIN SIDS-other values\tuaxxxx. The registry entry is expected and normal and all authenticated domain users will have a registry entry on any machine they use. The SAMBA request traffic was enough to increase the LDAP system load and force me to redirect requests from SAMBA from the production LDAP servers to an offsite LDAP server, and then eventually to my own slave ldap server. This move was necessary so that other university distributed systems would not be adversely affected. The queries that SAMBA is requesting from LDAP are for all domain users that have a registry entry in the aforementioned hive location. Please bear in mind that this enumeration occurs in the background whether or not the XP systems are:

1. at the logon screen
2. after a user has successfully authenticated (the request will occur for the current logon user and enumerate for ALL domain users in the hive).

During my testing, tuning, and log observation, I have noticed that the requests do not happen at any specific interval for a specific client; rather they just occur often enough to cause too much load on the LDAP servers. How can I get this to stop? Is this normal behaviour?

In my research I noticed a smb.conf parameter setting of winbind enum group and winbind enum users. I am not using winbind, so this will not work for me. I've manually deleted the domain users that exist in the HKLM reg hive I mentioned above and that stops the traffic requests from samba to ldap. However each new user of a particular workstation will continue to have an entry cached in this hive. I've looked for a way to stop the caching using regedit and gpedit.msc, but wasn't successful.

I should also mention that I've been using this version of samba for over 1.5 years and it has proven to be stable for me. I do plan to upgrade at the end of the semester; however this issue has started in the past 3 weeks only. The only change has been on the client, and that was an upgrade of symantec antivirus client from 10.0.1.1000 to 10.1.4.4000.
My smb.conf is as follows:

    [EMAIL PROTECTED] samba]# testparm
    Load smb config files from /etc/samba/smb.conf
    Can't find include file /etc/samba/.conf
    Processing section "[netlogon]"
    Processing section "[e-PrimeData]"
    Processing section "[HIMS]"
    Processing section "[TEST2]"
    Processing section "[TempDir]"
    Processing section "[Apps]"
    Processing section "[Photography]"
    Processing section "[admintools]"
    Processing section "[magazine]"
    Loaded services file OK.
    WARNING: passdb expand explicit = yes is deprecated
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions

    [global]
        workgroup = ACSLABS
        server string = "TUfiles"
        passdb backend = ldapsam:ldap://ldap-tech.ocis.temple.edu:11389/
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 0
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        addprinter command = /etc/samba/scripts/smbaddprinter.pl
        deleteprinter command = /etc/samba/scripts/smbdelprinter.pl
        add machine script = /etc/samba/scripts/addworkstation.pl %u
        logon script = login.bat
        logon path =
        domain logons = Yes
        domain master = Yes
        wins server = 155.247.225.230, 155.247.225.231
        ldap admin dn = cn=sambaLabs2,ou=roles,dc=temple,dc=edu
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=temple,dc=edu
        ldap user suffix = ou=People
        add share command = /etc/samba/scripts/modify_samba_config.pl
        delete share command = /etc/samba/scripts/modify_samba_config.pl
        panic action = "/bin/sleep 90000"
        winbind enum users = No
        winbind enum groups = No
        inherit acls = Yes
        ea support = Yes
        map acl inherit = Yes
        include = /etc/samba/.conf

    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = "@Domain Admins"
        guest ok = Yes
        browseable = No
        locking = No

    [magazine]
        comment = SCT Magazine
        path = /ACSLABS/Magazine
        valid users = @magazine
        read only = No
        create mask = 0775
        veto files = /*.php/*.xml/*.css/.htaccess/*.com/*.bat/*.exe/*.scr/*.pif/*.dll/
        volume = SCT Magazine

    ......some share info deleted to allow for shorter message

I don't want to add a WMI or VB script to delete the registry hive values because this is a new problem and did exist prior to three weeks ago.

Thanks for your assistance,
joe

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
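
One way to quantify the lookups described in the post, added here as an example and not part of the original message or of Samba: it groups the `init_sam_from_ldap` log lines by timestamp and reports the seconds in which many distinct users were fetched from LDAP. The sample log, the user names in it and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# smbd header "[2007/04/24 17:23:56, 2] file:func(line)" (group 1 = timestamp)
# or the pdb_ldap message that follows it (group 2 = user name).
TOKEN = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]"
    r"|init_sam_from_ldap: Entry found for user: (\S+)"
)

def lookups_per_second(text):
    """Map each log timestamp to the users fetched from LDAP in that second.

    Scans tokens rather than lines, so it works on smbd's two-line entries
    and on excerpts whose line breaks were lost when pasted.
    """
    per_second = defaultdict(list)
    current = None
    for m in TOKEN.finditer(text):
        if m.group(1):
            current = m.group(1)
        elif current is not None:  # ignore a message with no header before it
            per_second[current].append(m.group(2))
    return dict(per_second)

def enumeration_bursts(per_second, threshold=5):
    """Seconds with >= threshold distinct users (threshold is an assumption)."""
    return {ts: len(set(users)) for ts, users in per_second.items()
            if len(set(users)) >= threshold}

# Constructed sample: one ordinary logon, then a seven-user burst.
ENTRY = ("[{ts}, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)\n"
         "  init_sam_from_ldap: Entry found for user: {user}\n")
SAMPLE = ENTRY.format(ts="2007/04/24 17:20:01", user="user01") + "".join(
    ENTRY.format(ts="2007/04/24 17:23:56", user="user%02d" % i)
    for i in range(2, 9)
)

if __name__ == "__main__":
    for ts, n in enumeration_bursts(lookups_per_second(SAMPLE)).items():
        print(f"{ts}: {n} distinct users looked up")
```

Because the posted configuration sets `log file = /var/log/samba/%m`, each client machine has its own log file, so running this over each file separately attributes the bursts to individual workstations.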