samba - Nov 2010 - Can Constant Failed Connection Attempts Crash a Server?

Hi,

I am responsible for 1000+ Samba servers. One particular server keeps 
crashing every few days.  The server freezes up hard. I have swapped 100 
percent of the hardware (in other words, I replaced Server A with a 
completely new Server B) but the crashing is still occurring.

The server is running Samba 3.4.2 on 64-bit Linux with a custom 
2.6.32.11 kernel and 6 GB RAM.

I am fairly convinced the problem is being caused by a computer 
workstation on the network that is constantly trying to connect to a 
Samba share that does not exist.  Typically, I am seeing between 100,000 
and 200,000 failed attempts to connect to a share EVERY DAY.

For example, in the logs shown below, a video encoding station 
"encoder-pc1" is trying to connect to a Samba share called 
"tx-masters_".  However, the share is actually called
"tx-masters_1".

Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters_
Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters_
Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters_
Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters_
Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters_
Nov  7 18:00:55 loaner-1 smbd[2851]: [2010/11/07 18:00:55,  0] 
smbd/service.c:1188(make_connection)
Nov  7 18:00:55 loaner-1 smbd[2851]:   encoder-pc1 
(::ffff:192.168.10.101) couldn't find service tx-masters

I will see messages like this up to 200,000 times every day.  Just 
before the ABOVE crash, there were 100 failed attempts in one second.  
These messages are almost always the last thing in /var/log/messages 
before a freeze up (then again,  because these messages occupy about 
99.9 percent of the logs anyway, it may not be significant that we see 
them just before the crash).

I saw something similar about 4 years ago when Google came out with a 
"Desktop Search" tool for Windows.  A computer with the brand new
Google
search tool was constantly bombarding one of our servers trying to 
connect to a Samba share without supplying the proper login 
credentials.  In that case, each time there was a login attempt, there 
was a "denied" response from smbd.  After hours of operation, the
server
would always freeze up. The problem went away immediately after 
uninstalling the Google Desktop search tool. I never proved that the 
failed login attempts were causing the server to crash, but the evidence 
was fairly convincing.

And now I have this case.

I would appreciate the opinion of the Samba.org folks.  Does it make 
sense that constant bombardment of a Samba server with failed connection 
attempts could cause the whole server to crash?

Regards,
Andy

On Mon, Nov 08, 2010 at 09:23:06AM -0500, Andy Liebman
wrote:
> 
> I would appreciate the opinion of the Samba.org folks.  Does it make
> sense that constant bombardment of a Samba server with failed
> connection attempts could cause the whole server to crash?
Only if (as root) we were compromising some essential resource.
But simply connecting and being disconnected should not be able
to crash a server, modulo some pretty severe kernel bugs.

Jeremy

On Mon, Nov 08, 2010 at 09:23:06AM -0500, Andy Liebman
wrote:
> And now I have this case.
> 
> I would appreciate the opinion of the Samba.org folks.  Does it make
> sense that constant bombardment of a Samba server with failed
> connection attempts could cause the whole server to crash?
No, definitely not. We could certainly talk about increasing
the debug level of that message from 0 to 1, so that it does
not appear in syslog.

Volker