I've currently got a samba 4.0.6-GIT-3f8ea16 deployment that's spawning
many (250 or more) smbd processes whenever a backup runs and starts backing up
files that have samba ACLs attached to them (such as the 'sysvol'
volume). This will effectively lock up the machine until I've restarted
samba and killed the backup job. If the backup is still running, samba will
immediately spawn smbd processes again.
My machine is a 64-bit CentOS 6.4 server with 16 GB of RAM and an Intel 8-core
Xeon processor. Kernel is the stock CentOS 2.6.32-358.2.1.el6.x86_64. The
Samba part of this runs fine from the Windows perspective (that is, until the
backup system kicks in).
I set up my samba4 server per the instructions on the samba wiki. Specifically,
I followed the winbind setup instructions from here:
http://wiki.samba.org/index.php/Samba4/Winbind
In a nutshell, I had to create these symlinks:
    ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
    ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
and edit my nsswitch.conf file as follows:
    passwd: files winbind
    shadow: files
    group: files winbind
All of the suggested testing on that page works great.
After a fresh samba restart, without anything running, things look like this:
[root@server ~]# ps ax | grep samba
21420 ? Ss 0:00 /usr/local/samba/sbin/samba
21422 ? S 0:00 /usr/local/samba/sbin/samba
21423 ? S 0:00 /usr/local/samba/sbin/samba
21424 ? Ss 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
21425 ? S 0:00 /usr/local/samba/sbin/samba
21426 ? S 0:00 /usr/local/samba/sbin/samba
21427 ? S 0:00 /usr/local/samba/sbin/samba
21428 ? S 0:00 /usr/local/samba/sbin/samba
21429 ? S 0:00 /usr/local/samba/sbin/samba
21430 ? S 0:00 /usr/local/samba/sbin/samba
21431 ? S 0:00 /usr/local/samba/sbin/samba
21432 ? S 0:00 /usr/local/samba/sbin/samba
21433 ? S 0:00 /usr/local/samba/sbin/samba
21434 ? S 0:00 /usr/local/samba/sbin/samba
21435 ? S 0:00 /usr/local/samba/sbin/samba
21438 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
[root@server ~]# ps ax | grep samba | wc -l
17
When a backup job kicks in, I'll see hundreds of lines similar to:
22026 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22043 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22044 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
and I have the approximate number of samba processes:
[root@server ~]# ps ax | grep samba | wc -l
258
smbstatus will look like this, but with many more lines:
[root@server ~]# smbstatus
Samba version 4.0.6-GIT-3f8ea16
PID Username Group Machine
-------------------------------------------------------------------
21809 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56761)
21796 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56748)
21771 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56722)
If I engage Name Service Cache Daemon (nscd), then the backup will run just
fine, and I don't seem to get an extraordinary number of samba processes.
(It will bump up to about 27, but stays there.) Unfortunately, nscd
doesn't seem to play well with Samba4's internal winbind system.
The "id <username>" command will only return results for some of
the users. And Apache PAM authentication stops working with unusual errors.
(Both of which work fine when nscd isn't running.)
I've been looking at setting up SSSD, but I get the feeling that's not
quite what I'm looking for either. I get the impression that it does
its own ID mapping, which would probably differ from the internal
winbind's mapping. Please correct me if I'm wrong on this.
If I turn off the libnss_winbind part, there seem to be some other issues that
crop up, such as users unable to log into their own home folders.
It seems that I need to either:
1.) Figure out how to make the internal winbind server behave when doing lots
of libnss_winbind look-ups
2.) Figure out how to take the load off winbind by using nscd and figure out
how to make that work reliably with other things (like id <username> or
apache mod_auth_pam)
3.) Perhaps figure out sssd (which I haven't gotten to work yet, but
haven't spent a ton of time on.)
If anyone has some suggestions or pointers, I'd be eternally grateful.
Thanks!
-Joe
My smb.conf:
# Global parameters
[global]
    workgroup = KAUKAUNA
    realm = KAUKAUNA.NEWSPUB
    netbios name = SERVER
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, winbind, drepl, ntp_signd, kcc, dnsupdate, dns
    log level = 1
    #idmap config * : range = 16777216-33554431
    #idmap config * : backend = ad
    hide unreadable = yes
    allow dns updates = enabled
    dns forwarder = 8.8.8.8
    nsupdate command = /usr/local/samba/sbin/samba_dnsupdate
    map archive = no
    map readonly = no
    map hidden = no
    map system = no
    store dos attributes = yes
    winbind enum users = yes
    winbind enum groups = yes
[netlogon]
    path = /home/samba/sysvol/kaukauna.newspub/scripts
    read only = No
    browseable = No
[sysvol]
    path = /home/samba/sysvol
    read only = No
    browseable = No
[homes]
    path = /home/KAUKAUNA/%S
    browsable = no
    writeable = yes
    valid users = %S
    create mask = 0600
    directory mask = 0700
    root preexec = /usr/local/sbin/mkhomedir.sh %U
    kernel oplocks = no
    level2 oplocks = yes
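
Added example, not part of the original post: a small shell diagnostic that measures the two things the post reads by eye, the number of smbd processes and which account and client address the smbstatus sessions belong to. The sample input is constructed from the excerpts above; PID 22100, the account user1 and the address 192.168.150.20 are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed
# from the excerpts above; PID 22100, user1 and 192.168.150.20 are made up.

# Count smbd processes in `ps ax` output on stdin. Matching the command
# column (field 5) keeps the grep process itself out of the total.
count_smbd() {
    awk '$5 ~ /\/smbd$/ { n++ } END { print n + 0 }'
}

# Tally smbstatus sessions per account and client address, busiest first.
# The address comes from the "(ipv4:ADDR:PORT)" suffix because the group
# column can contain spaces ("Domain Controllers").
sessions_by_client() {
    awk '
    $1 ~ /^[0-9]+$/ && match($0, /\(ipv4:[0-9.]+:[0-9]+\)/) {
        addr = substr($0, RSTART + 6, RLENGTH - 7)  # drop "(ipv4:" and ")"
        sub(/:[0-9]+$/, "", addr)                    # drop the source port
        count[$2 " " addr]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

sample_ps() {
cat <<'EOF'
21420 ? Ss 0:00 /usr/local/samba/sbin/samba
21424 ? Ss 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22026 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22043 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22044 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22100 pts/0 S+ 0:00 grep samba
EOF
}

sample_smbstatus() {
cat <<'EOF'
Samba version 4.0.6-GIT-3f8ea16
PID Username Group Machine
21809 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56761)
21796 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56748)
21771 KAUKAUNA\SERVER$ KAUKAUNA\Domain Controllers 192.168.150.1 (ipv4:192.168.150.1:56722)
21900 KAUKAUNA\user1 KAUKAUNA\Domain Users 192.168.150.20 (ipv4:192.168.150.20:49152)
EOF
}

echo "smbd processes: $(sample_ps | count_smbd)"
sample_smbstatus | sessions_by_client
```

On a live server the same functions take `ps ax | count_smbd` and `smbstatus | sessions_by_client`, run once idle and once during the backup to compare.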