Hi,
our virtual DCs specs are:
1vCPU, 1GB RAM
System is running on iSCSI Storage in an Openstack Enviroment.
Smb.conf on our DC 03 and 04:
=================# Global parameters
[global]
workgroup = NLI
realm = nli.local
netbios name = dc04
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = xxx.xxx.xxx.xxx
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/nli.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
=================
Smb.conf on our clients:
=================#Ansible managed
# global options
[global]
workgroup = NLI
realm = NLI.LOCAL
netbios name = xxxxxx
server string = Samba AD Client Version %v
security = ads
password server = dc3.nli.local, dc4.nli.local, dc2.nli.local, dc1.nli.local,
*
server role = member server
socket options = TCP_NODELAY SO_KEEPALIVE=4
deadtime = 15
# winbind options
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = true
winbind nested groups = yes
winbind use default domain = yes
winbind cache time = 300
winbind nss info = template
template shell = /bin/bash
template homedir = /home/NLI.LOCAL/%U
# local user id mapping
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# domain user id mapping
idmap config NLI : backend = rid
idmap config NLI : range = 10000-999999
# log configuration
log file = /var/log/samba/log.%m
log level = 1
max log size = 1000
# root to domain admin mapping
username map = /etc/samba/user.map
=================
Dc03 and dc04 in our cloud replicate to our dc01 and dc02 in our HQ.
- Julian
-----Ursprüngliche Nachricht-----
Von: Andrew Bartlett [mailto:abartlet at samba.org]
Gesendet: Dienstag, 25. April 2017 11:45
An: Julian Zielke <jzielke at next-level-integration.com>; samba at
lists.samba.org
Betreff: Re: [Samba] Flooding Samba DC with random requests
On Tue, 2017-04-25 at 09:05 +0000, Julian Zielke via samba
wrote:> Hi,
>
> yesterday we experienced a heavy request flooding from multiple
> servers being a domain member against our Samba Sernet DCs.
> All those servers are domain members and allow login using PAM
> (Samba+Winbind).
Currently we only have one process handling the LDAP traffic, which would
explain why a traffic flood like this:
> Running TCPDump we had like 400 Requests per 5 seconds like this:
...
Still only gives busy CPU, but not I/O wait:
> Due to that flooding, even logins via ssh on our servers timed out.
> CPU Load on both DCs went up to 95% without high I/O wait.
> After restarting the sernet-samba-ad service on both DCs, the Problem
> went away.
My first guess is that the multiple connections caused timeouts on the clients,
causing the clients to reconnect and try again, magnifying the load. However it
is really hard to tell with the limited information provided.
I'm working to make our LDAP server multi-process, more efficient and able
to use all the available CPUs.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich
für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene
Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie
bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder
Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in
diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie
außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet
unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der
Kenntnisnahme und Manipulation besteht
Important Note: The information contained in this e-mail is confidential. It is
intended solely for the addressee. Access to this e-mail by anyone else is
unauthorized. If you are not the intended recipient, any form of disclosure,
reproduction, distribution or any action taken or refrained from in reliance on
it, is prohibited and may be unlawful. Please notify the sender immediately. We
also would like to inform you that communication via e-mail over the internet is
insecure because third parties may have the possibility to access and manipulate
e-mails.
On Tue, 25 Apr 2017 12:07:35 +0000 Julian Zielke via samba <samba at lists.samba.org> wrote:> Smb.conf on our clients: > =================> #Ansible managed > # global options > [global] > workgroup = NLI > realm = NLI.LOCAL > netbios name = xxxxxx > server string = Samba AD Client Version %v > security = ads > password server = dc3.nli.local, dc4.nli.local, dc2.nli.local, > dc1.nli.local, * server role = member server > socket options = TCP_NODELAY SO_KEEPALIVE=4 > deadtime = 15 > > # winbind options > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = yes > winbind offline logon = true > winbind nested groups = yes > winbind use default domain = yes > winbind cache time = 300 > > winbind nss info = template > template shell = /bin/bash > template homedir = /home/NLI.LOCAL/%U > > # local user id mapping > idmap config * : backend = tdb > idmap config * : range = 3000-7999 > > # domain user id mapping > idmap config NLI : backend = rid > idmap config NLI : range = 10000-999999 > > # log configuration > log file = /var/log/samba/log.%m > log level = 1 > max log size = 1000 > > # root to domain admin mapping > username map = /etc/samba/user.mapIt is probably as Andrew has said, but I would make a few changes to the clients smb.conf: Remove the 'password server' line, you should allow the client to find the DC via DNS Remove the 'socket options' line, this really isn't required now. Remove the 'winbind enum' lines, you definitely don't need these. Rowland
OK Thanks for your advise. - Julian -----Ursprüngliche Nachricht----- Von: Rowland Penny [mailto:rpenny at samba.org] Gesendet: Dienstag, 25. April 2017 14:41 An: samba at lists.samba.org Cc: Julian Zielke <jzielke at next-level-integration.com> Betreff: Re: [Samba] Flooding Samba DC with random requests On Tue, 25 Apr 2017 12:07:35 +0000 Julian Zielke via samba <samba at lists.samba.org> wrote:> Smb.conf on our clients: > =================> #Ansible managed > # global options > [global] > workgroup = NLI > realm = NLI.LOCAL > netbios name = xxxxxx > server string = Samba AD Client Version %v > security = ads > password server = dc3.nli.local, dc4.nli.local, dc2.nli.local, > dc1.nli.local, * server role = member server > socket options = TCP_NODELAY SO_KEEPALIVE=4 > deadtime = 15 > > # winbind options > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = yes > winbind offline logon = true > winbind nested groups = yes > winbind use default domain = yes > winbind cache time = 300 > > winbind nss info = template > template shell = /bin/bash > template homedir = /home/NLI.LOCAL/%U > > # local user id mapping > idmap config * : backend = tdb > idmap config * : range = 3000-7999 > > # domain user id mapping > idmap config NLI : backend = rid > idmap config NLI : range = 10000-999999 > > # log configuration > log file = /var/log/samba/log.%m > log level = 1 > max log size = 1000 > > # root to domain admin mapping > username map = /etc/samba/user.mapIt is probably as Andrew has said, but I would make a few changes to the clients smb.conf: Remove the 'password server' line, you should allow the client to find the DC via DNS Remove the 'socket options' line, this really isn't required now. Remove the 'winbind enum' lines, you definitely don't need these. Rowland Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.