Hi Mark,
> I'm investigating high CPU load on a domain member server (file server)
> after an upgrade from 4.5.5 to 4.6.2. The problem continued after a
> subsequent upgrade to 4.6.7.
>
> I turned up the log level to 3 for a short time and looked at the logs. One
> thing I notice is some entries like this:
>
> [2018/01/24 18:28:37.933498, 3]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> get_user_from_kerberos_info: Username STA\I7X4-42G-12$ is invalid on this
> system
> [2018/01/24 18:28:37.933525, 3]
> ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
> auth3_generate_session_info_pac: Failed to map kerberos principal to
> system user (NT_STATUS_LOGON_FAILURE)
> [2018/01/24 18:28:37.933582, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
> [2018/01/24 18:28:37.934058, 2]
> ../source3/smbd/close.c:788(close_normal_file)
> STA\jimenez closed file 2017dwgs/17020/Revit/633 Folsom
> Street_TSE_Struct_backup/_contents.2154.dat (numopen=504) NT_STATUS_OK
> [2018/01/24 18:28:37.934320, 3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
> [2018/01/24 18:28:37.934340, 3] ../source3/smbd/dir.c:656(dptr_create)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> The name STA\I7X4-42G-12$ is a machine name. Is this one of those normal
> and expected error messages or does it indicate a problem?

Computer accounts are mostly like user accounts, and they can be used to
connect to network shares. For example, a workstation computer account is
used to connect to the SYSVOL share to download GPO at machine startup.

It is uncommon to have a workstation connect to a fileserver, although
there are some use cases. If my memory is right, the server is
configured with rfc2307, so it gets uidnumber and gidnumber from the LDAP
tree, and there is probably no uidnumber on workstation accounts.

One option is to add uidnumber/gidnumber to workstations to avoid this
error message, or to switch to rid mapping (but you'll need to remap ACLs
on network shares). But anyway, like I said before, there is probably no
use for your workstation to connect to the server, so you may have to
check why it is doing that.

For the high load, I don't know if it is linked to that. If the
non-resolving query is coming in all the time, it may be useful to add
some negative cache time on winbind.

Cheers,
Denis
>
> When I run "wbinfo -i" it returns valid info for domain users. Is it
> supposed to do the same for machine accounts?
>
> If this is a red herring, do you have any suggestions on how to proceed?
> Thanks.
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
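
Added example, not part of the original messages and not Samba project code: a Python triage script that counts how often smbd logs "is invalid on this system" per principal at log level 3, separating machine accounts (names ending in `$`) from user accounts, to judge whether the unresolvable lookups arrive often enough to matter. The log excerpt is constructed from the lines quoted in the thread; `STA\WS-EXAMPLE$` and `STA\exampleuser` are made-up names.

```python
import re
from collections import Counter

# Record header: "[YYYY/MM/DD HH:MM:SS.ffffff,  level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s+[^\s(]+\((\w+)\)")
INVALID = re.compile(r"Username (\S+) is invalid on this system")

def parse_records(text):
    """Yield (timestamp, function, message); wrapped continuation lines are joined."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), m.group(3), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def unmapped_principals(text):
    """Count principals with no local mapping, split into (machines, users)."""
    machines, users = Counter(), Counter()
    for _ts, func, msg in parse_records(text):
        m = INVALID.search(msg) if func == "get_user_from_kerberos_info" else None
        if m:
            name = m.group(1)
            # Machine (computer) account names end with "$"
            (machines if name.endswith("$") else users)[name] += 1
    return machines, users

# Constructed sample in smbd log layout (header line, indented message lines)
SAMPLE = r"""[2018/01/24 18:28:37.933498,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username STA\I7X4-42G-12$ is invalid on this
  system
[2018/01/24 18:28:37.933525,  3] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2018/01/24 18:28:39.102211,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username STA\I7X4-42G-12$ is invalid on this system
[2018/01/24 18:28:41.500102,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username STA\WS-EXAMPLE$ is invalid on this system
[2018/01/24 18:28:42.000001,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username STA\exampleuser is invalid on this system
"""

if __name__ == "__main__":
    machines, users = unmapped_principals(SAMPLE)
    print("machine accounts:", machines.most_common())
    print("user accounts:", users.most_common())
```

A user account showing up in the second counter points to a missing uidnumber on a real user rather than the machine-account case discussed in the thread.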