
[Samba] Samba4 Centos 7 - CPU 100%


Maiquel Consalter via samba

Aug 19, 2016, 2:00:03 PM
Hi Group,
I have 3 DCs with Samba4 on CentOS 7, and they are showing the CPU at 100%
on all DCs. CentOS 7 is the basic installation and Samba4 is compiled. I have
2.000 machines authenticated on these DCs: WinX, Win7, Win8 and Win10.
Has anyone had a problem with Samba4 on CentOS with the CPU at 100%?

Attached my config.

Tks.
samba4.txt

Marc Muehlfeld via samba

Aug 19, 2016, 2:50:02 PM
Hi Maiquel,

On 19.08.2016 at 19:29, Maiquel Consalter via samba wrote:
> i have 3 DC with samba4 with Centos 7, they are showing the CPU with 100%
> in all DC. The centos 7 is the basic installation and samba4 compile.I have
> 2.000 machine authenticated in this DC, is WinX, Win7, Win8 and Win10 .
> Someone have problem with samba4 with centos cpu 100%. ?

* Which process consumes the 100% of your CPU? samba, smbd, winbind...?

* Does the CPU load go up directly after you start up Samba? When does
this happen?

* What version are you currently running? Your "server string" says
4.3.1. Is this correct? What happens if you update to 4.4.5? A lot of
things have been fixed in the meantime.



> Attached my config.

Sorry. Can you please show us your existing smb.conf - without all those
defaults and unnecessary stuff.

By the way, it's not important for your problem, but I'm missing the
[sysvol] share in your smb.conf. Are you really only having a [netlogon]
share?



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

Aug 19, 2016, 2:50:03 PM
Could you please post your smb.conf as it is stored on the DC, not the
result of 'samba-tool testparm -v'

Rowland

Rowland Penny via samba

Aug 19, 2016, 3:00:02 PM
On Fri, 19 Aug 2016 20:48:19 +0200
Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:

> Hi Maiquel,
>
> On 19.08.2016 at 19:29, Maiquel Consalter via samba wrote:
> > i have 3 DC with samba4 with Centos 7, they are showing the CPU
> > with 100% in all DC. The centos 7 is the basic installation and
> > samba4 compile.I have 2.000 machine authenticated in this DC, is
> > WinX, Win7, Win8 and Win10 . Someone have problem with samba4 with
> > centos cpu 100%. ?
>
> * Which process consumes the 100% of your CPU? samba, smbd,
> winbind...?
>
> * Does the CPU load goes up directly after you start up Samba? When
> does this happen?
>
> * What version are you currently running? Your "server string" says
> 4.3.1. Is this correct? What happens if you update to 4.4.5? A lot of
> things have been fixed in the meantime.
>
>
>
> > Attached my config.
>
> Sorry. Can you please show us your existing smb.conf - without all
> that defaults and unnecessary stuff.
>
> By the way, it's not important for your problem, but I'm missing the
> [sysvol] share in your smb.conf. Are you really only having a
> [netlogon] share?
>
>
>
> Regards,
> Marc
>

Hi Marc, it is there, I suppose you were a bit like me, your eyes
glazed over looking at all those lines LOL

Rowland

Maiquel Consalter via samba

Aug 19, 2016, 3:00:02 PM
Follow:

* Which process consumes the 100% of your CPU? samba, smbd, winbind...?
A: samba

* Does the CPU load goes up directly after you start up Samba? When does
this happen?
A: The load goes up 1 minute after starting Samba.

* What version are you currently running? Your "server string" says
4.3.1. Is this correct? What happens if you update to 4.4.5? A lot of
things have been fixed in the meantime.
A: The string is wrong. The version is 4.4.5.

Sorry. Can you please show us your existing smb.conf - without all that
defaults and unnecessary stuff.

# Global parameters
[global]
workgroup = LA.BR
realm = lala.br
netbios name = DC-SERVER1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 189.90.65.11
dsdb:schema update allowed = true
#rpc_server:epmapper = disabled
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0 lo
server services = -dns
smb2 leases = yes
allow dns updates = nonsecure

log file = /var/log/samba/%m.log
log level = 1

[netlogon]
path = /usr/local/samba/var/locks/sysvol/campus.uel.br/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

By the way, it's not important for your problem, but I'm missing the
[sysvol] share in your smb.conf. Are you really only having a [netlogon]
share?

Thanks.
--
Att,
Maiquel

Rowland Penny via samba

Aug 19, 2016, 3:30:02 PM
Looking at this:

dns forwarder = 189.90.65.11

and this:

server services = -dns

You only need one or the other, the first is only required if you use
the internal DNS server and the second says you are using Bind9
instead.

Try removing 'smb2 leases = yes'.

I would also remove 'dsdb:schema update allowed = true'; you only need
this to update the schema, which brings up a point: have you extended
the schema? If so, with what and how?
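
The points raised in this reply about the posted smb.conf can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: a small Python lint run over a constructed copy of the posted [global] section. The last two checks ('allow dns updates = nonsecure', and 'ldap server require strong auth = no', which appears in a config posted later in the thread) are not raised by anyone in the thread; they are included as an assumption about what a reviewer of a DC config would also flag.

```python
import configparser

# Constructed sample: the [global] section as posted earlier in this thread.
SMB_CONF = """\
# Global parameters
[global]
workgroup = LA.BR
realm = lala.br
netbios name = DC-SERVER1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 189.90.65.11
dsdb:schema update allowed = true
#rpc_server:epmapper = disabled
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0 lo
server services = -dns
smb2 leases = yes
allow dns updates = nonsecure
"""

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}


def load_global(text):
    """Parse smb.conf text and return the [global] parameters as a dict."""
    # smb.conf parameters are usually indented; configparser would read an
    # indented line as a continuation of the previous value, so strip first.
    cleaned = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(
        delimiters=("=",),             # ':' is part of names like dsdb:...
        comment_prefixes=("#", ";"),
        interpolation=None,            # values such as %m must stay literal
        allow_no_value=True,
        strict=False,
    )
    # Samba ignores case and spacing in parameter names; this example folds
    # case and repeated spaces only.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(cleaned)
    return dict(cp["global"]) if cp.has_section("global") else {}


def lint(text):
    """Return a list of (parameter, note) findings for the [global] section."""
    g = load_global(text)

    def val(key):
        return (g.get(key) or "").strip().lower()

    findings = []
    services = val("server services").replace(",", " ").split()
    if val("dns forwarder") and "-dns" in services:
        findings.append(("dns forwarder",
                         "set together with 'server services = -dns': the "
                         "forwarder is only used by the internal DNS server, "
                         "and -dns means Bind9 is used instead"))
    if val("dsdb:schema update allowed") in TRUE:
        findings.append(("dsdb:schema update allowed",
                         "only needed while the schema is being updated"))
    if val("smb2 leases") in TRUE:
        findings.append(("smb2 leases",
                         "the reply suggests removing this while debugging"))
    # The two checks below are additions of this example, not from the thread.
    if val("allow dns updates") == "nonsecure":
        findings.append(("allow dns updates",
                         "dynamic DNS updates are accepted without "
                         "authentication"))
    if val("ldap server require strong auth") in FALSE:
        findings.append(("ldap server require strong auth",
                         "simple and SASL binds are allowed over any "
                         "transport, including unencrypted connections"))
    return findings


if __name__ == "__main__":
    for name, note in lint(SMB_CONF):
        print(f"{name}: {note}")
```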

Maiquel Consalter via samba

Aug 19, 2016, 5:10:04 PM
Tks Rowland for your feedback.

I will make the changes that you posted and report back to all.
I do not use the schema, I believe that is legacy.
--
Att,
Maiquel

barış tombul

Aug 20, 2016, 9:00:02 AM
Your problem is winbind max clients = 2000

Change winbind max clients = 200

On 19 Aug 2016 at 8:57 PM, "Maiquel Consalter via samba" <
sa...@lists.samba.org> wrote:

Marc Muehlfeld via samba

Aug 20, 2016, 9:10:02 AM
On 19.08.2016 at 20:55, Rowland Penny via samba wrote:
> Hi Marc, it is there, I suppose you were a bit like me, your eyes
> glazed over looking at all those lines LOL

No, it was caused by a bug in gedit:

I opened the file in gedit in full screen mode. The last line I see, if
I scroll down to the end, is the empty line after the [netlogon] section:
http://picpaste.de/pics/screenshot-CVHeNuVX.1471697959.png

If gedit is not in fullscreen mode, I also see the 3 additional lines
with the [sysvol] section. :-)


Regards,
Marc

Maiquel Consalter via samba

Aug 20, 2016, 3:10:04 PM
Hi Marc,
Do I need to remove some line in smb.conf for sysvol, or is it just a bug
in gedit's view?
tks.
--
Att,
Maiquel

Maiquel Consalter via samba

Aug 20, 2016, 3:30:02 PM
Hi tombul,
I will change it and report back to you.

tks.
--
Att,
Maiquel

Marc Muehlfeld via samba

Aug 21, 2016, 5:00:03 AM
Hi Maiquel,

On 20.08.2016 at 21:03, Maiquel Consalter via samba wrote:
> I need remove some line in smb.conf for sysvol ? or just is bug in gedit
> for view ?

It's a bug in gedit that it doesn't show me the last few lines. So
nothing to fix here. Anyway, the [sysvol] section isn't your problem.

One thing to check is your log file. Does anything interesting appear
if the load grows? If not, increase the "log level" and additionally the
"max log size".

Does the load also grow if only one DC is up?

Maiquel Consalter via samba

Aug 22, 2016, 1:40:04 PM
Hi,
I changed the options but the problem is the same.
I removed the dns forwarder, schema and smb2 leases = yes, but after 5
minutes the smbd process goes up to 100%.
The error follows (log level = 3): http://pasted.co/6f36cf12

2016-08-21 5:54 GMT-03:00 Marc Muehlfeld <mmueh...@samba.org>:

> Hi Maiquel,
>
> On 20.08.2016 at 21:03, Maiquel Consalter via samba wrote:
> > I need remove some line in smb.conf for sysvol ? or just is bug in gedit
> > for view ?
>
> It's a bug in gedit that it doesn't show me the last few lines. So
> nothing to fix here. Anyway, the [sysvol] section isn't your problem.
>
> One thing to check is your log file. Does anything interesting appears
> if the load grows? If not, increase the "log level" and additionally the
> "max log size".
>
> Does the load also grows if only one DC is up?
>
>
> Regards,
> Marc
>
>


--
Att,
Maiquel

mathias dufresne via samba

Aug 23, 2016, 5:30:04 AM
If your issue is not solved, did you try what barış tombul proposed 3
days ago?

2016-08-22 19:36 GMT+02:00 Maiquel Consalter via samba <
sa...@lists.samba.org>:

Denis Cardon via samba

Aug 23, 2016, 6:00:03 AM
Hi Maiquel,

> i changed the options but the problem it's the same.
> I removed the dns forward, schema and smb2 leases = yes, but after 5
> minutes the process smbd groes up for 100%.
> Follow the error (log leve = 3). http://pasted.co/6f36cf12

Could you try the "top" command to see which samba process id is running
at 100%, then run "samba-tool processes" to see what the purpose is of the
samba process that is causing trouble?

Cheers,

Denis

>
> 2016-08-21 5:54 GMT-03:00 Marc Muehlfeld <mmueh...@samba.org>:
>
>> Hi Maiquel,
>>
>> On 20.08.2016 at 21:03, Maiquel Consalter via samba wrote:
>>> I need remove some line in smb.conf for sysvol ? or just is bug in gedit
>>> for view ?
>>
>> It's a bug in gedit that it doesn't show me the last few lines. So
>> nothing to fix here. Anyway, the [sysvol] section isn't your problem.
>>
>> One thing to check is your log file. Does anything interesting appears
>> if the load grows? If not, increase the "log level" and additionally the
>> "max log size".
>>
>> Does the load also grows if only one DC is up?
>>
>>
>> Regards,
>> Marc
>>
>>
>
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Maiquel Consalter via samba

Aug 23, 2016, 2:50:03 PM
I shut the server down and made a new installation, but when I try to join
it to the domain it is not possible.
The /etc/resolv.conf and /etc/hosts are OK.
The krb5.conf is OK too.

But when I try to join the domain it shows me this error:

Partition[DC=campus,DC=uel,DC=br] objects[27035/35135] linked_values[0/0]
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC-SERVER4,OU=Domain Controllers,DC=campus,DC=uel,DC=br
Deleted CN=NTDS Settings,CN=DC-SERVER4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=uel,DC=br
Deleted CN=DC-SERVER4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=uel,DC=br
ERROR(runtime): uncaught exception - (8409, 'WERR_DS_DATABASE_ERROR')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 651, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1192, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1096, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 838, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 253, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Can someone help me?



2016-08-23 6:30 GMT-03:00 Denis Cardon <denis....@tranquil-it-systems.fr>
:
Att,
Maiquel

Maiquel Consalter via samba

Aug 23, 2016, 3:10:03 PM
Hi Denis,

The output follows.

TOP
29723 root 20 0 1617024 487668 383560 R 99,7 6,1 54:25.11 samba

Service: PID
-----------------------------
dnsupdate 29734
cldap_server 29727
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
rpc_server 29723
nbt_server 29724
winbind_server 29731
kdc_server 29728
notify-daemon 29738
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
ldap_server 29726
kccsrv 29733
samba 0
dreplsrv 29729

2016-08-23 6:30 GMT-03:00 Denis Cardon <denis....@tranquil-it-systems.fr>
:

Att,
Maiquel
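
The two-step check suggested earlier in the thread (use top to find the busy PID, then 'samba-tool processes' to see which service is registered under it), applied to output of the shape posted above. This is an added example, not part of the thread or of Samba; the sample input is constructed and abridged, and the second top line and the function names are assumptions of the example.

```python
from collections import Counter

# Constructed sample: top process lines. The first has the shape of the line
# posted above (note the comma decimal separator from the poster's locale);
# the second is invented for contrast.
TOP_LINES = """\
29723 root 20 0 1617024 487668 383560 R 99,7 6,1 54:25.11 samba
29726 root 20 0 1201024 120668 83560 S 2,3 1,5 3:02.40 samba
"""

# Constructed sample: abridged 'samba-tool processes' table.
PROCESSES = """\
 Service:                PID
-----------------------------
dnsupdate 29734
cldap_server 29727
rpc_server 29723
rpc_server 29723
rpc_server 29723
nbt_server 29724
ldap_server 29726
ldap_server 29726
samba 0
dreplsrv 29729
"""


def parse_top(text):
    """Return [(pid, cpu_percent, command)] from top process lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        if len(fields) < 12 or not fields[0].isdigit():
            continue
        cpu = float(fields[8].replace(",", "."))  # accept "99,7" and "99.7"
        rows.append((int(fields[0]), cpu, fields[11]))
    return rows


def parse_processes(text):
    """Return {pid: Counter({service: number_of_rows})}."""
    by_pid = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            continue  # header, ruler or blank line
        service, pid = fields[0], int(fields[1])
        by_pid.setdefault(pid, Counter())[service] += 1
    return by_pid


def hot_services(top_text, proc_text, threshold=90.0):
    """List (pid, cpu, {service: rows}) for every PID at or above threshold."""
    by_pid = parse_processes(proc_text)
    return [
        (pid, cpu, dict(by_pid.get(pid, {})))
        for pid, cpu, _command in parse_top(top_text)
        if cpu >= threshold
    ]


if __name__ == "__main__":
    for pid, cpu, services in hot_services(TOP_LINES, PROCESSES):
        print(f"PID {pid} at {cpu}% CPU -> {services}")
```

An empty service dict for a busy PID means the process is not one that 'samba-tool processes' lists, for example an smbd or winbindd child.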

Rowland Penny via samba

Aug 23, 2016, 3:50:04 PM
Try running 'samba-tool dbcheck'

If it finds any errors, try 'samba-tool dbcheck --fix'

Rowland

Maiquel Consalter via samba

Aug 24, 2016, 4:30:04 PM
Tks Rowland, it works.
But even with the new installation the server goes up to 100%.
We don't have iptables enabled. Maybe if we enable iptables the CPU will
go down. What do you think?
--
Att,
Maiquel

Maiquel Consalter via samba

Aug 29, 2016, 7:20:03 AM
Hi Folks,
I tried to make some tests, but the problem is the same. Does anyone have
an idea how I can solve my problem? I tried a new installation and upgraded
all packages, but before 1 minute the process is still at 100% and the
process is rpc_server.

Tks for any advice.

mathias dufresne via samba

Aug 29, 2016, 7:50:03 AM
Did you try, as proposed by Baris, to lower "winbind max clients"?

2016-08-29 13:09 GMT+02:00 Maiquel Consalter via samba <
sa...@lists.samba.org>:

Rowland Penny via samba

Aug 29, 2016, 8:30:03 AM
On Mon, 29 Aug 2016 08:09:46 -0300
Maiquel Consalter via samba <sa...@lists.samba.org> wrote:

> Hi Folks,
> i tryed make some tests, but the problem it the same. Someone have
> some idea how i solve my problem ? I try the new instalation, upgrade
> all packates but before 1 minute the process still in 100% and the
> process is rpc_server.
>


You say you have compiled Samba yourself, so I take it that Samba is
installed at /usr/local/samba, if so, is the new samba in your PATH and
are there any OS Samba packages installed ?

Is there a firewall running, if so, try turning it off
Is Selinux running, if so, try disabling it.

What packages did you install before compiling Samba ?

Maiquel Consalter via samba

Aug 29, 2016, 9:00:03 AM
>You say you have compiled Samba yourself, so I take it that Samba is
>installed at /usr/local/samba, if so, is the new samba in your PATH and
>are there any OS Samba packages installed ?
I compiled it myself. I removed all Samba packages before starting the
installation.
My options: ./configure --sysconfdir=/etc/samba/ --mandir=/usr/share/man/
--enable-debug --enable-selftest && make && make install

>Is there a firewall running, if so, try turning it off // Is Selinux
>running, if so, try disabling it.
setenforce 0
service firewalld stop
service iptables stop
service ip6tables stop
systemctl disable firewalld
systemctl disable iptables
systemctl disable ip6tables

>What packages did you install before compiling Samba ?

yum install libacl-devel e2fsprogs-devel gnutls-devel readline-devel
python-devel gdb pkgconfig gcc libblkid-devel zlib-devel
setroubleshoot-server setroubleshoot-plugins policycoreutils-python
libsemanage-python setools-libs-python setools-libs popt-devel
libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel
libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel
krb5-workstation perl openldap-devel bind bind-sdb

Tks
--
Att,
Maiquel

Rowland Penny via samba

Aug 29, 2016, 9:30:02 AM
On Mon, 29 Aug 2016 09:53:33 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> >You say you have compiled Samba yourself, so I take it that Samba is
> >installed at /usr/local/samba, if so, is the new samba in your PATH
> >and are there any OS Samba packages installed ?
> I compiled it myself. I removed all Samba packages before starting the
> installation.
> My options: ./configure --sysconfdir=/etc/samba/
> --mandir=/usr/share/man/ --enable-debug --enable-selftest && make &&
> make install

So you have smb.conf at /etc/samba, the manpages at /usr/share/man and
everything else at /usr/local/samba.
If you open a terminal and type 'echo $PATH' , do you have
'/usr/local/samba/bin:/usr/local/samba/sbin:' at the start ?

>
> >Is there a firewall running, if so, try turning it off // Is Selinux
> running, if so, try disabling it.
> setenforce 0
> service firewalld stop
> service iptables stop
> service ip6tables stop
> systemctl disable firewalld
> systemctl disable iptables
> systemctl disable ip6tables

Does this change anything ?

>
> >What packages did you install before compiling Samba ?
>
> yum install libacl-devel e2fsprogs-devel gnutls-devel readline-devel
> python-devel gdb pkgconfig gcc libblkid-devel zlib-devel
> setroubleshoot-server setroubleshoot-plugins policycoreutils-python
> libsemanage-python setools-libs-python setools-libs popt-devel
> libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel
> libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel
> krb5-workstation perl openldap-devel bind bind-sdb

If you look here:

https://wiki.samba.org/index.php/Operating_system_requirements/Dependencies_-_Libraries_and_programs#Red_Hat_Enterprise_Linux_.2F_CentOS_.2F_Scientific_Linux

and compare it with your list, there are these extra packages:

attr libaio-devel perl-ExtUtils-MakeMaker perl-Parse-Yapp perl-Test-Base
cups-devel bind-utils libxslt docbook-style-xsl autoconf python-crypto
pam-devel

These may be packages that are already installed, but I suggest you try
to install them and if any get installed, you will have to recompile
Samba.

Maiquel Consalter via samba

Aug 29, 2016, 10:00:04 AM
> >You say you have compiled Samba yourself, so I take it that Samba is
> >installed at /usr/local/samba, if so, is the new samba in your PATH
> >and are there any OS Samba packages installed ?
> I compiled it myself. I removed all Samba packages before starting the
> installation.
> My options: ./configure --sysconfdir=/etc/samba/
> --mandir=/usr/share/man/ --enable-debug --enable-selftest && make &&
> make install

> So you have smb.conf at /etc/samba, the manpages at /usr/share/man and
> everything else at /usr/local/samba.
> If you open a terminal and type 'echo $PATH' , do you have
> '/usr/local/samba/bin:/usr/local/samba/sbin:' at the start ?
My echo $PATH follows =>
usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/samba/bin:/usr/local/samba/sbin:/root/bin
>
> >Is there a firewall running, if so, try turning it off // Is Selinux
> running, if so, try disabling it.
> setenforce 0
> service firewalld stop
> service iptables stop
> service ip6tables stop
> systemctl disable firewalld
> systemctl disable iptables
> systemctl disable ip6tables

> Does this change anything ?
No, I just stopped them; the problem is the same.
>
> >What packages did you install before compiling Samba ?
>
> yum install libacl-devel e2fsprogs-devel gnutls-devel readline-devel
> python-devel gdb pkgconfig gcc libblkid-devel zlib-devel
> setroubleshoot-server setroubleshoot-plugins policycoreutils-python
> libsemanage-python setools-libs-python setools-libs popt-devel
> libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel
> libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel
> krb5-workstation perl openldap-devel bind bind-sdb

> If you look here:

> and compare it with your list, there are these extra packages:

> attr libaio-devel perl-ExtUtils-MakeMaker perl-Parse-Yapp perl-Test-Base
> cups-devel bind-utils libxslt docbook-style-xsl autoconf python-crypto
> pam-devel

> These may be packages that are already installed, but I suggest you try
> to install them and if any get installed, you will have to recompile
OK, I will install them and recompile Samba. I will give you feedback
soon.
Tks.
--
Att,
Maiquel

Rowland Penny via samba

Aug 29, 2016, 10:10:03 AM
On Mon, 29 Aug 2016 10:48:15 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/samba/bin:/usr/local/samba/sbin:/root/bin

Your PATH should start with '/usr/local/samba/bin:/usr/local/samba/sbin'
That way you are certain to use the Samba components you have compiled.

Rowland Penny via samba

Aug 29, 2016, 12:50:03 PM
On Mon, 29 Aug 2016 13:20:48 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

OK, you now have samba compiled correctly (if it wasn't before), you
have turned off the firewall and selinux and you use bind9 as the dns
server. It should work ok, but it obviously doesn't.

Can we recap some settings etc and get them all in the same place. I
know you will have posted most of them already, but they are scattered
in several posts.

How did you provision samba, what were the exact commands used ?

please post the following:

/etc/resolv.conf
/etc/hosts
/etc/hostname
/etc/named.conf or /etc/named/named.conf
/etc/krb5.conf

If you need to, change the names and IPs, but please use the same ones.

Finally (for the time being) can you check if there is another kerberos
server running on the DC (just to rule it out).

Maiquel Consalter via samba

Aug 29, 2016, 1:30:03 PM
Let me explain my environment. I have 3 DCs: 105 (Principal), 106 and 101
(which I use for testing). On all DCs the CPU grows to 100%. I just made
the change on one DC, not all, OK?

> How did you provision samba, what were the exact commands used ?
samba-tool domain provision --realm=DOMAIN.BR --domain=DOMAIN
--server-role=dc --adminpass=pwd

> /etc/resolv.conf
search domain.br
nameserver 10.10.10.105
nameserver 10.10.10.106

> /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.101 dc-server4.domain.br dc-server4
!
> /etc/hostname
dc-server4.domain.br
!
> /etc/named.conf or /etc/named/named.conf
I don't have named configured on this DC; I set dns forwarder =
10.10.10.11.

> /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = true
default_realm = DOMAIN.BR
!
> smb.conf
# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo ens32
netbios name = DC-SERVER4
realm = DOMAIN.BR
dns forwarder = 10.10.10.11
workgroup = DOMAIN.BR
server role = active directory domain controller
ldap server require strong auth = no
comment =
log level = 3
log file = /var/log/samba.log
[netlogon]
path = /usr/local/samba/var/locks/sysvol/DOMAIN.BR/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

!

>Finally (for the time being) can you check if there is another kerberos
>server running on the DC (just to rule it out).

Ticket cache: KEYRING:persistent:0:0
Default principal: admini...@DOMAIN.BR

Valid starting Expires Service principal
29-08-2016 11:26:41 29-08-2016 21:26:41 krbtgt/DOMA...@DOMAIN.BR
renew until 05-09-2016 11:26:34


Some errors:

[2016/08/29 14:19:11.836901, 3] ../source4/auth/ntlm/auth.c:675(auth_register)
  AUTH backend 'winbind_wbclient' registered
[2016/08/29 14:19:11.836940, 3] ../source4/auth/ntlm/auth.c:675(auth_register)
  AUTH backend 'name_to_ntstatus' registered
[2016/08/29 14:19:11.836969, 3] ../source4/auth/ntlm/auth.c:675(auth_register)
  AUTH backend 'unix' registered
[2016/08/29 14:19:11.844165, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/29 14:19:11.844364, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2016/08/29 14:19:11.847261, 3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/292929
[2016/08/29 14:19:11.849417, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/08/29 14:19:11.855367, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/08/29 14:19:11.856999, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/292929
[2016/08/29 14:19:11.861331, 3] ../source3/smbd/negprot.c:711(reply_negprot)
  Selected protocol SMB 2.???
[2016/08/29 14:22:57.715099, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_PATH_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293
[2016/08/29 14:22:57.828768, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293
[2016/08/29 14:23:11.282681, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_PATH_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293
[2016/08/29 14:23:19.261429, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:154
[2016/08/29 14:23:19.687733, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_INFO_LENGTH_MISMATCH] || at ../source3/smbd/smb2_query_directory.c:154
[2016/08/29 14:23:19.974391, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:154
--
Att,
Maiquel

Rowland Penny via samba

Aug 29, 2016, 2:10:03 PM
On Mon, 29 Aug 2016 14:25:25 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> Let-me explain my environment. I have 3 DCI 105 (Principal) 106 and
> 101 (where i use for test). All DC its CPU for grow up for 100%. I
> just make the change in one DC, not all ok ?
>
> > How did you provision samba, what were the exact commands used ?
> samba-tool domain provision --realm=DOMAIN.BR --domain=DOMAIN
> --server-role=dc --adminpass=pwd
>

The only thing I can see that is possibly wrong, (depending on what you
call wrong), you didn't provision with '--use-rfc2307 --use-xattrs=yes'
The last one isn't really a problem as it will be set to 'auto' and
xattrs will be used if they can. Not using the first means that the
ypserver ldif won't have been added. As this is the only thing
possibly wrong, you could try reading this:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Maiquel Consalter via samba

Aug 29, 2016, 2:20:03 PM
Hi Rowland,
we did the classic upgrade from samba3 to samba4. We used this link
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)

tks.
--
Att,
Maiquel

Rowland Penny via samba

Aug 29, 2016, 2:30:03 PM
On Mon, 29 Aug 2016 15:14:07 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> Hi Rowland,
> we make the classic upgrade samba3 fo samba4. We use this link
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)
>
> tks.
>


Pardon ???

I said 'How did you provision samba, what were the exact commands
used ?'

and you then said 'samba-tool domain provision --realm=DOMAIN.BR --domain=DOMAIN
--server-role=dc --adminpass=pwd'

You are only supposed to provision one DC in the domain and the
classicupgrade does that for you, so have you actually provisioned any
DCs ? i.e. did you run the command you posted.

Maiquel Consalter via samba

Aug 29, 2016, 2:40:02 PM
Sorry Rowland, my mistake.

We used this command:

samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir
--use-xattrs=yes --realm=domain.br --dns-backend=SAMBA_INTERNAL
/usr/local/samba.PDC/etc/samba/smb.conf.PDC

Sorry about the wrong information.
--
Att,
Maiquel

Rowland Penny via samba

Aug 29, 2016, 2:50:02 PM
On Mon, 29 Aug 2016 15:31:40 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> Sorry Rowland, my mistake.
>
> We used this command:
>
> samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir
> --use-xattrs=yes --realm=domain.br --dns-backend=SAMBA_INTERNAL
> /usr/local/samba.PDC/etc/samba/smb.conf.PDC
>

You got me worried there ;-)

try running 'samba-tool dbcheck' again, you could also check
replication 'samba-tool drs showrepl'

After this, I am running out of suggestions, I am beginning to think
that something went wrong with the classicupgrade, but this usually
throws an error during the upgrade, not some time later.

Anybody else got any suggestions ????

Maiquel Consalter via samba

Aug 29, 2016, 3:30:03 PM
Rowland,
the problem showed up after the upgrade. When we had Samba 3 the CPU was
not at 100%.
The problem only showed up after the classic upgrade.
--
Att,
Maiquel

L.P.H. van Belle via samba

Aug 29, 2016, 3:30:03 PM
I'm not at a computer to look some things up but I'm thinking..

dbdir=/usr/local/samba.PDC/dbdir
What is the size of this dir?

What is the size of the AD db dir on every server now?

I think something in the old db import causes a resync when you modify something in the db,
so I suggest you try monitoring disk I/O and CPU, and look for busy files.
If we know the files, we know the processes using them. If the same files are busy on all servers,
then maybe you have found an unknown bug.

Which Samba version did the old db come from? Tell us about the old setup; did you use an LDAP backend, for example?
A post of your old config may also be handy.

Greetz,

Louis

On 29 Aug 2016 at 20:46, Rowland Penny via samba <sa...@lists.samba.org> wrote:

dbdir=/usr/local/samba.PDC/dbdir

lingpanda101--- via samba

Aug 29, 2016, 3:30:03 PM
On 8/29/2016 2:43 PM, Rowland Penny via samba wrote:
> On Mon, 29 Aug 2016 15:31:40 -0300
> Maiquel Consalter <maiquelc...@gmail.com> wrote:
>
>> Sorry Rowland, my mistake.
>>
>> We used this command:
>>
>> samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir
>> --use-xattrs=yes --realm=domain.br --dns-backend=SAMBA_INTERNAL
>> /usr/local/samba.PDC/etc/samba/smb.conf.PDC
>>
> You got me worried there ;-)
>
> try running 'samba-tool dbcheck' again, you could also check
> replication 'samba-tool drs showrepl'
>
> After this, I am running out of suggestions, I am beginning to think
> that something went wrong with the classicupgrade, but this usually
> throws an error during the upgrade, not some time later.
>
> Anybody else got any suggestions ????
>
> Rowland
>
>

Is port 135 open? Can you run the following command?

'nmap -sT -O localhost'

If you do not have nmap installed what about

'netstat -vatn'



--
-James

Maiquel Consalter via samba

Aug 29, 2016, 3:40:03 PM
Follow, our old config: http://pastebin.com/kpfATT0h

tks.

2016-08-29 16:18 GMT-03:00 L.P.H. van Belle via samba <sa...@lists.samba.org>:
--
Att,
Maiquel

Maiquel Consalter via samba

Aug 29, 2016, 3:40:03 PM
>Is port 135 open? Can you run the following command?

>'nmap -sT -O localhost'

>If you do not have nmap installed what about

>'netstat -vatn'

Yes, it's open.
135/tcp open msrpc

Tks.

2016-08-29 16:19 GMT-03:00 lingpanda101--- via samba <sa...@lists.samba.org>:
--
Att,
Maiquel

Maiquel Consalter via samba

Aug 29, 2016, 3:50:03 PM
My version is 4.4.5.
Thanks.

2016-08-29 16:41 GMT-03:00 lingpanda101--- via samba <sa...@lists.samba.org>:
> Never mind. I think this option only exists in 4.3.8. Not yours which is
> 4.3.1.
>
> --
> -James

Andrew Bartlett via samba

Aug 29, 2016, 3:50:03 PM
On Fri, 2016-08-19 at 14:29 -0300, Maiquel Consalter via samba wrote:
> Hi Group,
> i have 3 DC with samba4 with Centos 7, they are showing the CPU with
> 100%
> in all DC. The centos 7 is the basic installation and samba4
> compile.I have
> 2.000 machine authenticated in this DC, is WinX, Win7, Win8 and Win10
> .
> Someone have problem with samba4 with centos cpu 100%. ?
>
> Attached my config.

Where is it spinning?

With all the required debug packages installed, then run it under perf
and generate a flame graph per:

http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html

The resulting .svg file is often quite enlightening.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

lingpanda101--- via samba

Aug 29, 2016, 3:50:03 PM
On 8/29/2016 3:33 PM, Maiquel Consalter via samba wrote:
> Follow, our old config: http://pastebin.com/kpfATT0h
>
> tks.

Never mind. I think this option only exists in 4.3.8. Not yours which is
4.3.1.

--
-James


lingpanda101--- via samba

Aug 29, 2016, 3:50:04 PM
On 8/29/2016 3:45 PM, Maiquel Consalter wrote:
> My version is 4.4.5.
> Thanks.

You should have that option. I didn't see it in your initial post. Can
you confirm? Thanks.

lingpanda101--- via samba

Aug 29, 2016, 3:50:04 PM
On 8/29/2016 3:33 PM, Maiquel Consalter via samba wrote:
> Follow, our old config: http://pastebin.com/kpfATT0h
>
> tks.

Do you have this option in your smb.conf?

'allow dcerpc auth level connect = No'


--
-James

Maiquel Consalter via samba

Aug 29, 2016, 4:00:03 PM
This option is not default:


2016-08-29 16:47 GMT-03:00 lingpa...@gmail.com <lingpa...@gmail.com>:

> On 8/29/2016 3:45 PM, Maiquel Consalter wrote:
>
> My version is 4.4.5.
> Thanks.
>
>
> You should have that option. I didn't see it in your initial post. Can you
> confirm? Thanks.
>
> --
> -James
>
>


--
Att,
Maiquel

L.P.H. van Belle via samba

Aug 30, 2016, 4:10:03 AM
Just checked your smb.conf

Now I don't know the exact working of: samba-tool domain classicupgrade

Rowland knows all about that but I see some things which might give the problems.

I'll have to ask Rowland to have a look in this..

But I do think that the “old samba 3” domain was not a domain.

I don't know if that hurts the upgrade.

Can you check if you have “2 x” Administrator in your domain?

And can you run:

samba-tool ldapcmp --filter="whenChanged" ldap://DC1 ldap://DC2

 

but im did see what you old samba version was.

And you didnt tell how big the DB sized are.

That can really be handy to know.

 

Greetz,

 

Louis

Andrew Bartlett via samba

Aug 30, 2016, 4:20:02 AM
On Tue, 2016-08-30 at 07:46 +1200, Andrew Bartlett via samba wrote:
> On Fri, 2016-08-19 at 14:29 -0300, Maiquel Consalter via samba wrote:
> >
> > Hi Group,
> > i have 3 DC with samba4 with Centos 7, they are showing the CPU
> > with
> > 100%
> > in all DC. The centos 7 is the basic installation and samba4
> > compile.I have
> > 2.000 machine authenticated in this DC, is WinX, Win7, Win8 and
> > Win10
> > .
> > Someone have problem with samba4 with centos cpu 100%. ?
> >
> > Attached my config.
>
> Where is it spinning?
>
> With all the required debug packages installed, then run it under
> perf
> and generate a flame graph per:
>
> http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html
>
> The resulting .svg file is often quite enlightening.
>
> Andrew Bartlett

Also, how many users, groups and in particular group members in each
group (and in total)?

If you have large numbers of group members, then Samba 4.5 will help a
lot.

Thanks,

Rowland Penny via samba

Aug 30, 2016, 5:20:02 AM
On Tue, 30 Aug 2016 10:05:34 +0200
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> Just checked you smb.conf
>
>  
>
> Now i dont know the exact working of : samba-tool domain
> classicupgrade
>
> Rowland know all about that but i see some things which might give
> the problems.
>
> I’ll have to ask rowland to have a look in this..
>
>  
>
> But i do thinks that the “old samba 3 “ domain was not a domain.
>
> I dont know if that hurts the upgrade.

From reading his old smb.conf it appears it was, but I noticed
something:

Maiquel, can you run this command on a DC and report back with the
result.

ldbsearch -H /usr/local/samba/private/sam.ldb \
  -b 'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com' \
  -s sub '(objectClass=msSFU30DomainInfo)' cn | grep 'cn:' | awk '{print $NF}'

Replace 'DC=samdom,DC=example,DC=com' with your domain DN

I also take it that ldap was running on the machine when you upgraded
it to an AD DC

Rowland
>
>  
>
> Can you check if you have “2 x “ Administrator in your domain?
>
>  
>
> And can you run :
>
> samba-tool dapcmp --filter="whenChanged" ldap://DC1 ldap://DC2  
>
>  
>
> but im did see what you old samba version was.
>
> And you didnt tell how big the DB sized are.
>
> That can really be handy to know.
>
>  
>
> Greetz,
>
>  
>

Maiquel Consalter via samba

Aug 30, 2016, 10:20:03 AM
>From reading his old smb.conf it appears it was, but I noticed
>something:
>Maiquel, can you run this command on a DC and report back with the
>result.
>ldbsearch -H /usr/local/samba/private/sam.ldb -b
>'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com'
>-s sub '(objectClass=msSFU30DomainInfo)' cn | grep 'cn:' | awk '{print
>$NF}'
>Replace 'DC=samdom,DC=example,DC=com' with your domain DN
>I also it take that ldap was running on the machine when you upgraded
>it to an AD DC
Follow the output.
#> ldbsearch -H /usr/local/samba/private/sam.ldb -b \
'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=campus,DC=domain,DC=br'
-s sub '(objectClass=msSFU30DomainInfo)' cn | grep 'cn:' | awk '{print \
$NF}'
domain.br
--
Att,
Maiquel

Maiquel Consalter via samba

Aug 30, 2016, 10:20:03 AM
Hi Louis, Tks for your feedback. Sorry about delay.

>Just checked you smb.conf
>Now i dont know the exact working of : samba-tool domain classicupgrade
>Rowland know all about that but i see some things which might give the
>problems.
>I’ll have to ask rowland to have a look in this..
>But i do thinks that the “old samba 3 “ domain was not a domain.
OK, that option does not exist in my smb.conf.

>I dont know if that hurts the upgrade.
>Can you check if you have “2 x “ Administrator in your domain?
>And can you run :
>samba-tool ldapcmp --filter="whenChanged" ldap://DC1 ldap://DC2
Follow the output:
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
* Comparing [DOMAIN] context...
* DN lists have different size: 35029 != 35030

CN=05\0ACNF:7f5f0d89-ff0f-42c1-a359-f5bc1de6ff4b,CN=Computers,DC=campus,DC=domain,DC=br
* Objects to be compared: 35029
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_CONNECTION_DISCONNECTED
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 983, in run
if b1 == b2:
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 774, in __eq__
outf=self.outf, errf=self.errf)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 396, in __init__
self.attributes = self.con.get_attributes(self.dn)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 207, in get_attributes
res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])


>but im did see what you old samba version was.
>And you didnt tell how big the DB sized are.
>That can really be handy to know.
Here you asked me to check the DB size, correct? Is there some special command
to check this, or do you want to know how many users exist in my environment?


2016-08-30 5:05 GMT-03:00 L.P.H. van Belle via samba <sa...@lists.samba.org>:

Maiquel Consalter via samba

Aug 30, 2016, 10:20:03 AM
Hi Andrew,

>Also, how many users, groups and in particular group members in each
>group (and in total)?
>If you have large numbers of group members, then Samba 4.5 will help a
>lot.
We have 53k users and 580 groups.
Att,
Maiquel

Rowland Penny via samba

Aug 30, 2016, 10:50:02 AM
On Tue, 30 Aug 2016 11:15:30 -0300
Maiquel Consalter <maiquelc...@gmail.com> wrote:

> >From reading his old smb.conf it appears it was, but I noticed
> >something:
> >Maiquel, can you run this command on a DC and report back with the
> >result.
> >ldbsearch -H /usr/local/samba/private/sam.ldb -b
> >'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com'
> >-s sub '(objectClass=msSFU30DomainInfo)' cn | grep 'cn:' | awk
> >'{print $NF}'
> >Replace 'DC=samdom,DC=example,DC=com' with your domain DN
> >I also it take that ldap was running on the machine when you upgraded
> >it to an AD DC
> Follow the output.
> #> ldbsearch -H /usr/local/samba/private/sam.ldb -b \
> 'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=campus,DC=domain,DC=br'
> -s sub '(objectClass=msSFU30DomainInfo)' cn | grep 'cn:' | awk
> '{print \ $NF}'
> domain.br
>

OK, that confirms it, in the last smb.conf you posted for the DC, there
are these lines:

realm = DOMAIN.BR
workgroup = DOMAIN.BR

You have just posted that your workgroup name is 'domain.br' now
leaving aside that having '.' in a workgroup name doesn't seem to be a
good idea, your workgroup and realm in smb.conf are the same, yet the
alterations you made to the command I posted are
'DC=campus,DC=domain,DC=br'.
This means your dns name is 'campus.domain.br' and as your realm is
supposed to be the uppercase dns name, the line in smb.conf should be:

realm = CAMPUS.DOMAIN.BR

Yet you also posted that you used '--realm=domain.br' during the
classicupgrade, so I am getting really confused now ;-)

Rowland
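
The consistency check Rowland walks through above (realm expected to be the upper-cased DNS name implied by the domain DN, workgroup without a '.' and different from the realm), as an added Python example that is not part of the original thread. The function names, finding codes and inline smb.conf samples are constructed for illustration.

```python
import re

# Constructed samples: only the two [global] lines quoted in the thread, plus
# a made-up share to show that other sections are ignored.
SMB_CONF_AS_POSTED = """\
[global]
    # constructed sample
    workgroup = DOMAIN.BR
    realm = DOMAIN.BR
[netlogon]
    path = /constructed/example/path
"""
# Same file with the realm the message above says it should have.
SMB_CONF_REALM_FIXED = SMB_CONF_AS_POSTED.replace(
    "realm = DOMAIN.BR", "realm = CAMPUS.DOMAIN.BR")
DOMAIN_DN = "DC=campus,DC=domain,DC=br"


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    smb.conf ignores case and whitespace in parameter names, so keys are
    lower-cased with all whitespace removed.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def realm_from_dn(base_dn):
    """DC=campus,DC=domain,DC=br -> CAMPUS.DOMAIN.BR.

    Naive comma split: sufficient for DC= components, which carry no
    escaped commas.
    """
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "DC" and value.strip():
            labels.append(value.strip())
    if not labels:
        raise ValueError("no DC= components in %r" % base_dn)
    return ".".join(labels).upper()


def check_realm(smb_conf_text, base_dn):
    """Return a list of (code, message) findings; empty means consistent."""
    params = parse_global(smb_conf_text)
    realm = params.get("realm", "")
    workgroup = params.get("workgroup", "")
    expected = realm_from_dn(base_dn)
    findings = []
    if realm.upper() != expected:
        findings.append(("realm-mismatch",
                         "realm is %r, domain DN implies %r" % (realm, expected)))
    if "." in workgroup:
        findings.append(("workgroup-has-dot",
                         "workgroup %r contains '.'" % workgroup))
    if workgroup and workgroup.upper() == realm.upper():
        findings.append(("workgroup-equals-realm",
                         "workgroup and realm are both %r" % workgroup))
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", SMB_CONF_AS_POSTED),
                       ("realm fixed", SMB_CONF_REALM_FIXED)):
        print(name)
        for code, message in check_realm(conf, DOMAIN_DN):
            print("  %s: %s" % (code, message))
```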

Maiquel Consalter via samba

Aug 30, 2016, 11:00:05 AM
Let me show you my config. The error may be in the CTRL V + CTRL C, sorry about
that


/etc/samba/smb.conf
workgroup = DOMAIN.BR
realm = CAMPUS.DOMAIN.BR

/etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = true
default_realm = CAMPUS.DOMAIN.BR
--
Att,
Maiquel

Rowland Penny via samba

Aug 30, 2016, 11:20:03 AM
On Tue, 30 Aug 2016 11:51:35 -0300
OK, that's it, I give up, every time you ask something, you get a
different answer, first they provisioned the domain and then it was
classicupgraded, first the realm is this, then it is this, I am
beginning to think we are dealing with another 'steve' entity ;-)

Maiquel Consalter via samba

Aug 30, 2016, 12:10:03 PM
Ok thanks.
--
Att,
Maiquel

Andrew Bartlett via samba

Aug 30, 2016, 5:40:02 PM
On Tue, 2016-08-30 at 11:15 -0300, Maiquel Consalter wrote:
> Hi Andrew, 
>
> >Also, how many users, groups and in particular group members in each
> >group (and in total)?
> >If you have large numbers of group members, then Samba 4.5 will help
> a
> >lot.
> We have 53k users and 580 groups. 

OK.  Then your spinner is the client-side replication code.  Samba 4.5
will fix most of that.  See

https://www.samba.org/~dbagnall/perf-tests/

Further work can be done however, and I would strongly suggest you
contact a commercial support provider to quote on that, as at your
scale you will need the last of the O(N^2) loops fixed.

In the meantime, set 'drs:max link sync=50' and that will help a lot. 

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

Maiquel Consalter via samba

Aug 30, 2016, 6:20:03 PM
Hi Andrew,
Do I put it on all DCs or just on DC1?
Tks.

On Tuesday, 30 August 2016, Andrew Bartlett <abar...@samba.org>
wrote:

> On Tue, 2016-08-30 at 11:15 -0300, Maiquel Consalter wrote:
> > Hi Andrew,
> >
> > >Also, how many users, groups and in particular group members in each
> > >group (and in total)?
> > >If you have large numbers of group members, then Samba 4.5 will help
> > a
> > >lot.
> > We have 53k users and 580 groups.
>
> OK. Then your spinner is the client-side replication code. Samba 4.5
> will fix most of that. See
>
> https://www.samba.org/~dbagnall/perf-tests/
>
> Further work can be done however, and I would strongly suggest you
> contact a commercial support provider to quote on that, as at your
> scale you will need the last of the O(N^2) loops fixed.
>
> In the meantime, set 'drs:max link sync=50' and that will help a lot.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>

--
Att,
Maiquel

Andrew Bartlett via samba

Aug 30, 2016, 7:30:04 PM
On Tue, 2016-08-30 at 19:08 -0300, Maiquel Consalter wrote:
> Hi Andrew, 
> I put i all DC or just in DC1 ? 
> Tks. 

Every DC.  

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba





--

Maiquel Consalter via samba

Aug 30, 2016, 7:40:03 PM
Thanks a lot Andrew.
Tomorrow I will test and report for you.

On Tuesday, 30 August 2016, Andrew Bartlett <abar...@samba.org>
wrote:

> On Tue, 2016-08-30 at 19:08 -0300, Maiquel Consalter wrote:
> > Hi Andrew,
> > I put i all DC or just in DC1 ?
> > Tks.
>
> Every DC.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>

--
Att,
Maiquel

Maiquel Consalter via samba

Sep 7, 2016, 9:20:04 AM
Hi Andrew, sorry about delay.

I made the change in smb.conf but the problem is still the same.
I think i have problem with DNS, i check all config in DNS.

Tks for your feedback.

Andrew Bartlett via samba

Sep 7, 2016, 3:30:04 PM
Samba 4.5 has been released, please retry with that.

Andrew Bartlett

On Wed, 2016-09-07 at 10:15 -0300, Maiquel Consalter wrote:
> Hi Andrew, sorry about delay. 
>
> I make the change in smb.conf but the problem still the same. 
> I think i have problem with DNS, i check all config in DNS. 
>
> Tks for your feedback. 
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

