I've currently got a samba 4.0.6-GIT-3f8ea16 deployment that's spawning many  
(250 or more) smbd processes whenever a backup runs and starts backing up files 
that have samba ACLs attached to them.  (Such as the 'sysvol' volume)  This 
will effectively lock up the machine until I've restarted samba and killed the 
backup job.  If the backup is still running, samba will immediately spawn smbd 
processes again.

My machine is a 64-bit CentOS 6.4 server with 16 GB of RAM and an Intel 8-core 
Xeon processor.  Kernel is the stock CentOS 2.6.32-358.2.1.el6.x86_64.  The 
Samba part of this runs fine from the Windows perspective (that is, until the 
backup system kicks in).  

I set up my samba4 server per the instructions on the samba wiki.  Specifically, 
I followed the winbind setup instructions from here:

http://wiki.samba.org/index.php/Samba4/Winbind

In a nutshell, I had to create these sym-links:


ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

and edit my nsswitch.conf file as follows:

passwd:     files winbind
shadow:     files 
group:      files winbind


All of the suggested testing on that page works great.

After a fresh samba restart, without anything running,  things look like this:

[root@server ~]# ps ax | grep samba
 21420 ?        Ss     0:00 /usr/local/samba/sbin/samba
 21422 ?        S      0:00 /usr/local/samba/sbin/samba
 21423 ?        S      0:00 /usr/local/samba/sbin/samba
 21424 ?        Ss     0:00 /usr/local/samba/sbin/smbd --option=server role 
check:inhibit=yes --foreground
 21425 ?        S      0:00 /usr/local/samba/sbin/samba
 21426 ?        S      0:00 /usr/local/samba/sbin/samba
 21427 ?        S      0:00 /usr/local/samba/sbin/samba
 21428 ?        S      0:00 /usr/local/samba/sbin/samba
 21429 ?        S      0:00 /usr/local/samba/sbin/samba
 21430 ?        S      0:00 /usr/local/samba/sbin/samba
 21431 ?        S      0:00 /usr/local/samba/sbin/samba
 21432 ?        S      0:00 /usr/local/samba/sbin/samba
 21433 ?        S      0:00 /usr/local/samba/sbin/samba
 21434 ?        S      0:00 /usr/local/samba/sbin/samba
 21435 ?        S      0:00 /usr/local/samba/sbin/samba
 21438 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role 
check:inhibit=yes --foreground

[root@server ~]# ps ax | grep samba | wc -l
17


When a backup job kicks in, I'll see hundreds of lines similar to :

 22026 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role 
check:inhibit=yes --foreground
 22043 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role 
check:inhibit=yes --foreground
 22044 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role 
check:inhibit=yes --foreground

and I have the approximate number of samba processes:

[root@server ~]# ps ax | grep samba | wc -l
258


smbstatus will look like this, but with many more lines:

[root@server ~]# smbstatus

Samba version 4.0.6-GIT-3f8ea16
PID     Username      Group         Machine                        
-------------------------------------------------------------------
21809     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1 
(ipv4:192.168.150.1:56761)
21796     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1 
(ipv4:192.168.150.1:56748)
21771     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1 
(ipv4:192.168.150.1:56722)



If I engage Name Service Cache Daemon (nscd), then the backup will run just 
fine, and I don't seem to get an extraordinary number of samba processes.  (It 
will bump up to about 27, but stays there.) Unfortunately, nscd doesn't seem 
to play well with Samba4's internal winbind system.  The "id <username>" 
command will only return results for some of the users.  And Apache PAM 
authentication stops working with unusual errors.  (Both of which work fine 
when nscd isn't running.)

I've been looking at setting up SSSD, but I get the feeling that's not quite 
what I'm looking for either.  I get the impression that it does its own ID 
mapping, which would probably differ from the internal winbind's mapping.  
Please correct me if I'm wrong on this.

If I turn off the libnss_winbind part, there seem to be some other issues that 
crop up, such as users unable to log into their own home folders.  

It seems that I need to either:

1.)  Figure out how to make the internal winbind server behave when doing lots 
of libnss_winbind look-ups
2.)  Figure out how to take the load off winbind by using nscd and figure out 
how to make that work reliably with other things (like id <username> or apache 
mod_auth_pam)
3.)  Perhaps figure out sssd (which I haven't gotten to work yet, but haven't 
spent a ton of time on.)

If anyone has some suggestions or pointers, I'd be eternally grateful.  


Thanks!
-Joe



My smb.conf:

# Global parameters
[global]
        workgroup = KAUKAUNA
        realm = KAUKAUNA.NEWSPUB
        netbios name = SERVER
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, winbind, drepl, ntp_signd, kcc, dnsupdate, dns
        log level = 1
        #idmap config * : range = 16777216-33554431
        #idmap config * : backend = ad
        hide unreadable = yes
        allow dns updates = enabled
        dns forwarder = 8.8.8.8
        nsupdate command = /usr/local/samba/sbin/samba_dnsupdate
        map archive = no
        map readonly = no
        map hidden = no
        map system = no
        store dos attributes = yes
        winbind enum users  = yes
        winbind enum groups = yes


[netlogon]
        path = /home/samba/sysvol/kaukauna.newspub/scripts
        read only = No
        browseable = No

[sysvol]
        path = /home/samba/sysvol
        read only = No
        browseable = No

[homes]
        path = /home/KAUKAUNA/%S
        browsable = no
        writeable = yes
        valid users = %S
        create mask = 0600
        directory mask = 0700
        root preexec = /usr/local/sbin/mkhomedir.sh %U
        kernel oplocks = no
        level2 oplocks = yes
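
Added example, not part of the original post: a shell function that tallies smbstatus session rows by account and client address, so a pile-up like the one described shows up as a single count per source. It also accepts rows whose "(ipv4:...)" part has wrapped onto the next line, as in the listing in the post; the function names and the KAUKAUNA\alice sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tally smbstatus session rows by account and client address.

# Constructed sample in the shape of the listing in the post; the
# KAUKAUNA\alice row and its address are made up for illustration.
sample_smbstatus() {
cat <<'EOF'
Samba version 4.0.6-GIT-3f8ea16
PID     Username      Group         Machine
-------------------------------------------------------------------
21809     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1
(ipv4:192.168.150.1:56761)
21796     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1
(ipv4:192.168.150.1:56748)
22101     KAUKAUNA\alice  KAUKAUNA\Domain Users  192.168.150.57 (ipv4:192.168.150.57:49152)
21771     KAUKAUNA\SERVER$  KAUKAUNA\Domain Controllers  192.168.150.1
(ipv4:192.168.150.1:56722)
EOF
}

# Reads smbstatus text on stdin, prints "count<TAB>account<TAB>address",
# busiest first.
summarize_sessions() {
    awk '
        # A session row starts with a numeric PID. Columns are separated by
        # two or more spaces, so group names containing one space survive.
        /^[0-9]+ / { split($0, f, /  +/); user = f[2]; pending = 1 }
        # The address token is on the row itself or on the wrapped next line.
        pending && match($0, /\(ipv[46]:[^)]*\)/) {
            addr = substr($0, RSTART + 6, RLENGTH - 7)
            sub(/:[0-9]+$/, "", addr)          # drop the source port
            count[user "\t" addr]++
            pending = 0
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -k1,1nr
}

# Prints only the account/address pairs with more than $1 sessions.
flag_over() {
    summarize_sessions | awk -v limit="$1" '$1 > limit'
}

sample_smbstatus | summarize_sessions
```

On a live server the same functions can be fed real output, for example `smbstatus | flag_over 50`.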


