Package: samba Version: 2:4.2.14+dfsg-0+deb8u5 Severity: normal It's unclear whether this is a duplicate of bug #816725, so I filed a separate report. #816725 shows smbd repeatedly starting, failing to delete a pidfile, and presumably terminating, but this is not happening at my site. It may also describe a much higher rate of zombie generation than I'm seeing.
After upgrading a busy server from wheezy with 2:4.1.17+dfsg-1~bpo70+1 to jessie, I'm starting to see zombie smbd processes accumulate at a rate of one to two a day. The server was up for a few weeks before processes started accumulating: > $ ps auxw | grep defunct | grep -v grep ; date; uptime > root 3550 0.0 0.0 0 0 ? Z Apr17 0:00 [smbd] > <defunct> > root 3557 0.0 0.0 0 0 ? Z Apr17 0:00 [smbd] > <defunct> > root 4842 0.0 0.0 0 0 ? Z Apr14 0:00 [smbd] > <defunct> > root 5880 0.0 0.0 0 0 ? Z Apr12 0:00 [smbd] > <defunct> > root 7466 0.0 0.0 0 0 ? Z Apr16 0:00 [smbd] > <defunct> > root 15920 0.0 0.0 0 0 ? Z Apr14 0:00 [smbd] > <defunct> > root 16200 0.0 0.0 0 0 ? Z Apr14 0:08 [smbd] > <defunct> > root 17238 0.0 0.0 0 0 ? Z Apr18 0:01 [smbd] > <defunct> > root 18990 0.0 0.0 0 0 ? Z Apr17 0:00 [smbd] > <defunct> > root 29334 0.0 0.0 0 0 ? Z Apr17 0:02 [smbd] > <defunct> > Wed Apr 19 09:00:09 MDT 2017 > 09:00:09 up 21 days, 14:12, 2 users, load average: 1.24, 1.07, 0.85 The server in question is, for awkward historical reasons, an LDAP-backed NT4-style PDC and a fileserver. Zombie process accumulation has not been observed on other fileservers (NT4 or AD-joined) or on NT4-style BDCs. The server is a VM running on hardware with ECC RAM, so random memory corruption is unlikely. None of the physical servers it could be running on have reported any ECC errors. The server's smb.conf follows. This installation dates back to 2001, so there may be some cruft present: for example, it still uses 'idamp backend', which is deprecated but not removed, and it explicitly sets 'mangling method'. # # Sample configuration file for the Samba suite for Debian GNU/Linux. # # # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options most of which # are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentary and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command # "testparm" to check that you have not many any basic syntactic # errors. # #======================= Global Settings ======================= [global] # Change this for the workgroup/NT-domain name your Samba server will part of workgroup = [redacted] # server string is the equivalent of the NT Description field server string = [redacted] netbios name = [redacted] # If you want to automatically load your printer list rather # than setting them up individually then you'll need this load printers = yes ;printcap name = cups ;printcap name = /etc/printcap.cups printing = cups printcap = cups invalid users = root # Put a capping on the size of the log files (in Kb). #max log size = 1000 # no limit max log size = 0 # If you want Samba to log though syslog only then set the following # parameter to 'yes'. Please note that logging through syslog in # Samba is still experimental. ; syslog only = no syslog = 1 passdb:2 auth:2 log level = 1 passdb:1 auth:3 hosts allow = [redacted] interfaces = [redacted] bind interfaces only = yes # "security = user" is always a good idea. This will require a Unix account # in this server for every user accessing the server. See # security_level.txt for details. security = user # You may wish to use password encryption. Please read ENCRYPTION.txt, # Win95.txt and WinNT.txt in the Samba documentation. Do not enable this # option unless you have read those documents encrypt passwords = yes # Most people will find that this option gives better performance. # See speed.txt and the manual pages for details # You may want to add the following on a Linux system: # SO_RCVBUF=8192 SO_SNDBUF=8192 socket options = TCP_NODELAY domain logons = yes logon drive = [redacted] logon path = [redacted] logon home = [redacted] # lie to Samba #dfree command = /usr/local/sbin/samba-dfree # Debian panic-action # don't know what version this showed up, but let's see how much it spams # me with name_to_8_3 crashes: panic action = /usr/share/samba/panic-action %d enhanced browsing = yes # an experiment # worked with 3.4.8, does not work with 3.5.5 # See eg: <http://engardelinux.org/modules/index/list_archives.cgi?list=samba-users&page=0004.html&month=2010-06> # and: <http://lists.samba.org/archive/samba/2004-February/080788.html> #server signing = auto kerberos method = secrets and keytab # --- ldap --- passdb backend = ldapsam:"[server list redacted]" idmap backend = ldap:"[server list redacted]" # Note: Either use ldaps:// or "ldap ssl = start tls", but not both # ldap ssl defaults to start tls ldap ssl = start tls ldap suffix = [redacted] ldap user suffix = ou=People ldap machine suffix = ou=Computers ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap # 1.5 seconds, instead of the default 1 second ldap replication sleep = 1500 ldap passwd sync = Yes check password script = [redacted] ldap admin dn = "[redacted]" add machine script = [redacted] # Improves performance, as all group data are in LDAP #ldapsam:trusted = yes # --- Browser Control Options --- # Please _read_ BROWSING.txt and set the next four parameters according # to your network setup. The defaults are specified below (commented # out.) It's important that you read BROWSING.txt so you don't break # browsing in your network! # set local master to no if you don't want Samba to become a master # browser on your network. Otherwise the normal election rules apply local master = yes # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable ; os level = 20 # WINDOWS 2003 STOP CLAIMING TO BE MASTER BROWSER os level=255 # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job domain master = auto # Preferred Master causes Samba to force a local browser election on startup # and gives it a slightly higher chance of winning the election ; preferred master = auto preferred master = yes # --- End of Browser Control Options --- wins support = yes dns proxy = no # For Unix password sync. to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Augustin Luton <alu...@hybrigenics.fr> for # sending the correct chat script for the passwd program in Debian Potato). passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . obey pam restrictions = yes # Deprecated as of 3.0.20 - use 'net rpc rights' to grant appropriate access instead #printer admin = [redacted] deadtime = 15 host msdfs = yes rpc_server:spoolss = external rpc_daemon:spoolssd = fork # This was here because this was originally a Samba 2.2 installation # changed from hash to hash2 because hash keeps making smbd crash mangling method = hash2 map archive=no #======================= Share Definitions ======================= browseable = yes # not picking this up from ldap! logon script = %U.bat [homes] comment = Your home directory browseable = no csc policy = disable #nt acl support = no msdfs root = no writable = yes create mask = 0660 directory mask = 0770 hide files = /desktop.ini/ veto oplock files = /*.pst/*.PST/*.mdb/*.MDB/ [netlogon] comment = Network Logon Service path = [redacted] guest ok = yes writable = no veto files = /lost+found/ csc policy = disable [redacted1] comment = Home directories browseable = yes writeable = yes path = /home veto files = /lost+found/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ hide unreadable = no create mask = 0640 directory mask = 0750 veto oplock files = /*.pst/*.PST/*.mdb/*.MDB/ [redacted2] comment = Redacted browseable = yes writeable = no path = [redacted] hide unreadable = no write list = [redacted] csc policy = programs [redacted3] comment = Redacted path = [redacted] hide unreadable = no guest ok = yes writable = no csc policy = disable [redacted4] comment = Redacted browseable = yes writeable = no path = [redacted] hide unreadable = no csc policy = disable [redacted5] comment = Redacted browseable = yes writeable = yes path = [redacted] hide unreadable = no create mask = 0770 directory mask = 2770 csc policy = disable veto oplock files = /*.pst/*.PST/*.mdb/*.MDB/ map read only = permissions [printers] comment = All Printers browseable = no path = /var/spool/samba printable = yes public = no writable = no create mode = 0700 [print$] path = /etc/samba/drivers guest ok = yes browseable = yes read only = yes comment = Printer Driver Download Area write list = [redacted] -- System Information: Debian Release: 8.7 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) Versions of packages samba depends on: ii adduser 3.113+nmu3 ii dpkg 1.17.27 ii libbsd0 0.7.0-2 ii libc6 2.19-18+deb8u7 ii libhdb9-heimdal [heimdal-hdb-api-8] 1.6~rc2+dfsg-9 ii libldb1 2:1.1.20-0+deb8u1 ii libpam-modules 1.1.8-3.1+deb8u2 ii libpam-runtime 1.1.8-3.1+deb8u2 ii libpopt0 1.16-10 ii libpython2.7 2.7.9-2+deb8u1 ii libtalloc2 2.1.2-0+deb8u1 ii libtdb1 1.3.6-0+deb8u1 ii libtevent0 0.9.28-0+deb8u1 ii lsb-base 4.1+Debian13+nmu1 ii multiarch-support 2.19-18+deb8u7 ii procps 2:3.3.9-9 ii python 2.7.9-1 ii python-dnspython 1.12.0-1 ii python-ntdb 1.0-5 ii python-samba 2:4.2.14+dfsg-0+deb8u5 pn python2.7:any <none> ii samba-common 2:4.2.14+dfsg-0+deb8u5 ii samba-common-bin 2:4.2.14+dfsg-0+deb8u5 ii samba-dsdb-modules 2:4.2.14+dfsg-0+deb8u5 ii samba-libs 2:4.2.14+dfsg-0+deb8u5 ii tdb-tools 1.3.6-0+deb8u1 ii update-inetd 4.43 Versions of packages samba recommends: ii attr 1:2.4.47-2 ii logrotate 3.8.7-1+b1 ii samba-vfs-modules 2:4.2.14+dfsg-0+deb8u5 Versions of packages samba suggests: pn bind9 <none> pn bind9utils <none> pn ctdb <none> pn ldb-tools <none> ii ntp 1:4.2.6.p5+dfsg-7+deb8u2 pn smbldap-tools <none> pn winbind <none> -- debconf information: samba-common/title: * samba/run_mode: daemons * samba/log_files_moved: samba/nmbd_from_inetd: samba/tdbsam: false * samba/generate_smbpasswd: true