Could not connect to accounts provider!

Monday: The issues isn’t repeated, the server shows a decent load:


Then I’m almost sure, that all my issues was the mixture of antivirus + Sambaaudit (not SambaStatus) logs.
If I need to choose about an stable system or “known” who-what-when is accessing files, I always choose stability. Of course if the antivirus was not needed in this world, this will be another story.

Now I check the ‘interface’ activity, and looks: good ? :

I’ll keep an eye for this week on the NS system, so far this looks good.



The DoS hasn’t occurred this week.

Some graphs of the load:

Hopefully the issue doesn’t appear never.

Hi @MrE
This is some weird story! Is your conclusion that AV and SambaAudit don’t go well together? I think I have them both running on my fileserver too, but I only have a few users and the shares are not accessed that often. But I have never seen such behavior.

I’m trying to collect all the elements to get a conclusion. But looks the real conclusion.

Avast published a new version some weeks ago, we are still migrating users to the NS/domain and upgrading the AV.

The AV, is configured (isn’t by default) to scan the network shares, and when the AV is upgraded it scans and “hits” each .exe file on the shared folders.

This shared folders has a lot of program files, one is the “setup” share for a lot of software that we need, our ERP by ex. need them (activeX files, dll, setup, you name it).

The “lucky hint” was that some new joined users don’t need to use those files (ever), so I began to wonder the reason. That is when the AV came to the scene.

After some updates-reboots of the (Proxmox/NethServer) servers, and seeing the hits of that users, I remember to check the SambaAudit logs, yikes! thousands of entries in the logs, not, I mean hundred thousands of entries, that’s “normal”? I don’t think so.

Lucky me, the first entries in the SambaAudit logs are users that don’t need the ERP software and they where the last on the AV upgrade process.

Quickly, I disable the auditing of the shared folders. (Friday night)

On Saturday, the load now is normal, yes!, On Monday, the same, I can see network load graph a little heavy, but I don’t see the audit logs be bombed by the AV artillery.

I can’t disable the AV network scan, we where hit twice, and I found the guilty users (both wife and husband), but I can’t make then to pay for their sins, yet.

I will create some filters on the AV, to disable the scan on that network shares, by another pinch of luck that shares are accessed but not need to be mounted.


—Note # 1:
This graph show the year in the interface, you can see the traffic grows when users and added and how the AV/Audit is ruining my day:

—Note # 2:
AV filters to ignored the folder shared has been created.

So, if I interpret the situation correctly:
You use a non default AV solution: Avast
Avast gives a shitload of false positives because it points any .exe / .dll / ActiveX file as (possible) unwanted file. Because every user that has access to your shares initiates this behavior, you end up with huge load and accumulation of SambaAudit log files…
Can’t Avast be tweaked to not generate those (false) positives? Why use Avast (in my experience a resource hungry AV solution, at least on Win clients) while we have clamav by default on NethServer?

Greetings, well,

We need the AV, because we have a lot of windows PC, I don’t use all the NS’s features. Mainly I use it for authentication, later I plan to use to apply GPOs and some other services joined on the AD.

From some years ago I use (Citadel) as our mail server, is very good and “simple” to setup, but I got an old version that I plan to upgrade. This mail server has clamav + spamassassin, but some nasty stuff can go though and is there when the AV is a need, the infections we where having occurs via USB sticks, and there clamav can’t help.

It can be adjusted to be more or less strict; but yesterday I add some scan exceptions for the shared folders on NS, that I’m still monitoring.

I don’t want to overload the principal role of this NS (Active Directory / Authentication) and want to keep this NS as simple as I can, for easy backup and recovery; I likely want to install more slaves of NS for the other features. But, I want to use a NAS for our users files, currently evaluating if buying a Synology or just buy hardware/server to install Nas4Free now Xigmanas.

Yesterday, after the upgrading NS, I got this issue: LDAP client internal error (AccountProvider_Error_82), that’s why I want a simple and stable NS, without many services to monitor.

I wonder if having so many servers is more that I can chew :cold_sweat:.

(Proxmox) + (NS)
(~70 windows clients)
(1 sql server/w2012r2) + (ERP, Payroll system, and a lot of apps)
(2 mail servers)
(3 small NAS for backups)
(NAS for files and storage buy or build)
(2 web servers | DNS servers | )
(The old w2k server, soon to be decommissioned - hopefully)


You still can use Avast for your client pc’s. (although personally I would not choose Avast because of the resource hog it is) You could opt to use default ClamAV for NS

Alas! yes it is.

So, @robb; I’m guessing right that after some ssd updates, something need to be rebuilding like a database?
This because when the AV was scanning the shared folders that process takes a long time to finish.
And yesterday, after the update, I see that something was happening that I don’t see the full information of the Domain accounts. And today morning the whole info is there again.

So, I wonder what log file need to check to see if this process is happening. Any guess?


Please look at the memory usage graph: I’m afraid your system is in short of memory and random processes get killed by the kernel.

Thank you @davidep, It was using 10GB now increased to 12GB, I will schedule a reboot later to apply this 12GB assigned.
Or maybe I need to add more RAM, but, how much can you recommend?

This is the yearly memory graph:


@davidep, OK RAM increased to 12GB and server restarted.
Now to wait and get some :popcorn:

Just to clarify, I don’t think more ram is a solution. There could be a memory leakage that slows down the system at a certain point. You should identify the memory consuming process when the load starts to grow.

Could you post the swap graph in the same period?

Let me connect remotely to get it.
And yes, I see the memory graph today before the reboot (today) and on those days
It show the “cached” memory on blue at high levels just as above.

But at this moment, there is no significative memory usage:

Each gap is a restart event.

Ooops you mean the swap (auch!), there is, nothing “bad” I see:

Two weeks are passed, the previous one, is reported here.

So, after this time, I know that the issues that NS was having from some months ago where caused by the savage antivirus we use, not a bad thing (but worse :no_mouth: ), mental note to remember that security tools can create issues in a local and weak network: Deny Of Service galore.

Using some filters for the antivirus ‘fix’ the thing.

Maybe avast treat/see the file system in different way on Nethserver (samba shares) than in windows (shared folders) :thinking: because I don’t see the old file server stressed by the scanning (right now). Ah some users report slow response from time to time on the network.

When our new NAS arrive, the issue can reappear but in another device.

Time to learn how to scan our network traffic, maybe with wire shark or some tool related. Any ideas?

Thanks and regards.

Change the AV configuration about automated scanning network drives, disabling it.
Consider the opportunity for a full filesystem check from ONE client on a timed schedule (once a month during the night?)

Hey! Thank you @pike , I was thinking the same after my previous post. The problem we live some months ago was this:

  • 9AM - user put usb stick with “old” virus/trojan
  • User open false ‘document’ (was an executable), we have some lemmings PEBKAC.
  • The virus, put their exe hidden in the local disks, seeks for office files, create access links to this files, and do the same on the shared folders that it can see.
  • 10AM - other users start to work in the shared folders, open their ‘documents’ that open the virus and repeat the process.
  • 11AM, I don’t know what, someone calls, or just blind luck that I see a lot of files opened by some users. Then I start learning what is happening.
  • The antivirus, IGNORE the treat just because it was old, even malware bytes (now part of avast) reject the reported sample, because is ‘old’. WTH!
  • After reporting to avast and maybe some hours later (or a day), it began to recognize the threat and blocks the executable. But before the ‘real’ antivirus was myself (search, detect, move, delete).

Lessons learned:

  1. Deactivate the usb storage use on each computer
  2. Need to activate to scan the shared folders at runtime
  3. Create filters to ignore shared folders (nethserver) that we I.T. knows are safe-clean and read-only
  4. (Today) Choose a few users to Scan always the network shares (the writable ones)
  5. Avast, needs to create a good update program. The new version came some months ago and it can’t be upgraded/installed if we don’t remove the old one :face_with_symbols_over_mouth:

The difficult part is choose the right ones, when some or all stops scanning and something similar appear, Oh my!, not need another week like that.

Scanning just at night or on timed scheduled looks pretty dangerous.


By the way, I pretend to use snapshots in the new NAS.
But I wonder, is you guys, that use Nextcloud (NC), think is more safe NC that only use a network shared folder for the users.
I know some of the benefits of NC; and of course if the user get hit by virus, they can ‘lost’ their files (unless backups exists);

So if I install the NC on the NAS with snapshots (yes, with backup prevention); I wonder how the restore process can be made. Because I barely knows NC, I recall it uses a database, but alas! I can’t grasp the process to full protect our users documents in NC+snapshot+recovery. Maybe NC see that there are files restored (with previous dates) and it starts updating its database, don’t know.

Regards (LOL I hijacked my own post :thinking::wink:)

You can’t solve this issue. But you can use a different AV.

IMVHO Avast is not a good choice, but i used only the “desktop product”, without the admin console.
I had experiences on McAfee VSE (with ePO Orchestrator), ESET Business, Symantec Enterprise, Sophos Home (web console), GData, TrendMicro OfficeScan. Most of them have issues, others do not recognize every detail. Most of these experiences are quite old, but i do not want to start to know Avast.

IMVHO this issue appeared tell me to look for another option for AV. Some are quite cheap (Sophos is quite affordable, as far as I can remember).
If you have to workaround servers for the issues for the Antivirus, maybe this product is not the best option, therefore you should at least try another one.

Well, we use a little program and right now, all my users doesn’t have usb enabled anymore. We use some little utility (DisableUSB_Free.exe) that disables the usb storage feature. Is good and works.

Good one, but we got 3 yrs license for avast. But you hit the nail and I’ll try another one.
Maybe what I need is an antivirus for Linux servers (not that Linux need it) so windows users are a little safe, but don’t know if this can stops and prevent the files to be contaminated from the network.

Before using avast, we test some of you mentioned but it was a better time with simple virus, not cryptoware or ransomware, (do you remember seeing the ping-pong virus?)

For me McCrapy was the worst, but this was ages ago. Now it came with dell computers and when I got a new one I just delete the hard disk to start clean without the bloatware.

Thank you for the av suggestions, some of them I have forgot.

Ransomware are quite issues for people who don’t have a good backup policy and a Disaster Recovery plan, IMVHO.
These programs are not viruses…