Samba 100% cpu usage

Support
#1

In this moments Samba is using 100% cpu… what can I do to solve it? reboot the server?

image

I do this, and the “issue” looks mitigated.
systemctl -M nsdc restart samba
image
What can I check to see what happens?

Some info, this proxmox/NS vm was running for a lot of days, the past Tuesday I need to shutdown because we have an hurricane alert, next day was started and I see an update today that I apply.

Package Arch Version Repository Size

Updating:
nethserver-dc x86_64 1.5.7-1.ns7 nethserver-updates 14 M
nethserver-mail-smarthost noarch 2.3.1-1.ns7 nethserver-updates 42 k
nethserver-mysql noarch 1.1.4-1.ns7 nethserver-updates 28 k

Transaction Summary

Upgrade 3 Packages

Total size: 14 M
Is this ok [y/d/N]: y
Running transaction
Updating : nethserver-mysql-1.1.4-1.ns7.noarch 1/6
Updating : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Updating : nethserver-dc-1.5.7-1.ns7.x86_64 3/6
Cleanup : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Cleanup : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 5/6
Cleanup : nethserver-dc-1.5.6-1.ns7.x86_64 6/6
Verifying : nethserver-dc-1.5.7-1.ns7.x86_64 1/6
Verifying : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Verifying : nethserver-mysql-1.1.4-1.ns7.noarch 3/6
Verifying : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Verifying : nethserver-dc-1.5.6-1.ns7.x86_64 5/6
Verifying : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 6/6

Updated:
nethserver-dc.x86_64 0:1.5.7-1.ns7 nethserver-mail-smarthost.noarch 0:2.3.1-1.ns7
nethserver-mysql.noarch 0:1.1.4-1.ns7

I don’t see any issues with the update.

Regards

#2

Wow! I see the graph cpu of this vm and there is a lot of spikes in the graph.
image

image
image.png691×305 30.8 KB

image
image.png692×284 19.8 KB

The “sad” thing is that in this moment they are just a few users/computers joined. I need to take time to migrate a lot more +25 and move some files there.

I wonder if I need to be aware of something before trying our mass migration.

Regards

#3

This are the proxmox server graph.
image

image

image

This proxmox is using ZFS for what is worth.
image

Backups runs at this time:
At 3AM the proxmox backup
At 2AM the Nethserver files backup
image

#4

To find out what the server is doing at this time you should have a look at the samba logs and perhaps messages log too.

Please post the entry at the logs at the time the samba uses 100%.

1 Like
#5

Thank you for the advice.
The logs looks good (on NethServer), need to check the proxmox logs.

The firewall.log got lots of events. So I decide to enable the firewall on this VM (it was disabled) for the interface of the public IP. This NS got a lot of logs from the outside but Shorewall:net2fw stops all (hopefully)

The other service/add-on that have lots of events is “smbaudit”, but no every day, maybe when I was testing/checking the access/audit.

#6

I haven’t read the logs in the proxmox server, but checking the firewall logs I see and Old (maybe XP) system (not joined yet) that is hammering the NS server:

image
image.png1087×315 148 KB

I read this post in Stack Exchange

The net use command, browsing network shares, or any other SMB-related command will make use of these services.

What are the security risks of having this service running, if any?

It’s often a necessary service to have running as it provides the backbone of a great deal of Windows network sharing services. I wouldn’t be concerned so much on it running as I would be concerned if it were exposed outside your network. I believe service enumeration and possible undocumented exploits are the two current risks. Because this is a remote procedure call service, it does have some of the same excitement as any application service – think of requests passed there in terms of a web query. They ask for a service (page) and pass certain relevant parameters (GET or POST options). Something on the service’s back-end runs and returns a result.

I don’t understand completely, so I will go on that PC just to be sure there is not something weird running on it. In the second link some comments scares me.

#7

Best would be to look with a rescue disk like kaspersky or other have. Also malwarebytes is a good scanner, you can work with the free version.

2 Likes
#8

Some update:
After adding some machines and users, the past Monday I upgrade my Proxmox version, then yesterday I increase some resources to my Nethserver vm: 10Gb RAM, 4 CPUs, the load is now pretty decent:

image
image.png782×666 35.3 KB

2 Likes
#9

Mhh I talk “too soon”… I see now from 4 cpu, the #3 with high usage:

image
image.png426×582 23.4 KB

image
The other 3 are with 98-99% idle.

#10

Did you find the “XP PC hammering the Nethserver” problem?

Could it be a filesystem or hardware problem?

#11

The log/firewall stills shows that XP (is Vista) ringing bells on our Nethserver :anger:
For some reason or other the old XP/vista PC is there; lucky me today arrive 4 new PCs… time to get rid of that bugger :bug:
I reboot the server and the %cpu goes down but still the logs shows it:

Dec 21 08:10:10 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23313 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23314 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23317 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0 Dec 21 08:10:12 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de:f7:cb:e8:a4:00:1e:c9:2b:b0:9a:08:00 SRC=192.168.22.103 DST=192.168.16.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23318 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:12 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23319 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
#12

It was a Windows Vista, someone use and save an user account “reserved only for us” with the password saved!, that account is restricted but can open lot of doors.
I change the password, to detect if exists some other users using it.

The W.Vista was replaced for a New Windows 7 (not a joke):sweat:

#13

9 months of updates…