Samba 100% cpu usage

At the moment Samba is using 100% CPU… what can I do to solve it? Reboot the server?


I did this, and the “issue” looks mitigated.
systemctl -M nsdc restart samba
What can I check to see what happens?

Some info: this Proxmox/NS VM had been running for a lot of days. Last Tuesday I needed to shut it down because we had a hurricane alert; the next day it was started, and today I saw an update, which I applied.

Package Arch Version Repository Size

Updating:
nethserver-dc x86_64 1.5.7-1.ns7 nethserver-updates 14 M
nethserver-mail-smarthost noarch 2.3.1-1.ns7 nethserver-updates 42 k
nethserver-mysql noarch 1.1.4-1.ns7 nethserver-updates 28 k

Transaction Summary

Upgrade 3 Packages

Total size: 14 M
Is this ok [y/d/N]: y
Running transaction
Updating : nethserver-mysql-1.1.4-1.ns7.noarch 1/6
Updating : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Updating : nethserver-dc-1.5.7-1.ns7.x86_64 3/6
Cleanup : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Cleanup : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 5/6
Cleanup : nethserver-dc-1.5.6-1.ns7.x86_64 6/6
Verifying : nethserver-dc-1.5.7-1.ns7.x86_64 1/6
Verifying : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Verifying : nethserver-mysql-1.1.4-1.ns7.noarch 3/6
Verifying : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Verifying : nethserver-dc-1.5.6-1.ns7.x86_64 5/6
Verifying : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 6/6

Updated:
nethserver-dc.x86_64 0:1.5.7-1.ns7 nethserver-mail-smarthost.noarch 0:2.3.1-1.ns7
nethserver-mysql.noarch 0:1.1.4-1.ns7

I don’t see any issues with the update.

Regards

Wow! I looked at the CPU graph of this VM and there are a lot of spikes in it.

The “sad” thing is that at the moment there are just a few users/computers joined. I need to take time to migrate a lot more (+25) and move some files there.

I wonder if I need to be aware of something before trying our mass migration.

Regards

These are the Proxmox server graphs.

This Proxmox is using ZFS, for what it's worth.

Backups run at these times:
At 3AM the Proxmox backup
At 2AM the NethServer files backup

To find out what the server is doing at this time, you should have a look at the Samba logs and perhaps the messages log too.

Please post the log entries from the time Samba uses 100%.

1 Like

Thank you for the advice.
The logs look good (on NethServer); I need to check the Proxmox logs.

The firewall.log has lots of events, so I decided to enable the firewall on this VM (it was disabled) for the interface with the public IP. This NS gets a lot of log entries from the outside, but Shorewall:net2fw stops them all (hopefully).

The other service/add-on that has lots of events is “smbaudit”, but not every day; maybe only when I was testing/checking the access/audit.

I haven’t read the logs on the Proxmox server, but checking the firewall logs I see an old (maybe XP) system (not joined yet) that is hammering the NS server:


I read this post on Stack Exchange:

The net use command, browsing network shares, or any other SMB-related command will make use of these services.

What are the security risks of having this service running, if any?

It’s often a necessary service to have running as it provides the backbone of a great deal of Windows network sharing services. I wouldn’t be concerned so much on it running as I would be concerned if it were exposed outside your network. I believe service enumeration and possible undocumented exploits are the two current risks. Because this is a remote procedure call service, it does have some of the same excitement as any application service – think of requests passed there in terms of a web query. They ask for a service (page) and pass certain relevant parameters (GET or POST options). Something on the service’s back-end runs and returns a result.

I don’t understand it completely, so I will go to that PC just to be sure there is not something weird running on it. In the second link some comments scare me.

Best would be to look with a rescue disk like Kaspersky or others have. Also, Malwarebytes is a good scanner; you can work with the free version.

2 Likes

Some update:
After adding some machines and users, last Monday I upgraded my Proxmox version, then yesterday I increased some resources of my NethServer VM: 10Gb RAM, 4 CPUs. The load is now pretty decent:

2 Likes

Mhh, I spoke “too soon”… I now see that, of the 4 CPUs, #3 has high usage:

The other 3 are 98-99% idle.

Did you find the “XP PC hammering the Nethserver” problem?

Could it be a filesystem or hardware problem?

The firewall log still shows that XP (it is Vista) ringing bells on our NethServer :anger:
For some reason or other the old XP/Vista PC is still there; lucky me, today 4 new PCs arrived… time to get rid of that bugger :bug:
I rebooted the server and the %CPU went down, but the logs still show it:

Dec 21 08:10:10 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23313 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23314 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23317 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:12 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de:f7:cb:e8:a4:00:1e:c9:2b:b0:9a:08:00 SRC=192.168.22.103 DST=192.168.16.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23318 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:12 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=b2:de::08:00 SRC=192.168.xx.103 DST=192.168.xx.3 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23319 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0 

It was a Windows Vista machine; someone used a user account “reserved only for us” and saved it with the password! That account is restricted but can open a lot of doors.
I changed the password, to detect whether any other users are using it.

The W. Vista was replaced with a new Windows 7 (not a joke) :sweat:

9 months of updates…
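
A way to run the firewall-log check from this thread over a whole log instead of reading it by eye, as an added example that is not part of the original posts: it parses Shorewall lines in the format quoted above and groups blocked packets by chain, source, destination and port. The sample lines, their addresses and the `min_hits` threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Shorewall lines quoted in the thread;
# hosts, MACs and counts are made up for this example.
SAMPLE_LOG = """\
Dec 21 08:10:10 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:01 SRC=192.168.0.103 DST=192.168.0.3 LEN=52 TTL=128 ID=1 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:01 SRC=192.168.0.103 DST=192.168.0.3 LEN=48 TTL=128 ID=2 DF PROTO=TCP SPT=54561 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:11 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:01 SRC=192.168.0.103 DST=192.168.0.3 LEN=52 TTL=128 ID=3 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:12 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:01 SRC=192.168.0.103 DST=192.168.0.3 LEN=48 TTL=128 ID=4 DF PROTO=TCP SPT=54562 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:13 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:01 SRC=192.168.0.103 DST=192.168.0.3 LEN=52 TTL=128 ID=5 DF PROTO=TCP SPT=54563 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:14 ads kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=02:00:00:00:00:02 SRC=192.168.0.50 DST=192.168.0.3 LEN=52 TTL=128 ID=77 DF PROTO=TCP SPT=49200 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 21 08:10:15 ads kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=02:00:00:00:00:03 SRC=203.0.113.7 DST=198.51.100.3 LEN=40 TTL=51 ID=9 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 08:10:16 ads smbd[1234]: constructed non-firewall line, ignored by the parser
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):(?P<rest>.*)$")

def parse_line(line):
    """Return chain, action and KEY=VALUE fields of one Shorewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:  # bare flags such as DF or SYN carry no value and are skipped
            rec[key] = val
    return rec

def repeat_offenders(log_text, min_hits=3):
    """Group blocked packets by (chain, SRC, DST, PROTO, DPT); keep groups with >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] in ("REJECT", "DROP") and "SRC" in rec:
            key = (rec["chain"], rec["SRC"], rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
            hits[key].append(rec.get("SPT"))
    rows = [
        # distinct source ports approximate separate connection attempts; repeats are likely retries
        {"chain": k[0], "src": k[1], "dst": k[2], "proto": k[3], "dpt": k[4],
         "packets": len(spts), "attempts": len(set(spts))}
        for k, spts in hits.items() if len(spts) >= min_hits
    ]
    return sorted(rows, key=lambda r: r["packets"], reverse=True)

if __name__ == "__main__":
    for row in repeat_offenders(SAMPLE_LOG):
        print(row)
```

Keeping the chain in the grouping key separates internal hosts (`loc2fw`) from Internet noise (`net2fw`), which is the distinction the thread ends up relying on.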