ansh
(ansh)
October 31, 2024, 1:01pm
1
My network has two domains and I use two DNS in the TCP/IP settings
DNS1 = 192.168.0.15 (AD1 SAMBA5 on NS8)
DNS2 = 192.168.0.17 (AD2 WINDOWS SERVER 2008)
On WINDOWS 10 computers, names from AD1 will no longer resolve, but names from AD2 will resolve.
```
PS C:\WINDOWS\system32> nslookup comp1.domain.local
: UnKnown
Address: 192.168.0.15
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
: comp1.domain.local
Address: 192.168.0.219
PS C:\WINDOWS\system32> ping comp1.domain.local
Ping failed to find host comp1.domain.local.
Check the host name and try again.
```
When I remove DNS2 and leave only DNS1 in TCP/IP settings, then computers in AD1 start resolving.
Most likely due to the long DNS1 response the system switches to DNS2. How can I increase the AD1 response speed on SAMBA5 NS8?
ansh
(ansh)
October 31, 2024, 1:10pm
2
To install htop, enable epel
```
yum --enablerepo=extras install epel-release
yum -y install htop
```
Hi @ansh
You are aware of the fact that in TCP/IP only the first functioning DNS server is used?
With the above settings, DNS2 is normally never queried if DNS1 is available and working.
My 2 cents
Andy
ansh
(ansh)
October 31, 2024, 5:04pm
4
Sure. Have you seen the CPU load in htop and the long nslookup response?
ansh
(ansh)
November 1, 2024, 4:02pm
7
opened 10:33AM - 12 May 22 UTC
Using either this image or @burnbabyburn's image (as mentioned in #36), as soon … as the container receives a DNS query, it opens enough listening sockets to overwhelm the system, resulting in any more giving the error message below:
```
$ dig @192.168.1.250 google.com a
dig: isc_socket_bind: address in use
```
They all look like this:
```
$ sudo netstat -nvuap|wc -l
28241
$ sudo netstat -nvuap|head -n 10
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 172.17.0.1:38860 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:47052 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55244 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:38861 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:47053 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55245 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55246 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:38862 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
```
In the above, 172.17.0.1 is the bridge address (docker0 on the host), 172.17.0.2 is the address of the container.
The server is set up using the command taken from the documentation:
```
docker volume create samba-data
docker volume create samba-config
docker run -t -i \
-e "DOMAIN=OFFICE.COMPANY.COM" \
-e "DOMAINPASS=Password1" \
-e "DNSFORWARDER=192.168.1.1" \
-e "HOSTIP=192.168.1.250" \
-p 192.168.1.250:53:53 \
-p 192.168.1.250:53:53/udp \
-p 192.168.1.250:88:88 \
-p 192.168.1.250:88:88/udp \
-p 192.168.1.250:135:135 \
-p 192.168.1.250:137-138:137-138/udp \
-p 192.168.1.250:139:139 \
-p 192.168.1.250:389:389 \
-p 192.168.1.250:389:389/udp \
-p 192.168.1.250:445:445 \
-p 192.168.1.250:464:464 \
-p 192.168.1.250:464:464/udp \
-p 192.168.1.250:636:636 \
-p 192.168.1.250:1024-1044:1024-1044 \
-p 192.168.1.250:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v samba-data:/var/lib/samba \
-v samba-config:/etc/samba/external \
--dns-search office.company.com \
--dns 192.168.1.250 \
--dns 192.168.1.1 \
--add-host localdc.office.company.com:192.168.1.250 \
-h localdc \
--name samba-bbb \
--privileged \
--restart unless-stopped \
samba-domain
```
Has anyone seen this, or have any idea how to resolve it?
Resolved
192.168.0.1 - gateway
Removed on docker host nameserver 127.0.0.1
```
#cat /etc/resolv.conf
search domain.local
nameserver 192.168.0.1
```
1 Like
ansh
(ansh)
March 4, 2025, 5:09pm
8
Not resolved
The NS8 server reboot field shows the line
nameserver 127.0.0.1
in /etc/resolv.conf
On server
```
#cat /etc/resolv.conf
search domain.local
nameserver 127.0.0.1
nameserver 192.168.0.1
```
After removing the line nameserver 127.0.0.1 and rebooting samba5
```
#runagent -m samba5 systemctl --user restart samba-dc
```
the processor load is normalized.
ansh
(ansh)
March 11, 2025, 7:28am
9
Updated Core apps, but the problem is still not solved. After rebooting NS8 Samba loads CPU at 100%.
mrmarkuz
(Markus Neuberger)
March 11, 2025, 8:03am
10
Are there relevant entries in the logs? You can find them on the logs page, see also System logs — NS8 documentation
Does a service restart help?
```
runagent -m samba5 systemctl --user restart samba-dc
```
Is there still the entry nameserver 127.0.0.1 in /etc/resolv.conf?
Let’s check the config:
```
runagent -m samba5 podman exec samba-dc testparm -s
```
To check DNS from a client device: Setting up Samba as a Domain Member - SambaWiki
ansh
(ansh)
March 11, 2025, 9:22am
11
mrmarkuz:
Are there relevant entries in the logs? You can find them on the logs page, see also System logs — NS8 documentation
```
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Queued start job for default target Main User Target.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Created slice User Application Slice.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Started Mark boot as successful after the user session has run 2 minutes.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Started Daily Cleanup of User's Temporary Directories.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Reached target Paths.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Reached target Timers.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Starting D-Bus User Message Bus Socket...
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Starting Create User's Volatile Files and Directories...
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Finished Create User's Volatile Files and Directories.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Listening on D-Bus User Message Bus Socket.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Reached target Sockets.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Reached target Basic System.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Started Rootless module/samba5 agent.
2025-03-11T11:24:22+03:00 [1:samba5:systemd] Starting Samba AD Domain Controller...
2025-03-11T11:24:37+03:00 [1:samba5:systemd] Starting D-Bus User Message Bus...
2025-03-11T11:24:37+03:00 [1:samba5:dbus-broker-launch] Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +31: Eavesdropping is deprecated and ignored
2025-03-11T11:24:37+03:00 [1:samba5:dbus-broker-launch] Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +33: Eavesdropping is deprecated and ignored
2025-03-11T11:24:37+03:00 [1:samba5:systemd] Started D-Bus User Message Bus.
2025-03-11T11:24:37+03:00 [1:samba5:] Ready
2025-03-11T11:24:37+03:00 [1:samba5:systemd] Created slice Slice /user.
2025-03-11T11:24:37+03:00 [1:samba5:systemd] libpod-60edb229c57a9563d57f6f386dc3db662a09e4abc140e2f9f67021df5138c023.scope: unit configures an IP firewall, but not running as root.
2025-03-11T11:24:37+03:00 [1:samba5:systemd] (This warning is only shown for the first unit using IP firewalling.)
2025-03-11T11:24:37+03:00 [1:samba5:systemd] Started libcrun container.
2025-03-11T11:24:37+03:00 [1:samba5:podman] 60edb229c57a9563d57f6f386dc3db662a09e4abc140e2f9f67021df5138c023
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] 2025-03-11T08:24:38Z chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2025-03-11T11:24:38+03:00 [1:samba5:systemd] Started podman-pause-b0a63c96.scope.
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] 2025-03-11T08:24:38Z Disabled control of system clock
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] 2025-03-11T08:24:38Z Loaded 0 symmetric keys
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] 2025-03-11T08:24:38Z MS-SNTP authentication enabled
2025-03-11T11:24:38+03:00 [1:samba5:bash] /usr/bin/bash: connect: Connection refused
2025-03-11T11:24:38+03:00 [1:samba5:bash] /usr/bin/bash: line 1: /dev/tcp/192.168.0.15/53: Connection refused
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] samba version 4.19.5-Ubuntu started.
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] Copyright Andrew Tridgell and the Samba Team 1992-2023
2025-03-11T11:24:38+03:00 [1:samba5:samba-dc] daemon 'samba' : Starting process...
2025-03-11T11:24:39+03:00 [1:samba5:samba-dc] /usr/sbin/smbd: smbd version 4.19.5-Ubuntu started.
2025-03-11T11:24:39+03:00 [1:samba5:samba-dc] /usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2023
2025-03-11T11:24:39+03:00 [1:samba5:samba-dc] /usr/sbin/smbd: INFO: Profiling turned OFF from pid 19
2025-03-11T11:24:39+03:00 [1:samba5:samba-dc] /usr/sbin/winbindd: winbindd version 4.19.5-Ubuntu started.
2025-03-11T11:24:39+03:00 [1:samba5:samba-dc] /usr/sbin/winbindd: Copyright Andrew Tridgell and the Samba Team 1992-2023
08:24:42.662149 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation
2025-03-11T11:24:43+03:00 [1:samba5:systemd] Started Samba AD Domain Controller.
2025-03-11T11:24:43+03:00 [1:samba5:systemd] Reached target Main User Target.
2025-03-11T11:24:43+03:00 [1:samba5:systemd] Startup finished in 20.977s.
```
Restarting doesn’t help.
```
#cat /etc/resolv.conf
search domain.local
nameserver 127.0.0.1
nameserver 192.168.0.1
```
mrmarkuz:
Let’s check the config:
```
#runagent -m samba5 podman exec samba-dc testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
bind interfaces only = Yes
dns forwarder = 192.168.0.1
interfaces = 127.0.0.1 192.168.0.15
netbios aliases = NETDISK
obey pam restrictions = Yes
passdb backend = samba_dsdb
realm = AD.DOMAIN.LOCAL
registry shares = Yes
server role = active directory domain controller
template homedir = /srv/homes/%U
workgroup = DOMAIN
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl_xattr:ignore system acls = yes
acl_xattr:security_acl_name = user.NTACL
idmap config * : backend = tdb
include = /etc/samba/include.conf
inherit owner = windows and unix
map archive = No
vfs objects = dfs_samba4 acl_xattr
[sysvol]
inherit owner = no
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = no
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.local/scripts
read only = No
[homes]
browseable = No
comment = %u home directory
read only = No
[test]
comment = test
path = /srv/shares/test
read only = No
[root@ns8 etc]#
```
Query time: 3051 msec
```
# dig @192.168.0.15 google.com
; <<>> DiG 9.16.23-RH <<>> @192.168.0.15 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58893
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 64 IN A 173.194.219.100
google.com. 64 IN A 173.194.219.101
google.com. 64 IN A 173.194.219.139
google.com. 64 IN A 173.194.219.102
google.com. 64 IN A 173.194.219.138
google.com. 64 IN A 173.194.219.113
;; Query time: 3051 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Tue Mar 11 12:19:37 MSK 2025
;; MSG SIZE rcvd: 135
```
mrmarkuz
(Markus Neuberger)
March 11, 2025, 9:40am
12
Please remove the nameserver 127.0.0.1 line and restart the samba-dc service.
Did you set up a static IP for the NS8?
ansh
(ansh)
March 11, 2025, 9:47am
13
After removing the line nameserver 127.0.0.1 and rebooting samba5
```
#runagent -m samba5 systemctl --user restart samba-dc
```
the processor load is normalized.
1 Like
mrmarkuz
(Markus Neuberger)
March 11, 2025, 9:49am
14
Please also remove 127.0.0.1 in nmtui, else it will reappear at next network restart.
1 Like
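A check for the configuration this thread ends on, as an added example that is not part of any post: it reads a copy of `/etc/resolv.conf` and saved `testparm -s` output and flags a loopback nameserver that the Samba DC also listens on. The function names are hypothetical, and the sample files reuse the values posted above.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print loopback nameserver addresses found in a resolv.conf-style file.
loopback_nameservers() {
    awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { print $2 }' "$1"
}

# Print one [global] parameter from saved `testparm -s` output.
testparm_value() {   # $1 = file, $2 = parameter name
    awk -F ' *= *' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && $1 == key { print $2; exit }' "$1"
}

# Return 1 when resolv.conf lists a loopback nameserver that the DC also
# listens on, or when the DC forwards DNS to one of its own addresses.
audit_dc_dns() {     # $1 = resolv.conf, $2 = saved testparm output
    rc=0
    ifaces=$(testparm_value "$2" "interfaces")
    fwd=$(testparm_value "$2" "dns forwarder")
    for ns in $(loopback_nameservers "$1"); do
        case " $ifaces " in
            *" $ns "*) echo "FLAG: nameserver $ns is also a Samba DC interface"; rc=1 ;;
            *) echo "NOTE: loopback nameserver $ns in resolv.conf" ;;
        esac
    done
    for f in $fwd; do
        case " $ifaces " in
            *" $f "*) echo "FLAG: dns forwarder $f is the DC itself"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Sample files built from the values posted in the thread.
tmp=$(mktemp -d)
printf 'search domain.local\nnameserver 127.0.0.1\nnameserver 192.168.0.1\n' > "$tmp/resolv.before"
printf 'search domain.local\nnameserver 192.168.0.1\n' > "$tmp/resolv.after"
printf '[global]\n\tdns forwarder = 192.168.0.1\n\tinterfaces = 127.0.0.1 192.168.0.15\n[sysvol]\n\tpath = /var/lib/samba/sysvol\n' > "$tmp/testparm.txt"

audit_dc_dns "$tmp/resolv.before" "$tmp/testparm.txt" || echo "=> review resolver settings"
audit_dc_dns "$tmp/resolv.after" "$tmp/testparm.txt" && echo "=> no loopback resolver found"
```

On a real host, pass `/etc/resolv.conf` and a file holding the output of the `testparm -s` command shown in the thread.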