Unusual behavior: samba: task [cldapd]

Hello everybody,

I’m using a UCS AD DC for a midrange network of about 30 Windows PCs. On the server, AD DC and Active Directory Connector are running to a Windows server (which will shut down soon). The system has been running since March '19. About two weeks ago, the process “samba: task [cldapd]” began to consume a whole core of the system. The process is part of the “samba-ad-dc-service”.

What does this process do? I do not know what information is needed to solve the problem. I can provide all details.

Thank you for your time and your help.

Have you tried restarting the samba-ad-dc service with systemctl restart samba-ad-dc.service as a temporary workaround?

There have been reports by other users recently reporting sudden excessive memory usage for Samba, but not excessive CPU usage.

I’m not sure what exactly the cldapd component does, but it sounds to be part of the LDAP server. Maybe there are clients which run excessive, constant LDAP searches? You might want to check with tcpdump or some other method which IPs connect to the Samba AD LDAP server ports (389 and 636), and if there’s something odd about the number of searches certain IP addresses execute.

Hello Moritz,

thank you for your reply.

I have tested the workaround with no success. I can’t see any high RAM load for samba tasks.

I found some interesting IP activities and I am not sure if I should do something, e.g.:

14:51:10.number IP our.server > destination.port: UDP, bad length 1975 > 1472

I started this command: tcpdump -i eth0 port 389

There are thousands of messages in a second. Could that be a malfunction of the service?

Thank you for your time and your help.

Edit: I did an update for some packages. Here are the samba4 log lines. For me it doesn’t look good:

univention-samba4 (8.0.0-25A~4.4.0.201906241403) wird eingerichtet ...
File: /var/lib/samba/private/krb5.conf
File: /etc/logrotate.d/univention-samba4
File: /etc/init.d/samba
File: /etc/pam.d/samba
File: /etc/cron.d/univention-samba4-backup
File: /etc/logrotate.d/winbind
File: /etc/logrotate.d/samba
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
dpkg-statoverride: Fehler: Ein Override für »/var/log/samba« existiert bereits, Abbruch
Not updating samba/share/home
Not updating samba/share/groups
Not updating samba/adminusers
Not updating samba/encrypt_passwords
Not updating samba/use_spnego
Not updating samba/oplocks
Not updating samba/kernel_oplocks
Not updating samba/large_readwrite
Not updating samba/deadtime
Not updating samba/read_raw
Not updating samba/write_raw
Not updating samba/max_xmit
Not updating samba/max_open_files
Not updating samba/getwd_cache
Not updating samba/store_dos_attributes
Not updating samba/preserve_case
Not updating samba/short_preserve_case
Not updating samba/guest_account
Not updating samba/map_to_guest
Not updating samba/enable-msdfs
Not updating samba/acl/allow/execute/always
Setting samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
Not updating samba/profileserver
Not updating samba/profilepath
Not updating samba/homedirserver
Not updating samba/homedirpath
Not updating samba/homedirletter
Not updating samba/debug/level
Not updating samba4/sysvol/sync/jitter
Not updating samba4/service/smb
Not updating samba4/service/nmb
Not updating samba4/ntacl/backend
Not updating samba4/sysvol/sync/setfacl/AU
Not updating samba4/backup/cron
Setting security/packetfilter/package/univention-samba4/tcp/389/all
Setting security/packetfilter/package/univention-samba4/tcp/389/all/en
Setting security/packetfilter/package/univention-samba4/udp/389/all
Setting security/packetfilter/package/univention-samba4/udp/389/all/en
Setting security/packetfilter/package/univention-samba4/tcp/636/all
Setting security/packetfilter/package/univention-samba4/tcp/636/all/en
Setting security/packetfilter/package/univention-samba4/tcp/53/all
Setting security/packetfilter/package/univention-samba4/tcp/53/all/en
Setting security/packetfilter/package/univention-samba4/udp/53/all
Setting security/packetfilter/package/univention-samba4/udp/53/all/en
Setting security/packetfilter/package/univention-samba4/udp/123/all
Setting security/packetfilter/package/univention-samba4/udp/123/all/en
Setting security/packetfilter/package/univention-samba4/tcp/135/all
Setting security/packetfilter/package/univention-samba4/tcp/135/all/en
Setting security/packetfilter/package/univention-samba4/tcp/137:139/all
Setting security/packetfilter/package/univention-samba4/tcp/137:139/all/en
Setting security/packetfilter/package/univention-samba4/udp/137:139/all
Setting security/packetfilter/package/univention-samba4/udp/137:139/all/en
Setting security/packetfilter/package/univention-samba4/tcp/445/all
Setting security/packetfilter/package/univention-samba4/tcp/445/all/en
Setting security/packetfilter/package/univention-samba4/udp/445/all
Setting security/packetfilter/package/univention-samba4/udp/445/all/en
Setting security/packetfilter/package/univention-samba4/tcp/1024/all
Setting security/packetfilter/package/univention-samba4/tcp/1024/all/en
Setting security/packetfilter/package/univention-samba4/tcp/3268/all
Setting security/packetfilter/package/univention-samba4/tcp/3268/all/en
Setting security/packetfilter/package/univention-samba4/tcp/3269/all
Setting security/packetfilter/package/univention-samba4/tcp/3269/all/en
Setting security/packetfilter/package/univention-samba4/tcp/49152:65535/all
Setting security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en
Setting security/packetfilter/package/univention-samba4/tcp/88/all
Setting security/packetfilter/package/univention-samba4/tcp/88/all/en
Setting security/packetfilter/package/univention-samba4/udp/88/all
Setting security/packetfilter/package/univention-samba4/udp/88/all/en
Setting security/packetfilter/package/univention-samba4/tcp/464/all
Setting security/packetfilter/package/univention-samba4/tcp/464/all/en
Setting security/packetfilter/package/univention-samba4/udp/464/all
Setting security/packetfilter/package/univention-samba4/udp/464/all/en
Setting security/packetfilter/package/univention-samba4/tcp/749/all
Setting security/packetfilter/package/univention-samba4/tcp/749/all/en
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh
File: /etc/security/packetfilter.d/80_univention-firewall_policy.sh
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service
Calling joinscript 96univention-samba4.inst ...
2019-06-28 16:44:37.069974142+02:00 (in joinscript_init)
Joinscript 96univention-samba4.inst finished with exitcode 1
Calling joinscript 98univention-samba4-saml-kerberos.inst ...
2019-06-28 16:44:37.509000055+02:00 (in joinscript_init)
Joinscript 98univention-samba4-saml-kerberos.inst finished with exitcode 1

Hello everybody,

we found the problem and a solution.

The problem is a DDoS attack via CLDAP.

It would be perfect if there were a patch for CLDAP - as far as I know it is not used any more. Can it be removed from the samba-ad-service? Now we just kill the process and/or block all the ports from outside the network.

Hope for a reply from the Univention Staff.
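
The tcpdump check suggested earlier in the thread can be turned into a per-peer summary that shows which addresses outside the LAN exchange UDP port 389 traffic with the DC and how large the replies are compared with the requests. This is an added example, not part of the original posts or of UCS/Samba; it assumes the capture was taken with numeric output (`tcpdump -nn -i eth0 udp port 389`), and the internal network and all sample addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only this network holds legitimate domain members.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Matches `tcpdump -nn` text output for UDP, including the "bad length"
# form quoted in the thread (first IP fragment of an oversized reply).
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, "
    r"(?:bad length (?P<claimed>\d+) > \d+|length (?P<len>\d+))"
)

def summarize(lines):
    """Per-peer request/reply counters for UDP port 389 traffic."""
    stats = defaultdict(lambda: {"req": 0, "req_bytes": 0, "resp": 0, "resp_bytes": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # TCP or unrelated lines
        size = int(m["claimed"] or m["len"])  # length the UDP header claims
        if m["dport"] == "389":
            peer, kind = m["src"], "req"
        elif m["sport"] == "389":
            peer, kind = m["dst"], "resp"
        else:
            continue
        stats[peer][kind] += 1
        stats[peer][kind + "_bytes"] += size
    return stats

def external_peers(stats, internal=INTERNAL_NETS):
    """Peers outside the internal networks, largest reply volume first."""
    rows = []
    for peer, s in stats.items():
        if any(ipaddress.ip_address(peer) in net for net in internal):
            continue
        # Ratio is None when the capture holds replies but no request.
        ratio = round(s["resp_bytes"] / s["req_bytes"], 1) if s["req_bytes"] else None
        rows.append((peer, s["req"], s["resp_bytes"], ratio))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample capture (documentation address ranges), not real data.
SAMPLE = """\
14:51:10.000001 IP 203.0.113.7.40001 > 192.168.1.10.389: UDP, length 52
14:51:10.000420 IP 192.168.1.10.389 > 203.0.113.7.40001: UDP, bad length 1975 > 1472
14:51:11.100000 IP 192.168.1.23.51000 > 192.168.1.10.389: UDP, length 160
14:51:11.100300 IP 192.168.1.10.389 > 192.168.1.23.51000: UDP, length 190
14:51:12.000000 IP 192.168.1.10.389 > 198.51.100.9.5353: UDP, length 1400
"""
```

Any row returned by `external_peers` is a peer that should not be reaching the DC on UDP 389 at all; a high reply-to-request byte ratio is the pattern that makes the port useful for reflection.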
