# smbd 100% CPU after a specific client accesses a share

## mslinn

Samba 3.0.28 is installed on a Gentoo server ("Egg", at 192.168.0.106) which is kept up to date with emerge world every week.  

eix reports:

```
Installed versions:  3.0.28(08:25:10 02/04/08)(acl cups fam kernel_linux pam python readline swat winbind -ads -async -automount -caps -doc -examples -ipv6 -ldap -linguas_ja -linguas_pl -quotas -selinux -syslog)
```

Three Windows XP machines are in a workgroup called Workgroup.  When Samba starts, there is a single smbd process owned by root. Using Windows Explorer on any XP workstation to browse the shares presents no problems.

When I start DreamWeaver 8 on one of the XP machines ("birdie", at 192.168.0.199, XP Media Edition SP2) and access a DreamWeaver site on a share (\\egg\blah), no problem.

When I start DreamWeaver CS3 on another of the XP machines ("bear", at 192.168.0.190, XP Home) and access the same DreamWeaver project in the same manner, no problem.  However, if I access a different DreamWeaver share, after about 20 seconds the smbd process pegs at nearly 100% CPU, then after about two minutes it forks another smbd process owned by user mslinn; together both these process take nearly 100% CPU, and remain there for a very long time, usually forever.  If I restart as follows the problem goes away and I can work on DreamWeaver using the problem machine ("bear").  Disabling the WebClient service on "bear" has no effect. Disabling the DreamWeaver caches has no effect.

When accessed from the third XP machine ("wonderful", at 192.168.0.222, XP Pro) and access various shares, no problem except when I attempt to access the problem share; the server CPU pegs at 100%.

```
sudo pkill -11 smbd;sudo /etc/init.d/samba restart
```

Here is /etc/samba/smb.conf:

```
[global]

    #log level = 2

    debug timestamp = yes

    #  Browsing election options

    os level = 34

    domain master = yes

    preferred master = yes

    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

    admin users = root, mslinn, jamesw

    write list = nobody,root,mslinn,ellen

    force group = users

    time server = Yes

    passwd program = /usr/bin/passwd %u

    dns proxy = No

    netbios name = EGG

    delete readonly = yes

    writeable = yes

    printing = cups

    local master = No

    workgroup = WORKGROUP

    security = user

    dont descend = /proc,/dev

    max log size = 0

    directory mode = 0775

    log file = /var/log/samba/%m.log

    load printers = yes

    username level = 20

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY

    guest ok = Yes

    null passwords = Yes

    interfaces = eth*

    username map = /etc/samba/smbusers

    encrypt passwords = Yes

    case sensitive = yes

    wins support = yes

    name resolve order = wins lmhosts hosts bcast

    server string = Egg

    path = /var/samba/printer

    unix password sync = Yes

    force user = mslinn

    use sendfile = no

    hide special files = yes

    hide dot files = yes

    valid users = nobody,mslinn,root,ellen

    create mode = 0664

    smb ports = 139

    auto services = mslinn

    invalid users = apache tomcat bin daemon adm sync shutdown halt mail news uucp operator gopher

    dead time = 15

    getwd cache = yes

    # From http://www.oreilly.com/catalog/samba/chapter/book/ch08_01.html

    time service = yes

    dos filetimes = yes

    fake directory create times = yes

    dos filetime resolution = yes

    delete readonly = yes

[printers]

    printable = Yes

    browseable = Yes

    public = yes

    path = /var/spool/samba

    printing = CUPS

[template]

    writeable = yes

    browseable = Yes

    create mask = 0664

    directory mask = 0775

[goodShare]

    path = /var/www/good

    copy = template

[problemShare]

    path = /var/www/problem

    copy = template

[... more shares follow, similar to the one immediately above...]

```

I increased the log level to 3, then monitored the log files as I started DreamWeaver on the problem machine.  My comments in the following log trace are prefaced by >>>>:

```
sudo tail -f /var/log/samba/*

==> /var/log/samba/log.nmbd <==

[2008/02/04 08:57:58, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)

  add_name_to_subnet: Added netbios name EGG<00> with first IP 192.168.0.106 ttl=0 nb_flags=60 to su                                      bnet 192.168.0.106

[2008/02/04 08:57:58, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)

  add_name_to_subnet: Added netbios name WORKGROUP<00> with first IP 192.168.0.106 ttl=0 nb_flags=e0                                       to subnet 192.168.0.106

[2008/02/04 08:57:58, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)

  add_name_to_subnet: Added netbios name WORKGROUP<1e> with first IP 192.168.0.106 ttl=0 nb_flags=e0                                       to subnet 192.168.0.106

[2008/02/04 08:57:58, 2] nmbd/nmbd_become_dmb.c:become_domain_master_stage1(181)

  become_domain_master_stage1: Becoming domain master browser for workgroup WORKGROUP on subnet 192.                                      168.0.106

[2008/02/04 08:57:58, 3] nmbd/nmbd_become_dmb.c:become_domain_master_stage1(190)

  become_domain_master_stage1: go to first stage: register <1b> name

==> /var/log/samba/log.smbd <==

[2008/02/04 08:57:54, 3] printing/pcap.c:pcap_cache_reload(223)

  reload status: ok

[2008/02/04 08:57:54, 3] param/loadparm.c:lp_add_printer(2746)

  adding printer service R300M_Color_SERVER

[2008/02/04 08:57:54, 3] param/loadparm.c:lp_add_printer(2746)

  adding printer service R300M_Color

[2008/02/04 08:57:54, 3] param/loadparm.c:lp_add_printer(2746)

  adding printer service R300M_BW_SERVER

[2008/02/04 08:57:54, 3] param/loadparm.c:lp_add_printer(2746)

  adding printer service R300M_BW

==> /var/log/samba/smbd.log <==

[2008/02/04 08:57:54, 3] smbd/uid.c:push_conn_ctx(358)

  push_conn_ctx(0) : conn_ctx_stack_ndx = 0

[2008/02/04 08:57:54, 3] smbd/sec_ctx.c:set_sec_ctx(241)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2008/02/04 08:57:54, 3] smbd/sec_ctx.c:pop_sec_ctx(356)

  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0

[2008/02/04 08:57:54, 3] printing/printing.c:start_background_queue(1388)

  start_background_queue: Starting background LPQ thread

[2008/02/04 08:57:54, 2] smbd/server.c:open_sockets_smbd(458)

  waiting for a connection

==> /var/log/samba/log.nmbd <==

[2008/02/04 08:58:00, 3] nmbd/nmbd_serverlistdb.c:write_browse_list(419)

  write_browse_list: Wrote browse list into file /var/cache/samba/browse.dat

[2008/02/04 08:58:02, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)

  add_name_to_subnet: Added netbios name WORKGROUP<1b> with first IP 192.168.0.106 ttl=0 nb_flags=60                                       to subnet 192.168.0.106

[2008/02/04 08:58:02, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)

  *****

  Samba server EGG is now a domain master browser for workgroup WORKGROUP on subnet 192.168.0.106

  *****

>>>> CPU is under 0.5%, started DreamWeaver CS3 here

[2008/02/04 08:58:22, 3] nmbd/nmbd_serverlistdb.c:write_browse_list(419)

  write_browse_list: Wrote browse list into file /var/cache/samba/browse.dat

[2008/02/04 08:58:40, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

[2008/02/04 08:58:40, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

[2008/02/04 08:58:41, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

>>>> CPU is now nearly 100% and stays there

[2008/02/04 08:59:11, 3] nmbd/nmbd_sendannounce.c:send_host_announcement(208)

  send_host_announcement: type 889a23 for host EGG on subnet 192.168.0.106 for workgroup WORKGROUP

==> /var/log/samba/smbd.log <==

[2008/02/04 09:00:47, 3] smbd/process.c:check_reload(1309)

  Printcap cache time expired.

[2008/02/04 09:00:47, 3] printing/pcap.c:pcap_cache_reload(117)

  reloading printcap cache

[2008/02/04 09:00:47, 3] printing/pcap.c:pcap_cache_reload(223)

  reload status: ok

==> /var/log/samba/log.nmbd <==

[2008/02/04 09:01:11, 3] nmbd/nmbd_sendannounce.c:send_host_announcement(208)

  send_host_announcement: type 889a23 for host EGG on subnet 192.168.0.106 for workgroup WORKGROUP

[2008/02/04 09:03:05, 3] nmbd/nmbd_elections.c:check_for_master_browser_success(76)

  check_for_master_browser_success: Local master browser for workgroup WORKGROUP exists at IP 192.168.0.199 (just checking).

[2008/02/04 09:04:17, 3] nmbd/nmbd_sendannounce.c:send_host_announcement(208)

  send_host_announcement: type 889a23 for host EGG on subnet 192.168.0.106 for workgroup WORKGROUP

[2008/02/04 09:07:16, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.190 on subnet 192.168.0.106 for name BIRDIE<20>

[2008/02/04 09:07:16, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.190 on subnet 192.168.0.106 for name EGG<20>

[2008/02/04 09:07:16, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(569)

  OK

[2008/02/04 09:07:39, 3] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(274)

  process_local_master_announce: from BIRDIE<45> IP 192.168.0.199 to WORKGROUP<1e> for server BIRDIE.

[2008/02/04 09:07:39, 3] nmbd/nmbd_serverlistdb.c:create_server_on_workgroup(157)

  create_server_on_workgroup: Created server entry BIRDIE of type 42051203 (Ellen's super incredible computing machine) on workgroup WORKGROUP.

[2008/02/04 09:07:39, 3] nmbd/nmbd_serverlistdb.c:write_browse_list(419)

  write_browse_list: Wrote browse list into file /var/cache/samba/browse.dat

[2008/02/04 09:08:09, 3] nmbd/nmbd_sendannounce.c:send_host_announcement(208)

  send_host_announcement: type 889a23 for host EGG on subnet 192.168.0.106 for workgroup WORKGROUP

[2008/02/04 09:08:09, 3] nmbd/nmbd_elections.c:check_for_master_browser_success(76)

  check_for_master_browser_success: Local master browser for workgroup WORKGROUP exists at IP 192.168.0.199 (just checking).

```

I find it odd that when "bear" references the SMB share, smbd reports "birdie" does a name query however 129.168.0.222 actually refers to the third XP machine ("wonderful"), which isn't doing anything, and then everything goes to hell.

I restarted smbd and then refreshed DreamWeaver from "bear":

```
[2008/02/04 09:18:33, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.190 on subnet 192.168.0.106 for name EGG<20>

[2008/02/04 09:18:33, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(569)

>>>> Instantly went to 100% CPU again

  OK

[2008/02/04 09:19:13, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

[2008/02/04 09:19:13, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

[2008/02/04 09:19:13, 3] nmbd/nmbd_elections.c:check_for_master_browser_success(76)

  check_for_master_browser_success: Local master browser for workgroup WORKGROUP exists at IP 192.168.0.199 (just checking).

[2008/02/04 09:19:14, 3] nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  process_name_query_request: Name query from 192.168.0.222 on subnet 192.168.0.106 for name BIRDIE<1c>

[2008/02/04 09:19:42, 3] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(274)

  process_local_master_announce: from BIRDIE<45> IP 192.168.0.199 to WORKGROUP<1e> for server BIRDIE.

[2008/02/04 09:19:42, 3] nmbd/nmbd_serverlistdb.c:create_server_on_workgroup(157)

  create_server_on_workgroup: Created server entry BIRDIE of type 42051203 (Ellen's super incredible computing machine) on workgroup WORKGROUP.

[2008/02/04 09:19:42, 3] nmbd/nmbd_serverlistdb.c:write_browse_list(419)

  write_browse_list: Wrote browse list into file /var/cache/samba/browse.dat

```

What's going on?

----------

## jpl888

Hi,

Firstly I can see a few things which are obviously wrong with you Samba config:-

1. You should disable opportunistic locking, in my experience it causes problems since if there is any network unreliability file changes will be lost, politicians will philander, etc, etc.

2. You have "local master=no", now looking at the man page for smb.conf I can't even find a reference to that option but I assume it stops the Samba server becoming local browse master. This is bad I can see from your logs that one of the XP machines thinks it should be the local master browser and is forcing elections, general malaise, etc, etc. in you SMB browsing.

3. Your smb.conf seems needlessly complicated, you should start by removing any options that aren't in there for a specific reason so that Samba's defaults can do their magic. 

Please see an example smb.conf below:-

```
[global]

workgroup = SKOS

netbios name = SKELLYOSULLIVAN

security = SHARE

wins support = yes

os level = 35

preferred master = yes

domain master = yes

interfaces = eth0 lo

bind interfaces only = yes

printcap name = /etc/printcap

oplocks = no

time server = yes

[Data]

comment = Data

path = /Data

force user = root

force group = root

read only = No

guest ok = Yes

[Apexdata]

comment = Apexdata

path = /Apexdata

force user = root

force group = root

read only = No

guest ok = Yes

```

The above is an anonymous setup I have (hell if you only have 3 PCs why do you need any authentication?).

I would also like to add that I have had bad experiences when XP machines go mad and try to become browsers this can cause the high smbd usage you are experiencing and also high nmbd usage too. You should also make sure your machines IP settings are correct by using a DHCP server with the correct options enabled, in particular I am talking about the WINS server setting and the NETBIOS node type the latter of which should be set to 0x8 (hybrid - which means the PCs will first query the WINS server for a machine/workgroup/domain name and then broadcast if that doesn't work).

You may also enable auditing in you config to wee what is actually happening with files being open and closed, may shed more light.

```
vfs objects = audit
```

Hope this starts getting you through the treacle.

----------

## mslinn

Thanks for your detailed response.

1. I read that opportunistic locking is enabled by default.  Elsewhere I read that it is disabled by default.  Not sure what to believe.  I note that neither of our config files mentions oplocks.  Since only one Windows XP machine causes Samba to go crazy, I tried adding the following registry entry to that machine:

```
HKEY_LOCAL_MACHINE\System\

      CurrentControlSet\Services\MRXSmb\Parameters\

      OplocksDisabled REG_DWORD 1
```

Unfortunately, no effect.  I see the following log entry:

```
[2008/02/16 12:02:36, 3] smbd/oplock.c:init_oplocks(863)

  init_oplocks: initializing messages.

[2008/02/16 12:02:36, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(276)

  Linux kernel oplocks enabled
```

Maybe I need to do something more?

2. I commented out "local master=no", and restarted Samba, but no change. 

3. All the smb.conf options were there for a reason, but I commented out many of them in the global section, so that it now reads as follows:

```
    os level = 35

    domain master = yes

    preferred master = yes

    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

    admin users = root, mslinn, jamesw

    write list = nobody,root,mslinn,ellen

    force group = users

    time server = Yes

    passwd program = /usr/bin/passwd %u

    netbios name = EGG

    delete readonly = yes

    writeable = yes

    workgroup = WORKGROUP

    security = user

    dont descend = /proc,/dev

    directory mode = 0775

    log file = /var/log/samba/%m.log

    username level = 20

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY

    guest ok = Yes

    null passwords = Yes

    interfaces = eth*

    username map = /etc/samba/smbusers

    encrypt passwords = Yes

    case sensitive = yes

    wins support = yes

    name resolve order = wins lmhosts hosts bcast

    server string = Egg

    path = /var/samba/printer

    unix password sync = Yes

    force user = mslinn

    hide special files = yes

    hide dot files = yes

    valid users = nobody,mslinn,root,ellen

    create mode = 0664

    smb ports = 139

```

 Again, no effect after restarting Samba.

4. Authentication is important since I frequently connect to other networks.  I note that your smb.conf file forces the user to operate as root, which I avoid for numerous reasons.  My setup has everyone log in as a normally privileged user and that seems to be working well.

5.  My home network doesn't use DHCP, it employs fixed IP addresses.  I had played with some IP settings on the problem Windows XP Home machine (bear), so I investigated.  It has IP address 192.168.0.190, mask 255.255.255.0, gateway 192.168.0.1, dns 192.168.0.1; NETBIOS setting is "Enable NetBIOS over TCP/IP".

6. I added the following to the [GLOBAL] section:

```
vfs objects = audit
```

Then I cleaned out the logs and restarted samba:

```
sudo pkill -11 smbd;sudo rm /var/log/samba/*;sudo /etc/init.d/samba restart
```

This is the only message I see in /var/log/samba/bear.log, before samba goes nuts:

```
[2008/02/16 11:56:57, 1] smbd/service.c:make_connection_snum(1033)

  bear (192.168.0.190) connect to service www.micronauticsresearch.com initially as user mslinn (uid=1000, gid=100) (pid 2557)
```

Re-enabling debug level 3 shows reams of the following type of message:

```
[2008/02/16 11:59:49, 3] smbd/error.c:error_packet_set(106)

  error packet at smbd/trans2.c(6555) cmd=50 (SMBtrans2) NT_STATUS_NETWORK_ACCESS_DENIED

[2008/02/16 11:59:49, 3] smbd/process.c:process_smb(1068)

  Transaction 1025 of length 80

[2008/02/16 11:59:49, 3] smbd/process.c:switch_message(926)

  switch message SMBtrans2 (pid 2771) conn 0x804ba2e0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:push_sec_ctx(208)

  push_sec_ctx(1000, 100) : sec_ctx_stack_ndx = 1

[2008/02/16 11:59:49, 3] smbd/uid.c:push_conn_ctx(358)

  push_conn_ctx(105) : conn_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:set_sec_ctx(241)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:pop_sec_ctx(356)

  pop_sec_ctx (1000, 100) - sec_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:set_sec_ctx(241)

  setting sec ctx (1000, 100) - sec_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/error.c:error_packet_set(106)

  error packet at smbd/trans2.c(6555) cmd=50 (SMBtrans2) NT_STATUS_NETWORK_ACCESS_DENIED

[2008/02/16 11:59:49, 3] smbd/process.c:process_smb(1068)

  Transaction 1026 of length 80

[2008/02/16 11:59:49, 3] smbd/process.c:switch_message(926)

  switch message SMBtrans2 (pid 2771) conn 0x804ba2e0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:push_sec_ctx(208)

  push_sec_ctx(1000, 100) : sec_ctx_stack_ndx = 1

[2008/02/16 11:59:49, 3] smbd/uid.c:push_conn_ctx(358)

  push_conn_ctx(105) : conn_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:set_sec_ctx(241)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:pop_sec_ctx(356)

  pop_sec_ctx (1000, 100) - sec_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/sec_ctx.c:set_sec_ctx(241)

  setting sec ctx (1000, 100) - sec_ctx_stack_ndx = 0

[2008/02/16 11:59:49, 3] smbd/error.c:error_packet_set(106)

  error packet at smbd/trans2.c(6555) cmd=50 (SMBtrans2) NT_STATUS_NETWORK_ACCESS_DENIED

[2008/02/16 11:59:49, 3] smbd/process.c:process_smb(1068)

  Transaction 1027 of length 140

```

  I see error packets, not sure what to make of that.

----------

## jpl888

Maybe you should try another network card in the PC causing trouble, or else otherwise isolate the problem by trying another OS on the problem PC.

Viruses can cause high smbd/nmbd usage too.

I know running as root is soooooo naughty but I am a naughty man.

----------

## mslinn

I was using an add-in 100mpbs PCI Ethernet card (don't ask why.)  I disabled it and connected one of the onboard gigabit Ethernet adapters.  Same problem.  Only the Ethernet adapter that is connected is enabled; the others are disabled.

All my Windows machines run ZoneAlarm, and they are up to date.  Hopefully viruses won't be a problem.

Reinstalling the O/S is not something I would willingly do unless I was tortured to the point of death by evil demons.

----------

## jpl888

Well how about using a live CD to connect to the share? That will isolate the problem more to whether it is definitely hardware or software. Although it sounds like a software problem to me.

I had a brand new Windows XP laptop yesterday that wouldn't log in to the Samba server until I removed file and print sharing (some kind of network stack corruption I suspect), these things happen.

----------

