Why is nmblookup the kiss of death for OSX?

I’ve written before about how my machine dies from time to time – it becomes unresponsive, can’t open new Terminal windows, can’t quit some applications, can’t login as anything. Basically, it’s the big kahuna, the Dementor’s Kiss for any work I have underway.

After a number of episodes of this (which comes around every week or so at present) I’ve found what is at least a symptom: the process nmblookup appears in the process list. Once that’s there, abandon all hope ye who would like to press Enter here. You’ll never recover the machine: all lookups fail, and many processes such as Microsoft Word, iCal and Mail won’t exit gracefully – they seem to be doing some sort of lookup before they quit which, of course, can’t be resolved, so they just hang forever.

Sometimes, I do catch lookupd (which is the daemon that does name server lookups, eg for google.com) when it’s given up. You can kill it and it will restart automatically; no problem. But as I say, if the machine is hanging (typical problem: browser unresponsive in Activity Monitor) and you find that nmblookup is running, you’re toast, and so is any unsaved work.

In the latest episode, I’d not done anything. In fact I’d been away from my machine, which was still happily connected to the office (Appleshare) network.

Can anyone explain why, and what the hell nmblookup is meant to do, and why it would be appearing in this situation, while I reboot my machine?

Update: from around the web: this Macfixit thread suggests it might be

related to some sort of race condition between lookupd and crashreporter.

.

..And then some more reading of the same thread suggests it’s due to a bug in crashreporterd.

..And there’s this Stepwise piece which says “We’re reported the bug to Apple, and they plan to release a bug fix before the next release of the OS.” Hope you weren’t holding your breath – that was May 1999.

31 Comments

  1. “The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.” This is something to do with samba. Mac OS X used to hang when mounted drives were disconnected before unmounting, and I wonder if this is a similar problem.

  2. PS the comments link opens a window in Safari which doesn’t seem to be resizable. Is this a bug or a feature (in the page or the browser)?

  3. Charles

    Tuesday 31 July 2007 at 1:57 pm

    1- OK, if it’s Samba, or whatever it is, why doesn’t it time out? (Thinks: hmm, I have a program from Maxtor called the Maxback Engine which links – via Samba, I think – to a NAS disk. Could that be it?) Why does it kill everything around it?
    Or is calling nmblookup the machine’s last despairing act before it goes falco?

    2- it’s resizable in Camino. And in Safari too. Bottom right corner. Bug in ya browser?

    (Got to love the connections the database made. None correct. Poor Jemima, linked by MySQL’s madness to a crashed machine.)

  4. Simple solution: get jack to blog this on the GU site and the fanboys will deny the problem exists ;-}. Hope you get it sorted.
    PS Not re-sizeable in Windows – FF IE7 or Safari

  5. Have you tried asking on the samba forums? And, if you can get a command prompt from anywhere, might “nmbd -restart” help?

  6. I had similar problems. It disappeared when I updated Skype.

  7. Turn off “Windows Sharing” in the “Sharing” panel in your Mac’s System Preferences.

    “The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.”

    Windows networking is screwing up your Mac.

  8. Also, its important to remember that if some program other than OS X is running the process “nmblookup” and the option “Windows Sharing” is not selected or the port is not open in your Firewall (Windows Sharing does that automatically), then the process will just keep bouncing off of your Mac’s firewall.

    Either way OS X does not run the process by default, as far as I know.

  9. I cover over a dozen macs in three locations and I don’t think I have never seen what you describe. These are all OSX 10.4.10 and mostly G4s and G5s. This mostly graphics and we seldom run Office; But we use Mail and iCal a lot.

    On rare occasion these is a forever hangup but it does not result in lost files even when the Finder is choking on the Beachball.

  10. I bet its a third party program that’s causing the problem!

  11. Charles

    Tuesday 31 July 2007 at 10:42 pm

    @6 – I don’t run Skype.
    @7 – Windows Sharing isn’t on. Your next comment (@8) seems to be saying that I should turn it on. I do have a program (Maxtor MaxBack) that tries to connect to, I think, an NTFS NAS disk. You’re saying I should open that port?
    And I know that it doesn’t run by default – the fact that it’s there, stuck, indicates a bombed situation. But I don’t know if nmblookup is the cause, effect or just a symptom.
    @9 – rogre, I’ve got 10.4.10, all updates, and few twiddles.

  12. Just press opt+cmd+esc => the force quite command and cancel – that will bring your mac out of its stupor- i have had it happen when checking email on yahoo or similar javascript heavy stuff- but i dont know the exact cause – but then i just press the force quit command and cancel without quitting anything and things are fine.

  13. Weird that the Stepwise piece was from May 1999. That was pre-OS X, no?

    I don’t suppose you’re able to try killall nmblookup?

  14. Charles Says: “@7 – Windows Sharing isnít on. Your next comment (@8) seems to be saying that I should turn it on. I do have a program (Maxtor MaxBack) that tries to connect to, I think, an NTFS NAS disk. Youíre saying I should open that port?”

    No, I wasn’t saying that you should turn “Windows Sharing” on. Yes, I’m saying that “nmblookup” could be blocked by your firewall, which can be resolved by turning “Windows Sharing” on (because it automatically opens the port for SMB/Netbios) or manually open the SMB/Netbios ports yourself (SMB TCP 445 / UDP 137, 138). It could also be that whatever program is invoking “nmblookup” may need “Windows Sharing” activated in order to perform its function properly.

    Windows Sharing: “Click Start to let selected Windows users access shared folders on this computer using SMB/CIFS. This will also let Windows users print to shared printers.” – Apple

    Either way this is not an OS X bug, rather its a configuration problem.

    Is “Maxtor MaxBack” a Macintosh or Windows program? It doesn’t sound like a Mac program. If its a Windows program then you must be running it in a virtual environment on Windows and that’s a whole different problem.

  15. I have been using a daemon “unlookupd” for a few years. I still have an occasional system slowdown (hello SAFARI) but lookupd is now behaving.

    http://www.dshadow.com/software/unlockupd/

  16. Yep, “Max Back” (Max Backup) it’s a Windows program.

    So if your getting these errors in OS X it probably means that its coming from Windows or your Virtualization software that sharing your network connection. Again, either way it doesn’t sound like an OS X problem, rather a configuration problem or application problem; Windows or your virtualization software.

    “Format: Software | Size: 10,382KB | Date: Jul 2005 | Version: 1.0 | System Requirements: Windows NT/2000/XP/2003 Server, .Net Framework | License: Free to try | Price: $20.00 | Limitations: 30-use trial | Downloads: 16” – Softpedia.com

    You need to insure that the proper ports are open in OS X, if your Virtualization program is “sharing” your network connection. Or you should set up your Virtualization program to get its own IP address. Plus, either way you need to have your Windows firewall configured correctly.

    Don’t be so quick to blame OS X .

  17. while it is entirely possible that this evil sambasque daemon may be part of the problem, it is not the only cause.

    osx’s synchronous ‘funnel’ kernel thread model (network + everrything else) seems to invite problems for all corners, not just NMBlookup: i can get network-based apps to stall without any AFS or any NETBIOS, only TCP/IP (ie pure internet).

    apple QA is vastly over-rated (just like its eye-candy).

    osx can grind to a hault at the drop of a hat … yet apple doesnt provide any good telemetry for this (alas, the logs files — which are NOT structured as XML!! — do not systematically record the hangs, unlike the Activity Monitor!).

    apple & world class engineering.

    sadly, not in the same sentence.

  18. Zahadum @ “while it is entirely possible that this evil sambasque daemon may be part of the problem, it is not the only cause.”

    I’m saying SMB could be the cause. But the more I think about it, its impossible to diagnose a problem when you don’t even know what version of the operating system he’s running. Charles what version of OS X are you running? This goes for Windows too because apparently he’s running a virtualized copy with a PC application that’s requesting network access on a connection that’s shared with the Mac. What version of Windows is he running and what virtualization program is he using? Charles?

    For all I know Windows is spawning the process via his virtualization program in OS X and its bouncing off his Firewall into a loop of death. Who knows! But in this situation considering that he’s running Windows, I’d be very hard pressed to jump the gun and blame it on an OS X bug, since it seems to stem from the use of a Windows program called “Max Backup”.

    Zahadum @ “apple QA is vastly over-rated (just like its eye-candy).”

    Speaking of QA, Microsoft’s QA is notoriously worse; Windows, Xbox 360, and Zune have plenty of problems right out of the box. In fact, Microsoft just wrote off 1 billion dollars to cover every Xbox 360 made, since they are all assumed to be defective. Software is one thing but hardware is another, because software can be easily updated, unlike hardware that has to be recalled.

    Apple consistently gets better grades from Consumer Reports for service and reliability, but since slightest error gets trumpeted like the coming of the plague, it appears to be quite the opposite because of all the attention they get. On the other hand if someone finds a bug in a Microsoft or Dell product, no one cares, because its business as usual until its exploited and infects your computer.

    Charles, Apple just issued two updates, one for Airport and the other a security update. Best of luck.

  19. Charles

    Wednesday 1 August 2007 at 10:15 am

    @James – Maxback is the Mac implementation of Maxtor’s controller for NAS disks. No Windows here. No virtualisation. I’d have mentioned it. See http://www.seagate.com/www/en-us/support/downloads/shared_storage/ . This is purely OSX software.

    @sandifop – I’ve used unlockupd. Removed it, because it didn’t solve this problem. (Search this blog.) Where lookupd does die, one can restart it by killing it in Activity Monitor. It then restarts automatically.

    @pauldwaite – nope, can’t get at a Terminal window. One of the signs of this problem is that anything that might require authentication cannot happen. The password won’t work.

    @someone else – Cmd-opt-esc doesn’t even get close to this problem. I have Activity Monitor running all the time. Processes won’t quit: did you read the bit where I said that Word and iCal (for example) won’t die *even on force-quit*? This is a really deep problem. I am not an OSX newbie. And I’m not using frigging Windows either.

  20. This is not a common problem, so you obviously have a borked OS installation, or some third party software is interacting with the OS in a way that is causing things to get borked.

    Given the info you’ve revealed, the Maxtor MaxBack is obviously the first thing to try to isolate. Completely uninstall it, and see if the problem disappears. If it does, then you know where the problem lies.

  21. Isn’t anyone going to tell the man to run a real computer – ie, a PC? That’s what Mac users always do wnhenver PC people have a problem.

    wg

  22. @21 “Isnít anyone going to tell the man to run a real computer – ie, a PC?”

    No, they’re not.

    Cheers,

    – Mike

  23. Oh yes they are. Get a real computer, Charles!

  24. Did you get this resolved? Yeah, sounds like a 3rd Party app. If you have Little Snitch installed, you should check on what ports it’s blocking. Also checkout if you opened/closed anything in your firewall — but — deleted the app. I had MAMP running as MySQL server and put it on a different machine — but — forgot to delete port maps and some other dependencies, etc. My firewall is a sorta complex on my LAN (don’t ask), so I think you should start there. It solved my issue. Other than that, all I can think of is that there’s an app in a loop that’s doing something it shouldn’t ;) Reinstall X.

  25. may as well add my rant:

    The new version of little snitch is showing nmblookup in the LS Network Monitor widget and it’s red (why? I still don’t understand this new upgraded version). However nmblookup does not appear anywhere in activity monitor — nowhere — nothing about that is in the activity monitor.

    the LS Network Monitor widget where nmblookup shows in red also shows a connection history to My ISP’s-dashed-#s.dhcp.my-internet-provider.com — so wtf is it for?

    for sure there is one of my forums that os x/safari/camino/firefox is not letting me access — i keep getting the perpetual stupid incompetent safari crap error: (NSURLErrorDomain:-1011) or just a blank page. pinging from within network utitlity shows 100% packet loss. Pinging from an online ping util shows OK.

    wtf? so i don’t know what this means either except apple knows how to do some half-@ss lazy incompetent coding and safari is basically a piece of dog crap — it’s just faster dog crap on my particular piece of crap imac than the other sh*t browsers — and it’s still slower on this imac g5 than my old windoze piece of crap. I hate em both. go to hell apple

  26. I turned off all my sharing options and i notieced that the process was terminated specificly when i turned off internet sharing. Now all activity is stopped unless i surf the internet. This may help in solving what process is causing the problem.
    Cheers.!

  27. Howdy,
    I’ve noticed these netbios broadcasts for awhile. Always occurred with an upgrade on a powerpc G5 from osX 10.4.x to osX 10.5.x. Thought that running admitMac
    might have been the cause, but after contacting their support, they indicated it is a bug in OS X 10.5. Only way I’ve found to block it to actually reenable the
    firewall that is turned into a sieve on 10.5. Easy to block on 10.4. Little Snitch, Waterroof will block the outgoing netbios broadcasts, but this does not really
    fix the problem since the broadcasts are still occurring. This problem is 100% reproducible, but Apple is very, very quiet about it.
    Most people will only notice the other computer names appearing in “Shared” on their sidebar. However, they will not realize that some of this is due to broadcasts
    being done by their own computer. If anyone can pry Apple out of the hole they are hiding in, to look into being able to turn netbios broadcasts off, we would all
    appreciate.

  28. I should add to my previous comment. This problem is well over a year old. It was not a problem on os 10.4, just 10.5.
    To block netbios broadcasts using os 10.5’s firewall enter these commands from a terminal session.
    sudo ipfw add 1 deny tcp from any to any 137 out
    sudo ipfw add 2 deny udp from any to any 137 out
    This will hide the problem from the rest of your network, but it will not fix the real problem,
    which will still be sending out those broadcasts.
    One would think that mDNS would be enough.
    In any event, I should add that these will broadcasts only occur if you are logged on to your mac.
    They stop when you are logged off, indicating that it is a function of showing you what is shared in
    your drive window. Doesn’t have anything to do with you sharing anything from your mac.

  29. Why the heck would you need to or want to block them? No one has even mentioned what they are, what is being broadcast, or what the intended function of doing so is.

    I just got one today for the 1st time so before telling Little Snitch to allow or deny it I searched – and found this page. Totally useless page this is!

  30. nmblookup (or equivalent) is probably being used by Finder when you are logged in to “find” any CIFS/SMB shares that are available on your network. We use “nmblookup -M — -” from the command line to get a list of known CIFS/SMB servers. This sends “something” out on UDP port 137 to get that list of info. We then parse that info and use the smbclient command to get what shares are available.

    Problem is, nmblookup doesn’t always return the same thing Finder sees. Is Finder using nmblookup in OSX 10.5.x to get info, or some undocumented nmblookup equivalent?

  31. This problem originates in the shared microsoft network clients based on samba suite (built in) as there are many open terminals that “do” share as there are that “don’t”
    it is a malicious attack from a local / ftp ‘pc’ to search parse and upload your info and all based on very old protocols that go way back to exactly when microsoft deemed ports 137 138 & 139 plus 445 set as future port ftp so its going to be worse as these ports can also retrieve and send your regkey or admin apple and make a copy of you on your own comp then agree with all the incoming requests. there is no resolve for this COMPLETE BREACH OF SECURITY and your phone co will simply deny you another ip address so the only way to stop is to create a 73 item list of rules in little snitch, denying every request you see in LS then turn your fire wall ON not the top button as this leaves you open for attacks/requests. add your apps to the custom area and make sure when prompted you deny ports&’s, just click the single choices that admin your tasks not the top or bottom buttons.

    Then if you have TM, back up again and then add file vault in that order, it will recreate your home folder and delete all encrypted folders.

    Now your back on the “Net”

Comments are closed.