
Re: [Samba] Debugging TLS Retry Handshake errors

On Wed, 2018-09-26 at 11:33 -0700, Kris Lou via samba wrote:
> So, I'm using Samba AD for user authentication by some web appliances,
> using LDAPS over port 636.  I've been doing this for quite a while -- and
> my certificates and everything seem to check out.
> 
> But this week (and with one appliance -- my firewall), I'm finding that
> maybe 3/20 times the bind will fail for perhaps 10 seconds.  During this
> time, the logs read (for each failure):
> 
> [2018/09/26 11:05:52.824630,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
>   TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
> 
> I've repointed authentication to a single server (instead of using DNS
> round robin that apparently didn't work -- different issue), and manually
> spammed auth tests, which is how I was able to grab the above errors.  And
> by manually, that's by clicking the "test authentication button", so no
> more than 3 times per 2 seconds (depends upon result speed).
> 
> Does anybody have any suggestions for debugging this further?
> 
> I don't have any "tls *" settings in my smb.conf, except the standard
> cafile/certfile/keyfile.

G'Day Kris,

Can you let me know what Samba version you are running, and if you are
using Samba 4.8 or later, try starting Samba with -M prefork.

Samba 4.7 has a mode that creates a new samba process for each LDAP
connection, which is great for parallelism but bad for performance if
you run out of memory or have a high connect/disconnect load (say from
simple bind authentication).

My guess is the TLS thing is a red herring, a symptom of an
unresponsive LDAP server due to high load.

What load do you see on the server?  Is there anything else going on
that could create a long-lived transaction on the DB, like a big user
database, lots of writes and a second DC?

I'm sorry I don't have an easy answer but this might give you some
clues about where to start looking,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
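As an added example (not part of this thread), a small Python helper that groups Samba debug-log entries in the format Kris quoted and counts the tstream_tls_retry_handshake fatal alerts per time window. Bursts of alerts that line up with periods of high load on the DC support Andrew's reading that the TLS alert is a symptom rather than the cause; the sample log lines below are constructed, and the non-TLS entry uses a placeholder location.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Header of a Samba debug entry: "[YYYY/MM/DD HH:MM:SS.usec, level] location"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]")
TLS_ALERT = "A TLS fatal alert has been received"
EPOCH = datetime(1970, 1, 1)

# Constructed sample: two alerts a second apart, an unrelated entry, then one more alert.
SAMPLE_LOG = """\
[2018/09/26 11:05:52.824630,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:05:53.101200,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:05:58.001000,  3] ../source4/placeholder.c:1(constructed_entry)
  constructed non-TLS entry used only to show that other levels are kept
[2018/09/26 11:06:07.500000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
"""

def parse_entries(log_text):
    """Group a Samba debug log into (timestamp, level, body) tuples.
    The location may follow the header on the same line or be wrapped onto
    the next line (as in a mail quote); every line up to the next header
    belongs to the current entry's body."""
    entries = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, int(m.group(2)), line[m.end():].strip()])
        elif entries:
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def tls_alert_bursts(log_text, window_seconds=10):
    """Count TLS fatal-alert entries per fixed window, keyed by window start.
    Alerts clustered into a few windows, with quiet periods between them,
    point at intermittent server-side stalls rather than a certificate fault."""
    buckets = Counter()
    for ts, _level, body in parse_entries(log_text):
        if TLS_ALERT in body:
            secs = int((ts - EPOCH).total_seconds()) // window_seconds * window_seconds
            buckets[(EPOCH + timedelta(seconds=secs)).strftime("%Y/%m/%d %H:%M:%S")] += 1
    return dict(buckets)

if __name__ == "__main__":
    for window, count in sorted(tls_alert_bursts(SAMPLE_LOG).items()):
        print(f"{window}  {count} TLS fatal alert(s)")
```

Feed it the DC's log.samba (or the output of a higher `log level`) and compare the busy windows against CPU, memory and LDAP connection counts from the same period.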