[cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Stefan Metzmacher metze at samba.org
Thu Aug 6 08:53:21 UTC 2020


Am 04.08.20 um 21:27 schrieb Stefan Metzmacher:
> Am 04.08.20 um 12:37 schrieb Stefan Metzmacher via cifs-protocol:
>> Hi Bryan,
>>
>>> Thank you for the question.  We created SR 120080321001822 To track this issue.  An engineer will contact you soon.
>>
>> Thanks! Note the lifetime of the krb5 service tickets seems to be 1
>> hour, maybe that's related.
>>
>> For SMB2 connections there's also a relationship to the lifetime of the
>> krb5 service ticket, before the server starts returning
>> NT_STATUS_SESSION_EXPIRED.
>>
>> Maybe the LDAP server is doing something similar.
> 
> I was able to reproduce this with a client asking for a ticket lifetime
> of just 4 seconds.
> 
> It would be good to get that documented and how a client should
> handle that.

We found that this is related to RFC4511 section
4.4.1 Notice of Disconnection.

While testing we found that Windows Servers have a cleanup timer that
runs once a minute and closes any connection that's no
longer valid (with just a TCP RST and without a Notice of Disconnection).

If a client sends a request in the time window of 0-59 seconds between
the connection expiration and the cleanup timer, the client will
get the Notice of Disconnection. Once the client sends the TCP ACK for
that, Windows 2008R2 and 2012R2 seem to send an immediate TCP RST,ACK.
Is it possible that Windows 2019 doesn't send that TCP RST?

Thanks!
metze
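
Added example, not part of the original message and not Samba or Windows code: a minimal BER parser a client could use to tell an RFC 4511 section 4.4.1 Notice of Disconnection (unsolicited ExtendedResponse with messageID 0 and responseName 1.3.6.1.4.1.1466.20036) from other responses. The tlv helper, the sample PDUs and the resultCode 52 (unavailable) inside them are constructed for illustration.

```python
NOTICE_OID = b"1.3.6.1.4.1.1466.20036"  # responseName, RFC 4511 section 4.4.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_notice(pdu):
    """Return (resultCode, diagnosticMessage) for a Notice of Disconnection, else None."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = read_tlv(msg, 0)
    if tag != 0x02:                       # messageID INTEGER
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    # Unsolicited notifications are ExtendedResponse ([APPLICATION 24]) with messageID 0.
    if tag != 0x78 or int.from_bytes(msg_id, "big", signed=True) != 0:
        return None
    _, code, pos = read_tlv(op, 0)        # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)         # matchedDN
    _, diag, pos = read_tlv(op, pos)      # diagnosticMessage
    while pos < len(op):                  # skip optional referral, find responseName [10]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A and val == NOTICE_OID:
            return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")
    return None

def tlv(tag, value):
    """Encode one short-form TLV (value under 128 bytes); used only to build samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample PDUs (not captured traffic).
SAMPLE_NOTICE = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x78, tlv(0x0A, b"\x34")
    + tlv(0x04, b"") + tlv(0x04, b"constructed sample") + tlv(0x8A, NOTICE_OID)))
SAMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x00")
    + tlv(0x04, b"") + tlv(0x04, b"")))
```

A connection closed with only a TCP RST never delivers such a PDU; the client sees a socket error such as ConnectionResetError instead, so both paths need handling.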
