[cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?
Stefan Metzmacher
metze at samba.org
Thu Aug 6 09:20:29 UTC 2020
On 06.08.20 at 10:53, Stefan Metzmacher wrote:
> On 04.08.20 at 21:27, Stefan Metzmacher wrote:
>> On 04.08.20 at 12:37, Stefan Metzmacher via cifs-protocol wrote:
>>> Hi Bryan,
>>>
>>>> Thank you for the question. We created SR 120080321001822 To track this issue. An engineer will contact you soon.
>>>
>>> Thanks! Note the lifetime of the krb5 service tickets seems to be 1
>>> hour, maybe that's related.
>>>
>>> For SMB2 connections there's also a relationship to the lifetime of the
>>> krb5 service ticket, before the server starts returning
>>> NT_STATUS_SESSION_EXPIRED.
>>>
>>> Maybe the LDAP server is doing something similar.
>>
>> I was able to reproduce this with a client asking for a ticket lifetime
>> of just 4 seconds.
>>
>> It would be good to get that documented and how a client should
>> handle that.
>
> We found that this is related to RFC4511 section
> 4.4.1 Notice of Disconnection.
>
> While testing we found that Windows Servers have a cleanup timer that
> runs once a minute and closes any connection that's no
> longer valid (with just a TCP RST and without a Notice of Disconnection).
>
> If a client sends a request in the time window of 0-59 seconds between
> the connection expiration and the cleanup timer, the client will
> get the Notice of Disconnection. Once the client sends the TCP ACK for
> that, Windows 2008R2 and 2012R2 seem to send an immediate TCP RST,ACK.
> Is it possible that Windows 2019 doesn't send that TCP RST?
We also noticed that the Notice of Disconnection messages from Windows
violate the RFC.
        LDAPResult ::= SEQUENCE {
             resultCode         ENUMERATED {
                  success                      (0),
                  operationsError              (1),
                  protocolError                (2),
                  ...
                  other                        (80),
                  ... },
             matchedDN          LDAPDN,
             diagnosticMessage  LDAPString,
             referral           [3] Referral OPTIONAL }

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
             COMPONENTS OF LDAPResult,
             responseName     [10] LDAPOID OPTIONAL,
             responseValue    [11] OCTET STRING OPTIONAL }

        LDAPMessage ::= SEQUENCE {
             messageID       MessageID,
             protocolOp      CHOICE {
                  bindRequest           BindRequest,
                  bindResponse          BindResponse,
                  unbindRequest         UnbindRequest,
                  searchRequest         SearchRequest,
                  searchResEntry        SearchResultEntry,
                  searchResDone         SearchResultDone,
                  searchResRef          SearchResultReference,
                  modifyRequest         ModifyRequest,
                  modifyResponse        ModifyResponse,
                  addRequest            AddRequest,
                  addResponse           AddResponse,
                  delRequest            DelRequest,
                  delResponse           DelResponse,
                  modDNRequest          ModifyDNRequest,
                  modDNResponse         ModifyDNResponse,
                  compareRequest        CompareRequest,
                  compareResponse       CompareResponse,
                  abandonRequest        AbandonRequest,
                  extendedReq           ExtendedRequest,
                  extendedResp          ExtendedResponse,
                  ...,
                  intermediateResponse  IntermediateResponse },
             controls       [0] Controls OPTIONAL }
Two messages I saw from Windows are:

dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-expired.dat
  0  80: SEQUENCE {
       :   Error: Length '84 00 00 00 50' has non-canonical encoding.
  6   1:   INTEGER 0
  9  47:   [APPLICATION 24] {
       :     Error: Length '84 00 00 00 2F' has non-canonical encoding.
 15   1:     ENUMERATED 52
 18   0:     OCTET STRING
       :       Error: Object has zero length.
 20  40:     OCTET STRING 'The server has timed out this connection'
       :     }
 62  22:   [10] '1.3.6.1.4.1.1466.20036'
       :   }

dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-sign-des.dat
  0 127: SEQUENCE {
       :   Error: Length '84 00 00 00 7F' has non-canonical encoding.
  6   1:   INTEGER 0
  9  94:   [APPLICATION 24] {
       :     Error: Length '84 00 00 00 5E' has non-canonical encoding.
 15   1:     ENUMERATED 52
 18   0:     OCTET STRING
       :       Error: Object has zero length.
 20  87:     OCTET STRING
       :       '00000003: LdapErr: DSID-0C06041F, comment: Error'
       :       ' decrypting ldap message, data 0, vece.'
       :       Error: IA5String contains illegal character(s).
       :     }
109  22:   [10] '1.3.6.1.4.1.1466.20036'
       :   }
Notice that the [10] for "responseName [10] LDAPOID OPTIONAL" is not
within the [APPLICATION 24] block.
Can you please also document that?
Thanks!
metze
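Added example, not part of metze's post and not Samba code: a minimal BER decoder in Python that parses the first Windows Notice of Disconnection message above. The WINDOWS_NOD bytes are reconstructed from the first dumpasn1 listing (same tags, same 0x84 long-form lengths, same strings). parse_extended_response reports whether any length was non-canonical and whether responseName [10] was found inside the [APPLICATION 24] SEQUENCE (RFC 4511 layout) or as a sibling of it (the Windows layout in the post), so a client can accept both. encode_rfc_notice builds the conformant layout for comparison. The tag octets 0x78 ([APPLICATION 24], constructed) and 0x8A ([10], primitive) follow ordinary BER tag encoding; the function names are my own.

```python
# Added example (not from the post or from Samba): tolerant BER decoding of an
# LDAP ExtendedResponse carrying the Notice of Disconnection (RFC 4511 4.4.1).

NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"

TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_RESPONSE_NAME = 0x8A       # [10], context-specific, primitive

# Constructed from the first dumpasn1 listing in the post, byte for byte.
WINDOWS_NOD = (
    b"\x30\x84\x00\x00\x00\x50"                  # SEQUENCE, length 80, non-canonical long form
    b"\x02\x01\x00"                              # messageID INTEGER 0 (unsolicited notification)
    b"\x78\x84\x00\x00\x00\x2f"                  # [APPLICATION 24], length 47, non-canonical
    b"\x0a\x01\x34"                              # resultCode ENUMERATED 52 (unavailable)
    b"\x04\x00"                                  # matchedDN: empty
    b"\x04\x28" b"The server has timed out this connection"   # diagnosticMessage
    b"\x8a\x16" b"1.3.6.1.4.1.1466.20036"        # [10] responseName, OUTSIDE the [APPLICATION 24] block
)


def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, end, length_is_canonical)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used by LDAP")
    first = buf[pos + 1]
    if first < 0x80:                             # short form
        length, hdr, canonical = first, 2, True
    else:                                        # long form: 0x80 | number of length octets
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
        # Canonical: short form below 128, otherwise the fewest octets, no leading zero.
        canonical = length >= 0x80 and buf[pos + 2] != 0 and n == (length.bit_length() + 7) // 8
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return tag, buf[start:end], end, canonical


def children(value):
    """Split a constructed value into its (tag, value, canonical) components."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos, canonical = read_tlv(value, pos)
        out.append((tag, v, canonical))
    return out


def parse_extended_response(msg):
    """Parse an LDAPMessage holding an ExtendedResponse, accepting both layouts."""
    tag, body, end, canonical = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    top = children(body)
    if len(top) < 2 or top[0][0] != TAG_INTEGER or top[1][0] != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse LDAPMessage")
    fields = children(top[1][1])
    if [t for t, _, _ in fields[:3]] != [TAG_ENUMERATED, TAG_OCTET_STRING, TAG_OCTET_STRING]:
        raise ValueError("LDAPResult components missing")
    noncanonical = not canonical or any(not c for _, _, c in top + fields)
    info = {
        "messageID": int.from_bytes(top[0][1], "big", signed=True),
        "resultCode": int.from_bytes(fields[0][1], "big", signed=True),
        "matchedDN": fields[1][1].decode("utf-8"),
        "diagnosticMessage": fields[2][1].decode("utf-8"),
        "responseName": None,
        "responseName_outside_app24": False,
        "noncanonical_lengths": noncanonical,
    }
    for t, v, _ in fields[3:]:               # RFC 4511: [10] inside the ExtendedResponse
        if t == TAG_RESPONSE_NAME:
            info["responseName"] = v.decode("ascii")
    for t, v, _ in top[2:]:                  # Windows: [10] as a sibling of [APPLICATION 24]
        if t == TAG_RESPONSE_NAME:
            info["responseName"] = v.decode("ascii")
            info["responseName_outside_app24"] = True
    return info


def is_notice_of_disconnection(info):
    """RFC 4511 4.4.1: messageID 0 and responseName set to the NoD OID."""
    return info["messageID"] == 0 and info["responseName"] == NOTICE_OF_DISCONNECTION_OID


def tlv(tag, value):
    """Encode one TLV with a canonical length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_rfc_notice(diagnostic, result_code=52):
    """Build the Notice of Disconnection in the RFC 4511 layout, [10] inside [APPLICATION 24]."""
    ext = (tlv(TAG_ENUMERATED, bytes([result_code])) + tlv(TAG_OCTET_STRING, b"")
           + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))
           + tlv(TAG_RESPONSE_NAME, NOTICE_OF_DISCONNECTION_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x00") + tlv(TAG_EXTENDED_RESPONSE, ext))


if __name__ == "__main__":
    print(parse_extended_response(WINDOWS_NOD))
    print(parse_extended_response(encode_rfc_notice("The server has timed out this connection")))
```

A client that only searches inside the [APPLICATION 24] SEQUENCE for responseName will see the Windows message as an ExtendedResponse with resultCode 52 and no name, and will not recognise it as the unsolicited notification that means the connection is gone; checking the sibling position as well, and treating messageID 0 as the discriminator, keeps the client working against both encodings while the deviation is still flagged.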