[cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Stefan Metzmacher metze at samba.org
Thu Aug 6 09:20:29 UTC 2020


Am 06.08.20 um 10:53 schrieb Stefan Metzmacher:
> Am 04.08.20 um 21:27 schrieb Stefan Metzmacher:
>> Am 04.08.20 um 12:37 schrieb Stefan Metzmacher via cifs-protocol:
>>> Hi Bryan,
>>>
>>>> Thank you for the question.  We created SR 120080321001822 To track this issue.  An engineer will contact you soon.
>>>
>>> Thanks! Note the lifetime of the krb5 service tickets seems to be 1
>>> hour, maybe that's related.
>>>
>>> For SMB2 connections there's also a relationship to the lifetime of the
>>> krb5 service ticket, before the server starts returning
>>> NT_STATUS_SESSION_EXPIRED.
>>>
>>> Maybe the LDAP server is doing something similar.
>>
>> I was able to reproduce this with a client asking for a ticket lifetime
>> of just 4 seconds.
>>
>> It would be good to get that documented and how a client should
>> handle that.
> 
> We found that this is related to RFC4511 section
> 4.4.1 Notice of Disconnection.
> 
> While testing we found that Windows Servers have a cleanup timer that
> runs once a minute and closes any connection that's no
> longer valid (with just a TCP RST and without a Notice of Disconnection).
> 
> If a client sends a request in the time window of 0-59 seconds between
> the connection expiration and the cleanup timer, the client will
> get the Notice of Disconnection. Once the client sends the TCP ACK for
> that, Windows 2008R2 and 2012R2 seem to send an immediate TCP RST,ACK.
> Is it possible that Windows 2019 doesn't send that TCP RST?

We also noticed that the Notice of Disconnection messages from Windows
violate the RFC.

        LDAPResult ::= SEQUENCE {
             resultCode         ENUMERATED {
                  success                      (0),
                  operationsError              (1),
                  protocolError                (2),
                  ...
                  other                        (80),
                  ...  },
             matchedDN          LDAPDN,
             diagnosticMessage  LDAPString,
             referral           [3] Referral OPTIONAL }

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
             COMPONENTS OF LDAPResult,
             responseName     [10] LDAPOID OPTIONAL,
             responseValue    [11] OCTET STRING OPTIONAL }


        LDAPMessage ::= SEQUENCE {
             messageID       MessageID,
             protocolOp      CHOICE {
                  bindRequest           BindRequest,
                  bindResponse          BindResponse,
                  unbindRequest         UnbindRequest,
                  searchRequest         SearchRequest,
                  searchResEntry        SearchResultEntry,
                  searchResDone         SearchResultDone,
                  searchResRef          SearchResultReference,
                  modifyRequest         ModifyRequest,
                  modifyResponse        ModifyResponse,
                  addRequest            AddRequest,
                  addResponse           AddResponse,
                  delRequest            DelRequest,
                  delResponse           DelResponse,
                  modDNRequest          ModifyDNRequest,
                  modDNResponse         ModifyDNResponse,
                  compareRequest        CompareRequest,
                  compareResponse       CompareResponse,
                  abandonRequest        AbandonRequest,
                  extendedReq           ExtendedRequest,
                  extendedResp          ExtendedResponse,
                  ...,
                  intermediateResponse  IntermediateResponse },
             controls       [0] Controls OPTIONAL }


Two messages I saw from Windows are:

dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-expired.dat
  0  80: SEQUENCE {
       :   Error: Length '84 00 00 00 50' has non-canonical encoding.
  6   1:   INTEGER 0
  9  47:   [APPLICATION 24] {
       :     Error: Length '84 00 00 00 2F' has non-canonical encoding.
 15   1:     ENUMERATED 52
 18   0:     OCTET STRING
       :       Error: Object has zero length.
 20  40:     OCTET STRING 'The server has timed out this connection'
       :     }
 62  22:   [10] '1.3.6.1.4.1.1466.20036'
       :   }


dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-sign-des.dat
  0 127: SEQUENCE {
       :   Error: Length '84 00 00 00 7F' has non-canonical encoding.
  6   1:   INTEGER 0
  9  94:   [APPLICATION 24] {
       :     Error: Length '84 00 00 00 5E' has non-canonical encoding.
 15   1:     ENUMERATED 52
 18   0:     OCTET STRING
       :       Error: Object has zero length.
 20  87:     OCTET STRING
       :       '00000003: LdapErr: DSID-0C06041F, comment: Error'
       :       ' decrypting ldap message, data 0, vece.'
       :       Error: IA5String contains illegal character(s).
       :     }
109  22:   [10] '1.3.6.1.4.1.1466.20036'
       :   }

Notice that the [10] for "responseName     [10] LDAPOID OPTIONAL" is not
within the [APPLICATION 24] block.

Can you please also document that?

Thanks!
metze
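Added example (not part of the mail, nor Samba's or Windows' code): a minimal BER reader that accepts the non-minimal `84 00 00 00 xx` lengths shown in the dumpasn1 output and finds the Notice of Disconnection OID whether the `[10] responseName` sits inside the `[APPLICATION 24]` ExtendedResponse, as RFC 4511 specifies, or beside it at the LDAPMessage level, as observed from Windows. The 86-byte sample is constructed here to match the first dump above; tag values (0x78, 0x8A) and the result dictionary are this example's own choices.

```python
# Context-specific tags: [APPLICATION 24] constructed = 0x60|24 = 0x78, [10] = 0x8A.
NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos). Tolerates long-form lengths such as
    84 00 00 00 50 that dumpasn1 reports as non-canonical."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length not allowed in LDAP")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def parse_extended_response(msg):
    """Parse an LDAPMessage carrying an ExtendedResponse; report where
    responseName was found so a client can tolerate the Windows layout."""
    _, body, _ = read_tlv(msg, 0)                      # outer LDAPMessage SEQUENCE
    fields = list(iter_tlvs(body))
    out = {"message_id": int.from_bytes(fields[0][1], "big"), "response_name_at": None}
    op_tag, op = fields[1]
    if op_tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    inner = list(iter_tlvs(op))                         # COMPONENTS OF LDAPResult first
    out["result_code"] = int.from_bytes(inner[0][1], "big")
    out["matched_dn"] = inner[1][1].decode()
    out["diagnostic"] = inner[2][1].decode("utf-8", "replace")
    for tag, value in inner[3:]:                        # RFC-conformant placement
        if tag == 0x8A:
            out["response_name"], out["response_name_at"] = value.decode(), "extendedResponse"
    for tag, value in fields[2:]:                       # Windows quirk: [10] beside protocolOp
        if tag == 0x8A:
            out["response_name"], out["response_name_at"] = value.decode(), "ldapMessage"
    out["notice_of_disconnection"] = out.get("response_name") == NOTICE_OF_DISCONNECTION
    return out

# Constructed sample: byte-for-byte the layout of the first dumpasn1 listing (86 bytes).
DIAG = b"The server has timed out this connection"
OID = NOTICE_OF_DISCONNECTION.encode()
EXT_BODY = b"\x0a\x01\x34" + b"\x04\x00" + b"\x04" + bytes([len(DIAG)]) + DIAG
WINDOWS_NOTICE = (b"\x30\x84\x00\x00\x00\x50" + b"\x02\x01\x00"
                  + b"\x78\x84\x00\x00\x00\x2f" + EXT_BODY
                  + b"\x8a" + bytes([len(OID)]) + OID)
```

A client that only looks for `[10]` inside the ExtendedResponse would miss the Windows variant and treat the following TCP RST as an unexplained drop rather than an announced disconnection.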
