[cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Stefan Metzmacher metze at samba.org
Fri Aug 14 08:23:40 UTC 2020


Hi Obaid,

the server is sending the error 52.

It happens when the kerberos session ticket expired.
In my tests I request a ticket lifetime of just 4 seconds.

There're two cases:

1. If the client tries to send a request after the ticket expired,
   but the tcp connection is still alive, the server will send

   LDAPMessage extendedResp(0) (The server has timed out this connection)
      messageID: 0
      protocolOp: extendedResp (24)
      extendedResp
        resultCode: unavailable (52)
        matchedDN:
        errorMessage: The server has timed out this connection
      responseName: 1.3.6.1.4.1.1466.20036

   See ldap-search-krb5-expired-connection-01.pcap.gz frame 301-304

   This is a Notice of Disconnection see https://tools.ietf.org/html/rfc4511#section-4.4.1

   Also note the encoding does not match the definition from
   https://tools.ietf.org/html/rfc4511#section-4.12

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
             COMPONENTS OF LDAPResult,
             responseName     [10] LDAPOID OPTIONAL,
             responseValue    [11] OCTET STRING OPTIONAL }

   dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-expired.dat
     0  80: SEQUENCE {
          :   Error: Length '84 00 00 00 50' has non-canonical encoding.
     6   1:   INTEGER 0
     9  47:   [APPLICATION 24] {
          :     Error: Length '84 00 00 00 2F' has non-canonical encoding.
    15   1:     ENUMERATED 52
    18   0:     OCTET STRING
          :       Error: Object has zero length.
    20  40:     OCTET STRING 'The server has timed out this connection'
          :     }
    62  22:   [10] '1.3.6.1.4.1.1466.20036'
         :   }

    Note that the responseName [10] is not part of the [APPLICATION 24] element
    (as it should be).


2. If the ticket expires without any request from the client,
   the server seems to have a timer that runs every minute (in my examples always
   at second :36) and disconnects the tcp connection without a "Notice of Disconnection" LDAP pdu.

   See ldap-search-krb5-expired-connection-03.pcap.gz frames 269-271, 307:
   - all LDAP traffic happens in second :26 and the ticket is valid until second :30
     and the TCP disconnect happens at second :36

   See ldap-search-krb5-expired-connection-04.pcap.gz frames 303-305, 491:
   - all LDAP traffic happens in second :43 and the ticket is valid until second :47
     and the TCP disconnect happens (in the next minute) at second :36

   ldap-search-krb5-expired-connection-02-short-timeout.pcap.gz is a bit different
   see frames 273-275, 280:
   - all LDAP traffic happens in second :35 and the ticket is valid until second :39,
     but the TCP disconnect already happens at second :36, where the ticket is still
     valid for 3 seconds!


I've attached the captures and a keytab file, that allows decryption of the kerberos tickets
with wireshark.

Do you need more information?

Thanks!
metze

Am 13.08.20 um 21:54 schrieb Obaid Farooqi:
> Hi Metze:
> This information that you provided is not sufficient to figure out what is happening on the server side that is causing the client to issue the error. Can you please provide more details and possibly a network capture?
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi 
> Sent: Friday, August 7, 2020 1:49 PM
> To: 'Stefan Metzmacher' <metze at samba.org>
> Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; support <support at mail.support.microsoft.com>
> Subject: RE: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Metze:
> In case of Windows-Windows, error 52 is generated by the client side (the server does not generate this error). How and where are you getting this error?
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi 
> Sent: Thursday, August 6, 2020 12:39 PM
> To: Stefan Metzmacher <metze at samba.org>
> Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
> Subject: RE: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Metze:
> I'll help you with this issue and will be in touch as soon as I have an answer.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Bryan Burgin <bburgin at microsoft.com> 
> Sent: Monday, August 3, 2020 12:39 PM
> To: Stefan Metzmacher <metze at samba.org>
> Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
> Subject: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Stefan,
> 
> Thank you for the question.  We created SR 120080321001822 to track this issue.  An engineer will contact you soon.
> 
> Bryan
> 
> -----Original Message-----
> From: Stefan Metzmacher <metze at samba.org> 
> Sent: Monday, August 3, 2020 7:54 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] LDAP connections have hard timelimit of one hour?
> 
> Hi DocHelp,
> 
> I just debugged a problem where a Windows AD DC sent the following message after exactly 1 hour:
> 
>  LDAPMessage extendedResp(0) (The server has timed out this connection)
>      messageID: 0
>      protocolOp: extendedResp (24)
>      extendedResp
>      resultCode: unavailable (52)
>      matchedDN:
>      errorMessage: The server has timed out this connection
> 
> The connection was used at least every minute and the last success was returned 2 seconds before this.
> 
> These are Windows 2019 DCs, is this special to them, or does this happen with any Windows Version?
> 
> I can't find anything related in [MS-ADTS]
> 
> Can you clarify this?
> 
> Thanks!
> metze
> 

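The two encoding findings from the dumpasn1 listing above (non-canonical long-form lengths and responseName [10] placed as a sibling of the [APPLICATION 24] element rather than inside it) can be checked mechanically. The following is an added example, not code from the thread or from Samba: a small BER walker over a byte string reconstructed from the dumpasn1 offsets and lengths in the mail (the bytes are constructed here, not taken from the capture).

```python
# Added example, not from the thread: a minimal BER walker that decodes the
# Notice of Disconnection as dumpasn1 printed it and flags the deviations noted.
ERR = b"The server has timed out this connection"
OID = b"1.3.6.1.4.1.1466.20036"
# Reconstructed from the dumpasn1 listing: 0x84 = four-octet long-form length.
SERVER_PDU = (
    b"\x30\x84\x00\x00\x00\x50"      # LDAPMessage SEQUENCE, 80 bytes
    + b"\x02\x01\x00"                # messageID INTEGER 0
    + b"\x78\x84\x00\x00\x00\x2f"    # [APPLICATION 24] ExtendedResponse, 47 bytes
    + b"\x0a\x01\x34"                # resultCode ENUMERATED 52 (unavailable)
    + b"\x04\x00"                    # matchedDN, empty
    + b"\x04\x28" + ERR              # errorMessage
    + b"\x8a\x16" + OID              # responseName [10], sibling of APPLICATION 24
)

def read_tlv(buf, pos):
    """Decode one TLV: (class, tag number, value, end offset, canonical length?)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                 # short-form length
        length, hdr, canonical = first, 2, True
    else:                            # long form: 0x80|n followed by n octets
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        # shortest encoding: short form below 128, no leading zero octets above
        canonical = length >= 128 and (length >> (8 * (n - 1))) != 0
    start = pos + hdr
    return tag >> 6, tag & 0x1F, buf[start:start + length], start + length, canonical

def children(value):
    out, pos = [], 0                 # TLVs directly inside a constructed value
    while pos < len(value):
        out.append(read_tlv(value, pos))
        pos = out[-1][3]
    return out

def analyze_notice(pdu):
    """Decode the fields and flag where the encoding departs from RFC 4511 4.12."""
    cls, num, body, _, top_ok = read_tlv(pdu, 0)
    assert (cls, num) == (0, 16), "expected LDAPMessage SEQUENCE"
    top = children(body)
    ext = top[1]                     # protocolOp, expected [APPLICATION 24]
    inner = children(ext[2])
    has_name = lambda tlvs: any(t[0] == 2 and t[1] == 10 for t in tlvs)  # [10]
    bad = [n for n, ok in (("LDAPMessage", top_ok), ("ExtendedResponse", ext[4])) if not ok]
    return {
        "messageID": int.from_bytes(top[0][2], "big"),
        "resultCode": inner[0][2][0],
        "errorMessage": inner[2][2].decode(),
        "responseName_inside_extendedResp": has_name(inner),
        "responseName_at_message_level": has_name(top[2:]),
        "noncanonical_lengths": bad,
    }
```

Running `analyze_notice(SERVER_PDU)` reports resultCode 52, the responseName found at LDAPMessage level rather than inside the ExtendedResponse, and both outer lengths as non-canonical; a strict DER decoder would reject this PDU on the length encoding alone.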
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-search-krb5-expired-connection-01.pcap.gz
Type: application/gzip
Size: 15256 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20200814/2dafb3c6/ldap-search-krb5-expired-connection-01.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-search-krb5-expired-connection-03.pcap.gz
Type: application/gzip
Size: 58570 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20200814/2dafb3c6/ldap-search-krb5-expired-connection-03.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-search-krb5-expired-connection-04.pcap.gz
Type: application/gzip
Size: 74794 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20200814/2dafb3c6/ldap-search-krb5-expired-connection-04.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-search-krb5-expired-connection-02-short-timeout.pcap.gz
Type: application/gzip
Size: 66109 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20200814/2dafb3c6/ldap-search-krb5-expired-connection-02-short-timeout.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2008r2-133.keytab
Type: application/octet-stream
Size: 34235 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20200814/2dafb3c6/w2008r2-133.obj>