[cifs-protocol] [EXTERNAL] Re: [REG:120081821001388] LDAP connections have hard timelimit of one hour?

Obaid Farooqi obaidf at microsoft.com
Fri Sep 11 21:11:03 UTC 2020


Hi Metze:
I have filed two bugs to document the behaviors: the first one for the details of the timer when the Kerberos ticket has expired, and the second one for the incorrect encoding of the ExtendedResponse in the LDAP error message.

Please let me know if it does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, September 3, 2020 11:36 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
Subject: RE: [EXTERNAL] Re: [REG:120080321001822] LDAP connections have hard timelimit of one hour?


Hi Metze:
Please send me requested traces.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, August 27, 2020 1:36 PM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
Subject: RE: [EXTERNAL] Re: [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Hi Metze:
Please send me ttt traces of the lsass process for these behaviors. I have uploaded PartnerTTDRecorder_x86_x64.zip to the following link. Please extract the contents of the amd64\TTD folder to your DC in directory c:\ttt.

https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiMGU2MDMzNTktYzhhOS00NDRlLWEzYjMtMWJmMGZiOTZkNDY1Iiwic3IiOiIxMjAwODE4MjEwMDEzNjUiLCJhcHBpZCI6ImU2ZWU0M2ViLTBmYmMtNDU0Ni1iYzUyLTRjMTYxZmNkZjRjNCIsInN2IjoidjEiLCJycyI6IkV4dGVybmFsIiwid3RpZCI6ImYxNTYwNTA0LWNhMjEtNDk4OS1iOTBlLTJhZGQxOWJkOGVhZSIsImlzcyI6Imh0dHBzOi8vYXBpLmR0bW5lYnVsYS5taWNyb3NvZnQuY29tIiwiYXVkIjoiaHR0cDovL3NtYyIsImV4cCI6MTYwNjMyNzU1OCwibmJmIjoxNTk4NTUxNTU4fQ.MlHqfwquXqNRTnQW9uSEW25TiguN_HHQ9d1J2UcBSGsGmzND7vpH9_JpL_q5HHYeTCXJjE0EggKtYxd9xOLyVmRWRaUDmL6gKT_9ttQTFdczXKgql1Pxc_GTDT6ddnBuB9xIXuyDpXv1Kc5lpv-3jijTWollwikcd5ylZUBNKZow_uFGB7VoZ8HEAn-8_D7ioKMfBtAd11ZLeTlrlHMm5KLAj6x0LUdYitIDTfgTFV7Gmrte5QZrPEoUt27I4Gj6ZPXrPcKvFJKS99mpWkB4RIg4FAf6bAM1BGZYfjc_wLR_305O6j-kjpnAWqjn6906mxMBL_sSxzGnxNl3hRPu5A&wid=0e603359-c8a9-444e-a3b3-1bf0fb96d465

Username: 120081821001365_noemail at dtmxfer.onmicrosoft.com
Password: h5l_Qtt1
 
Please follow the steps below to capture the traces and send them to me.
1. Open an elevated cmd window
2. cd to c:\ttt
3. Execute the following command to find the PID of the lsass process
	C:\ttt>tasklist | findstr /i "lsass"
4. Execute the following command to start tracing lsass
	C:\ttt>tttracer -attach PID
    Where PID is the number from step 3
5. Wait for a little window to pop up titled "lsass01.run"
6. Start the network capture
7. Reproduce the problem
8. After the repro, uncheck the box next to "Tracing..." in the window "lsass01.run"
9. A file named lsass01.run will be generated.
10. Stop and save the network capture
11. Zip lsass01.run and the network capture, upload them to the link above and let me know.


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Monday, August 17, 2020 11:31 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
Subject: RE: [EXTERNAL] Re: [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Hi Metze:
Thanks for the info. I'll look into this and will get back to you when I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Friday, August 14, 2020 3:24 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
Subject: [EXTERNAL] Re: [REG:120080321001822] LDAP connections have hard timelimit of one hour?

Hi Obaid,

the server is sending the error 52.

It happens when the kerberos session ticket expired.
In my tests I request a ticket lifetime of just 4 seconds.

There're two cases:

1. If the client tries to send a request after the ticket expired,
   but the tcp connection is still alive, the server will send

   LDAPMessage extendedResp(0) (The server has timed out this connection)
      messageID: 0
      protocolOp: extendedResp (24)
      extendedResp
        resultCode: unavailable (52)
        matchedDN:
        errorMessage: The server has timed out this connection
      responseName: 1.3.6.1.4.1.1466.20036

   See ldap-search-krb5-expired-connection-01.pcap.gz frame 301-304

   This is a Notice of Disconnection, see https://tools.ietf.org/html/rfc4511#section-4.4.1

   Also note the encoding does not match the definition from
   https://tools.ietf.org/html/rfc4511#section-4.12

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
             COMPONENTS OF LDAPResult,
             responseName     [10] LDAPOID OPTIONAL,
             responseValue    [11] OCTET STRING OPTIONAL }

   dumpasn1 ~/devel/caps/ldap/ldap-krb5-extended-response-expired.dat
     0  80: SEQUENCE {
          :   Error: Length '84 00 00 00 50' has non-canonical encoding.
     6   1:   INTEGER 0
     9  47:   [APPLICATION 24] {
          :     Error: Length '84 00 00 00 2F' has non-canonical encoding.
    15   1:     ENUMERATED 52
    18   0:     OCTET STRING
          :       Error: Object has zero length.
    20  40:     OCTET STRING 'The server has timed out this connection'
          :     }
    62  22:   [10] '1.3.6.1.4.1.1466.20036'
         :   }

    Note that the responseName [10] is not part of the [APPLICATION 24] element
    (as it should be).


2. If the ticket expires without any request from the client,
   the server seems to have a timer that runs every minute (in my examples always
   at second :36) and disconnects the tcp connection without a "Notice of Disconnection" LDAP pdu.

   See ldap-search-krb5-expired-connection-03.pcap.gz frames 269-271, 307:
   - all LDAP traffic happens in second :26 and the ticket is valid until second :30
     and the TCP disconnect happens at second :36

   See ldap-search-krb5-expired-connection-04.pcap.gz frames 303-305, 491:
   - all LDAP traffic happens in second :43 and the ticket is valid until second :47
     and the TCP disconnect happens (in the next minute) at second :36

   ldap-search-krb5-expired-connection-02-short-timeout.pcap.gz is a bit different
   see frames 273-275, 280:
   - all LDAP traffic happens in second :35 and the ticket is valid until second :39,
     but the TCP disconnect already happens at second :36, where the ticket is still
     valid for 3 seconds!


I've attached the captures and a keytab file that allows decryption of the Kerberos tickets with Wireshark.

Do you need more information?

Thanks!
metze
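An added example (not code from this thread, from Samba or from Microsoft): a small BER decoder in Python that reproduces the two encoding findings above, the non-canonical 84 00 00 00 NN length form and the responseName [10] sitting next to the [APPLICATION 24] element instead of inside it. The SAMPLE bytes are constructed from the dumpasn1 offsets and lengths quoted in the mail, not taken from a capture; the audit() and encode_notice_of_disconnection() helpers are assumptions of this example, the latter building the RFC 4511 form for comparison.

```python
"""
BER audit for the LDAP Notice of Disconnection quoted in the mail.
Added example: SAMPLE is constructed from the dumpasn1 output (offsets,
lengths, strings); it is not a capture and not code from the thread.
"""

TAG_SEQUENCE = 0x30            # UNIVERSAL 16, constructed (LDAPMessage)
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_RESPONSE_NAME = 0x8A       # [10] IMPLICIT, primitive (LDAP tags are IMPLICIT)

# Constructed sample matching the dumpasn1 listing in the mail.
SAMPLE = (
    b"\x30\x84\x00\x00\x00\x50"   # SEQUENCE, 80 bytes, non-canonical 5-byte length
    b"\x02\x01\x00"               # messageID INTEGER 0
    b"\x78\x84\x00\x00\x00\x2f"   # [APPLICATION 24], 47 bytes, non-canonical length
    b"\x0a\x01\x34"               # resultCode ENUMERATED 52 (unavailable)
    b"\x04\x00"                   # matchedDN: empty
    b"\x04\x28" b"The server has timed out this connection"  # errorMessage
    b"\x8a\x16" b"1.3.6.1.4.1.1466.20036"  # responseName [10]: sibling of the ExtendedResponse
)


def read_tlv(buf, pos):
    """Parse one BER tag and length at buf[pos]; return (tag, value_start, value_end, canonical).
    canonical is False when the long form is used for a length < 128 or has leading zero bytes."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first, True
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP (RFC 4511, 5.1)")
    nbytes = first & 0x7F
    raw = buf[pos + 2:pos + 2 + nbytes]
    length = int.from_bytes(raw, "big")
    start = pos + 2 + nbytes
    return tag, start, start + length, (length >= 0x80 and raw[0] != 0)


def decode(buf, start=0, end=None):
    """Decode buf[start:end] into a list of nodes; constructed nodes carry 'children'."""
    end = len(buf) if end is None else end
    nodes, pos = [], start
    while pos < end:
        tag, vstart, vend, canonical = read_tlv(buf, pos)
        if vend > end:
            raise ValueError(f"element at offset {pos} overruns its container")
        node = {"tag": tag, "offset": pos, "canonical": canonical}
        if tag & 0x20:                       # constructed: recurse into the content
            node["children"] = decode(buf, vstart, vend)
        else:
            node["value"] = buf[vstart:vend]
        nodes.append(node)
        pos = vend
    return nodes


def audit(buf):
    """Return findings for an LDAPMessage carrying an ExtendedResponse."""
    findings = []

    def walk(nodes):
        for n in nodes:
            if not n["canonical"]:
                findings.append(f"offset {n['offset']}: tag 0x{n['tag']:02x} length has non-canonical encoding")
            walk(n.get("children", []))

    top = decode(buf)
    if len(top) != 1 or top[0]["tag"] != TAG_SEQUENCE:
        raise ValueError("expected a single LDAPMessage SEQUENCE")
    walk(top)
    message = top[0]["children"]
    if len(message) < 2 or message[1]["tag"] != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse")
    inner_tags = [c["tag"] for c in message[1]["children"]]
    stray = [c for c in message[2:] if c["tag"] == TAG_RESPONSE_NAME]
    if stray and TAG_RESPONSE_NAME not in inner_tags:
        findings.append(f"offset {stray[0]['offset']}: responseName [10] is a sibling of "
                        "[APPLICATION 24] instead of a component of it (RFC 4511, 4.12)")
    return findings


def describe(buf):
    """Extract resultCode, errorMessage and responseName, wherever the server placed the name."""
    top = decode(buf)[0]["children"]
    op = top[1]["children"]
    names = [n for n in op[3:] + top[2:] if n["tag"] == TAG_RESPONSE_NAME]
    return {"resultCode": int.from_bytes(op[0]["value"], "big"),
            "errorMessage": op[2]["value"].decode("utf-8"),
            "responseName": names[0]["value"].decode("ascii") if names else None}


def tlv(tag, value):
    """Encode one TLV with the shortest length form, as RFC 4511 5.1 requires."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def encode_notice_of_disconnection(error_message="The server has timed out this connection"):
    """Build the RFC 4511 form: responseName [10] inside [APPLICATION 24], messageID 0."""
    extended_response = tlv(TAG_EXTENDED_RESPONSE,
                            tlv(TAG_ENUMERATED, b"\x34")                     # unavailable (52)
                            + tlv(TAG_OCTET_STRING, b"")                     # matchedDN
                            + tlv(TAG_OCTET_STRING, error_message.encode())  # errorMessage
                            + tlv(TAG_RESPONSE_NAME, b"1.3.6.1.4.1.1466.20036"))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x00") + extended_response)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(describe(SAMPLE))
    print("RFC 4511 form audit:", audit(encode_notice_of_disconnection()))
```

A client that wants to recognise the notice regardless of where the responseName ends up can use the describe() approach (look both inside the ExtendedResponse and beside it); a strict decoder that only looks inside [APPLICATION 24] will see an ExtendedResponse with no responseName and may not treat it as the Notice of Disconnection at all.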

Am 13.08.20 um 21:54 schrieb Obaid Farooqi:
> Hi Metze:
> The information that you provided is not sufficient to figure out what is happening on the server side that is causing the client to issue the error. Can you please provide more details and possibly a network capture?
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Friday, August 7, 2020 1:49 PM
> To: 'Stefan Metzmacher' <metze at samba.org>
> Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; 
> support <support at mail.support.microsoft.com>
> Subject: RE: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Metze:
> In the case of Windows-Windows, error 52 is generated by the client side (the server does not generate this error). How and where are you getting this error?
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Thursday, August 6, 2020 12:39 PM
> To: Stefan Metzmacher <metze at samba.org>
> Cc: cifs-protocol at lists.samba.org; support 
> <support at mail.support.microsoft.com>
> Subject: RE: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Metze:
> I'll help you with this issue and will be in touch as soon as I have an answer.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Bryan Burgin <bburgin at microsoft.com>
> Sent: Monday, August 3, 2020 12:39 PM
> To: Stefan Metzmacher <metze at samba.org>
> Cc: cifs-protocol at lists.samba.org; support 
> <support at mail.support.microsoft.com>
> Subject: [REG:120080321001822] LDAP connections have hard timelimit of one hour?
> 
> Hi Stefan,
> 
> Thank you for the question. We created SR 120080321001822 to track this issue. An engineer will contact you soon.
> 
> Bryan
> 
> -----Original Message-----
> From: Stefan Metzmacher <metze at samba.org>
> Sent: Monday, August 3, 2020 7:54 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] LDAP connections have hard timelimit of one hour?
> 
> Hi DocHelp,
> 
> I just debugged a problem where a Windows AD DC sent the following message after exactly 1 hour:
> 
>  LDAPMessage extendedResp(0) (The server has timed out this connection)
>      messageID: 0
>      protocolOp: extendedResp (24)
>      extendedResp
>      resultCode: unavailable (52)
>      matchedDN:
>      errorMessage: The server has timed out this connection
> 
> The connection was used at least every minute and the last success was returned 2 seconds before this.
> 
> These are Windows 2019 DCs, is this special to them, or does this happen with any Windows Version?
> 
> I can't find anything related in [MS-ADTS]
> 
> Can you clarify this?
> 
> Thanks!
> metze
> 


