time out in samba4.ldap.dirsync.python(dc) test
Andrew Bartlett
abartlet at samba.org
Thu Jul 12 03:29:57 MDT 2012
On Wed, 2012-07-11 at 08:33 +1000, Andrew Bartlett wrote:
> On Tue, 2012-07-10 at 21:16 +0300, Alexander Bokovoy wrote:
> > Hi Andrew,
> >
> > On Tue, Jul 10, 2012 at 10:38 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > On Thu, 2012-04-12 at 17:09 +0300, Alexander Bokovoy wrote:
> > >> Hi,
> > >>
> > >> I'm seeing a time out while running samba4.ldap.dirsync.python(dc)
> > >> test in master (even before our kerberos refactoring work landed). It
> > >> all seems started with
> > >> https://git.samba.org/?p=samba.git;a=commitdiff;h=438971e214e6f55f19148ed2afc03ec1c7066f65
> > >> which landed in master on March 25th. I'm not sure why autobuild
> > >> didn't catch the time out.
> > >>
> > >> All I see in the output is neverending
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >> ldap: no matching message id for 23
> > >>
> > >> attaching strace shows that indeed there is a loop:
> > >
> > > Did you ever get anywhere on this? This has re-appeared, and likewise I
> > > suspected changes in my tree, until I reproduced it with unmodified
> > > master.
> > No, I didn't.
> >
> > > The attached patch helps, but I suspect it just masks the problem.
> > >
> > > It might be an issue in our SSL wrapped sockets client library.
> > I'll look at it soon, I haven't thought about this vector...
>
> Thanks.
>
> One idea I'm currently investigating is to replace the very low level
> ldap client lib (below ldap_request_send) with the lower level parts of
> tldap. I have no idea if it will either help or be practical, but I
> just wanted to give you a heads-up. As the issues appear to be in the
> tls layer, this would replace tls_socket with tls_tstream.
In the short term, perhaps it is related to these changes that were made
for the tstream wrapper but not the socket wrapper:
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 14 15:24:22 2010 +0100
s4:tls_tstream: also use a dynamic buffer for the pull side
Maybe that fixes the remaining issues with some gnutls versions.
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Tue Jan 18 17:26:08 CET 2011 on sn-devel-104
commit 361b4ed016a06717682e4071aa499a52b6c29dda
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 14 15:00:15 2010 +0100
s4:tls_tstream: fix partial reads, so that the gnutls layer doesn't
read the same data twice
metze
commit 69ad3f7f90273cb62f67331982a40aa99ea05d90
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 29 12:27:11 2010 +0100
tls_tstream: use a dynamic buffer for the push case
Some versions of gnutls doesn't handle EAGAIN correctly,
so we better allow sending buffers without a low size limitation,
the limit is now UINT16_MAX (0xFFFF) and we allocate the buffer
with talloc each time.
metze
commit a42ccab929766702029f624f5cc18bc034889c29
Author: Matthieu Patou <mat at matws.net>
Date: Thu Nov 18 10:35:06 2010 +0300
tls_tstream: increase the buffer size
The problem is that with certain version of gnutls are not working
properly if the server is sending in different packet things like
(at
least)
* Certificate
* Server Key exchange
* Client certificate
Somehow it really expect this to be done in one packet as some
structures used _gnutls_send_handshake are reinitialized at every
packet exchange and intermediate steps didn't expect it
Signed-off-by: Stefan Metzmacher <metze at samba.org>
:
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list