Samba4 high cpu load

steve steve at steve-ss.com
Mon May 7 11:23:05 MDT 2012


On Friday 04 May 2012 08:53:25 steve wrote:
 > On 04/05/12 03:23, Günter Kukkukk wrote:
 > > On Monday 30 April 2012 16:04:37 steve wrote:
 > >> On 05/04/12 00:55, Günter Kukkukk wrote:
 > >>> On Wednesday 04 April 2012 15:33:46 steve wrote:
 > >>>> OpenSUSE 12.1
 > >>>> Version 4.0.0alpha19-GIT-7290a62
 > >
 > > I have started again to track that down.
 > > Will write a test applet to catch that as simple as possible, to discuss
 > > it with the gnutls devs.
 > >
 > > As a workaround you can use
 > >
 > >      tls enabled = no
 > >
 > > in the [global] section of smb.conf
 > >
 > > I'll keep you informed about my findings.
 > >
 > > Cheers, Günter
 >
 > Thanks Günter
 > The workaround works fine. Please let me know if there is anything I can
 > test. I've switched to Ubuntu for the moment but have left this S4
 > install on openSUSE in case I can test anything.
 > Cheers,
 > Steve

did some further investigations - intermediate results:
The "samba4 hang with high cpu usage" happens during 
"gnutls_dh_params_generate2"
which calculates the Diffie-Hellman key.

One can check/simulate the same behaviour with:
     certtool --generate-dh-params --bits 1024
or to get a file
     certtool --generate-dh-params --bits 1024 --outfile dh1024.pem

The time it takes to calculate this key depends at least on the gnutls
version used! Using certtool -v:
opensuse 11.4   (GnuTLS) 2.8.6       fast
opensuse 12.1   (GnuTLS) 3.0.3       slow
ubuntu 12.04    (GnuTLS) 2.12.14     fast

I'll do further investigations the next days.
To use TLS with samba4 with those slow versions, one can generate
this DH key with certtool, as noted above.
One must then add that param file to smb.conf in the [global] section:

    tls dh params file = /path/to/dh1024.pem

I'm atm not quite sure whether this dh param file creation should
be directed to cron to generate a new one - say every week ... (?)

Cheers, Günter

Some further readings:
http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00008.html
http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00012.html
Also this bug is fixed in the 3.0.3 version:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168
The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom
One can check this with:
strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024

Hi Günter,
Thanks for this. Just thinking out loud. Would a bugzilla to openSUSE, 
quoting this thread, help us at all?

As far as I can see, the TLS certs are generated only once, the first 
time you start S4 after a new build and provision. I don't know when 
they expire.

With Kerberos, do we even need TLS?
Cheers,
Steve
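The thread pins the hang on gnutls_dh_params_generate2 and works around it by
pre-generating dh1024.pem with certtool and pointing "tls dh params file" at it.
The following is an added example, not code from the thread, from Günter, from
Samba or from GnuTLS: it shows what such a generator has to do (search for a
prime p with (p-1)/2 also prime, using repeated Miller-Rabin tests, then pick a
generator) and why the cost grows steeply with the bit size, and it writes the
result in the same PKCS#3 "DH PARAMETERS" PEM form that dh1024.pem uses. The
safe-prime search is an assumption chosen to illustrate the cost class; it is
not a claim about the exact algorithm GnuTLS uses. Bit sizes of 64 to 128 run in
well under a second in pure Python; 1024 bits takes minutes, which is the
behaviour the thread describes.

```python
"""Toy Diffie-Hellman parameter generator: safe prime p = 2q + 1 plus a
generator of the order-q subgroup, encoded as PKCS#3 "DH PARAMETERS" PEM.
Added example (assumed safe-prime method, not GnuTLS's actual code)."""
import base64
import secrets
import time

# Small primes for cheap trial division before the expensive Miller-Rabin rounds.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=32):
    """Trial division by SMALL_PRIMES, then `rounds` Miller-Rabin rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def generate_dh_params(bits):
    """Search random odd q until both q and p = 2q + 1 are probable primes.
    Returns (p, g, candidates_tried). This is where the entropy source is
    consumed: one fresh random q per candidate."""
    tried = 0
    while True:
        tried += 1
        # (bits-1)-bit odd q with the top bit set, so p = 2q+1 has exactly `bits` bits.
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p % 3 != 2:                             # safe primes > 7 satisfy p = 2 (mod 3)
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            break
    # Smallest g > 1 of order q: g^q = 1 (mod p), i.e. a quadratic residue.
    g = 2
    while pow(g, q, p) != 1:
        g += 1
    return p, g, tried


def generate_timed(bits):
    """Wrap the search with a wall-clock timer to show the cost growth."""
    start = time.perf_counter()
    p, g, tried = generate_dh_params(bits)
    return {"p": p, "g": g, "candidates": tried, "seconds": time.perf_counter() - start}


# --- minimal DER helpers for SEQUENCE { INTEGER p, INTEGER g } (PKCS#3) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                                # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_read_len(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def encode_dh_params_pem(p, g):
    """Produce the same 'DH PARAMETERS' PEM shape that certtool writes."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def decode_dh_params_pem(pem):
    """Parse the PEM back into (p, g) so the encoding can be checked."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, i = _der_read_len(der, 1)
    values = []
    for _ in range(2):
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        n, i = _der_read_len(der, i + 1)
        values.append(int.from_bytes(der[i:i + n], "big"))
        i += n
    return values[0], values[1]


if __name__ == "__main__":
    for bits in (64, 96, 128):
        r = generate_timed(bits)
        print(f"{bits}-bit safe prime after {r['candidates']} candidates in {r['seconds']:.3f}s")
    p, g, _ = generate_dh_params(128)
    print(encode_dh_params_pem(p, g))
```

Running the script shows the candidate count and time climbing with the bit
size; the PEM it prints has the same header, base64 body and DER layout as a
certtool-generated dh1024.pem, which is why a file generated once (by certtool,
at the real 1024-bit size) can simply be handed to smbd via "tls dh params file"
instead of being recomputed at every start.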


