Samba4 high cpu load
Günter Kukkukk
linux at kukkukk.com
Tue May 8 20:02:14 MDT 2012
On Monday 07 May 2012 19:23:05 steve wrote:
> On Friday 04 May 2012 08:53:25 steve wrote:
> > On 04/05/12 03:23, Günter Kukkukk wrote:
> > > On Monday 30 April 2012 16:04:37 steve wrote:
> > >> On 05/04/12 00:55, Günter Kukkukk wrote:
> > >>> On Wednesday 04 April 2012 15:33:46 steve wrote:
> > >>>> OpenSUSE 12.1
> > >>>> Version 4.0.0alpha19-GIT-7290a62
> > >
> > > I have started again to track that down.
> > > Will write a test applet to catch that as simple as possible, to discuss
> > > it with the gnutls devs.
> > >
> > > As a workaround you can use
> > >
> > > tls enabled = no
> > >
> > > in the [global] section of smb.conf
> > >
> > > I'll keep you informed about my findings.
> > >
> > > Cheers, Günter
> >
> > Thanks Günter
> > The workaround works fine. Please let me know if there is anything I can
> > test. I've switched to Ubuntu for the moment but have left this S4
> > install on openSUSE in case I can test anything.
> > Cheers,
> > Steve
>
> did some further investigations - intermediate results:
> The "samba4 hang with high cpu usage" happens during
> "gnutls_dh_params_generate2"
> which calculates the Diffie-Hellman key.
>
> One can check/simulate the same behaviour with:
> certtool --generate-dh-params --bits 1024
> or to get a file
> certtool --generate-dh-params --bits 1024 --outfile dh1024.pem
>
> The time it takes to calculate this key depends at least on the used
> gnutls version! Using certtool -v
> opensuse 11.4 (GnuTLS) 2.8.6 fast
> opensuse 12.1 (GnuTLS) 3.0.3 slow
> ubuntu 12.04 (GnuTLS) 2.12.14 fast
>
> I'll do further investigations the next days.
> To use TLS with samba4 with those slow versions, one can generate
> this DH key with certtool, as noted above.
> One must then add that param file to smb.conf in the [global] section:
>
> tls dh params file = /path/to/dh1024.pem
>
> I'm atm not quite sure whether this dh param file creation should
> be directed to cron to generate a new one - say every week ... (?)
>
> Cheers, Günter
>
> Some further readings:
> http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00008.html
> http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00012.html
> Also this bug is fixed in the 3.0.3 version:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168
> The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom
> One can check this with:
> strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024
>
> Hi Günter,
> Thanks for this. Just thinking out loud. Would a bugzilla to openSUSE,
> quoting this thread, help us at all?
>
> As far as I can see, the TLS certs are generated only once, the first
> time you start S4 after a new build and provision. I don't know when
> they expire.
>
> With Kerberos, do we even need TLS?
> Cheers,
> Steve
I've contacted one of the gnutls developers (Nikos Mavrogiannopoulos).
He told me that when generating the Diffie-Hellman key, some (3.x.x)
versions used a very slow algorithm.
He recommends to use gnutls >= 3.0.9
Opensuse 12.1 uses gnutls 3.0.3 atm.
So I did a recent gnutls-3.0.19 build.
With gnutls 3.0.19
time certtool --generate-dh-params --bits 1024
is now down to 1 - 2 seconds, compared to 3 - 5 minutes (!!!)
with former version 3.0.3 (from opensuse 12.1)
Will contact the opensuse maintainers.
Cheers, Günter
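The version check and the pre-generated "tls dh params file" workaround discussed in this thread, written up as an added shell example (not code from the thread, from Samba or from GnuTLS). It assumes the `certtool -v` banner contains "(GnuTLS) <version>" as quoted above; `DH_FILE` and `RUN_CHECK` are variable names introduced here, and `/path/to/dh1024.pem` is the thread's own placeholder.

```shell
#!/bin/sh
# Added example (not code from the thread, Samba or GnuTLS): flag a GnuTLS in
# the range the thread reports as slow in gnutls_dh_params_generate2 (3.0.x
# before the recommended 3.0.9) and apply the thread's workaround: generate the
# DH parameters once with certtool and point smb.conf at the file.

# Extract "X.Y.Z" from a "certtool -v" banner such as "certtool (GnuTLS) 3.0.3".
gnutls_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(GnuTLS) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) for 3.0.0 .. 3.0.8; 2.x releases and >= 3.0.9 are reported fast.
gnutls_dh_generation_slow() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 9 ]
}

# Generate the DH parameters once (the step the thread recommends) so samba
# never computes them at startup. Reuses an existing non-empty file.
ensure_dh_params() {
    out=$1; bits=${2:-1024}
    if [ ! -s "$out" ]; then
        command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 1; }
        certtool --generate-dh-params --bits "$bits" --outfile "$out" >/dev/null 2>&1 || return 1
    fi
    printf '%s\n' "$out"
}

# Assess a banner (defaults to the live "certtool -v" output); when the
# workaround is needed, print the [global] line to add to smb.conf.
check_host() {
    banner=${1:-$(certtool -v 2>/dev/null | head -n 1)}
    ver=$(gnutls_version_from_banner "$banner")
    [ -n "$ver" ] || { echo "could not parse a GnuTLS version" >&2; return 2; }
    if gnutls_dh_generation_slow "$ver"; then
        echo "GnuTLS $ver: slow DH generation, pre-generate the parameters and add:"
        echo "tls dh params file = ${DH_FILE:-/path/to/dh1024.pem}"
        return 1
    fi
    echo "GnuTLS $ver: DH generation not affected"
}

# Run the live check with: RUN_CHECK=1 sh this_script.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_host
fi
```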