Samba4 high cpu load

steve steve at steve-ss.com
Wed May 9 02:21:12 MDT 2012


On 09/05/12 04:02, Günter Kukkukk wrote:
> On Monday 07 May 2012 19:23:05 steve wrote:
>> On Friday 04 May 2012 08:53:25 steve wrote:
>>   >  On 04/05/12 03:23, Günter Kukkukk wrote:
>>   >  >  On Monday 30 April 2012 16:04:37 steve wrote:
>>   >  >>  On 05/04/12 00:55, Günter Kukkukk wrote:
>>   >  >>>  On Wednesday 04 April 2012 15:33:46 steve wrote:
>>   >  >>>>  OpenSUSE 12.1
>>   >  >>>>  Version 4.0.0alpha19-GIT-7290a62
>>   >  >
>>   >  >  I have started again to track that down.
>>   >  >  Will write a test applet to catch that as simple as possible, to discuss
>>   >  >  it with the gnutls devs.
>>   >  >
>>   >  >  As a workaround you can use
>>   >  >
>>   >  >       tls enabled = no
>>   >  >
>>   >  >  in the [global] section of smb.conf
>>   >  >
>>   >  >  I'll keep you informed about my findings.
>>   >  >
>>   >  >  Cheers, Günter
>>   >
>>   >  Thanks Günter
>>   >  The workaround works fine. Please let me know if there is anything I can
>>   >  test. I've switched to Ubuntu for the moment but have left this S4
>>   >  install on openSUSE in case I can test anything.
>>   >  Cheers,
>>   >  Steve
>>
>> did some further investigations - intermediate results:
>> The "samba4 hang with high cpu usage" happens during
>> "gnutls_dh_params_generate2"
>> which calculates the Diffie-Hellman key.
>>
>> One can check/simulate the same behaviour with:
>>       certtool --generate-dh-params --bits 1024
>> or to get a file
>>       certtool --generate-dh-params --bits 1024 --outfile dh1024.pem
>>
>> The time it takes to calculate this key depends at least on the used
>> gnutls version! Using certtool -v
>> opensuse 11.4   (GnuTLS) 2.8.6       fast
>> opensuse 12.1   (GnuTLS) 3.0.3       slow
>> ubuntu 12.04    (GnuTLS) 2.12.14     fast
>>
>> I'll do further investigations the next days.
>> To use TLS with samba4 with those slow versions, one can generate
>> this DH key with certtool, as noted above.
>> One must then add that param file to smb.conf in the [global] section:
>>
>>      tls dh params file = /path/to/dh1024.pem
>>
>> I'm atm not quite sure whether this dh param file creation should
>> be directed to cron to generate a new one - say every week ... (?)
>>
>> Cheers, Günter
>>
>> Some further readings:
>> http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00008.html
>> http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00012.html
>> Also this bug is fixed in the 3.0.3 version:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168
>> The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom
>> One can check this with:
>> strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024
>>
>> Hi Günter,
>> Thanks for this. Just thinking out loud. Would a bugzilla to openSUSE,
>> quoting this thread, help us at all?
>>
>> As far as I can see, the TLS certs are generated only once, the first
>> time you start S4 after a new build and provision. I don't know when
>> they expire.
>>
>> With Kerberos, do we even need TLS?
>> Cheers,
>> Steve
>
> I've contacted one of the gnutls developers (Nikos Mavrogiannopoulos).
> He told me that when generating the Diffie-Hellman key, some (3.x.x)
> versions used a very slow algorithm.
> He recommends using gnutls >= 3.0.9
>
> Opensuse 12.1 uses gnutls 3.0.3 atm.
>
> So I did a recent gnutls-3.0.19 build.
>
> With gnutls 3.0.19
>     time certtool --generate-dh-params --bits 1024
> is now down to 1 - 2 seconds, compared to 3 - 5 minutes (!!!)
> with former version 3.0.3 (from opensuse 12.1)
>
> Will contact the opensuse maintainers.
>
> Cheers, Günter

Hi Günter

Thanks again.

Just compiled 3.0.19 on 12.1. Went OK after I installed libnettle;-) I 
have now removed the workaround from smb.conf:
#	tls enabled = No
Can confirm the quick startup. 1 second as opposed to 5 minutes!

I'm a little confused as when I went to uninstall 3.0.3 using YaST, I 
saw only libgnutls28-3.0.3 and libgnutls-devel-3.0.3 were installed. 
libgnutls28 had over 100 dependents so I left that installed and removed 
only the devel package. gnutls-3.0.3 was not installed. Is that OK?

BTW, just gone through a new S4 build with this configuration. All OK.

Cheers,
Steve
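The workaround discussed in this thread (pre-generating the DH parameters with certtool when the installed GnuTLS is one of the slow 3.0.x releases, pointing "tls dh params file" at the result, and regenerating it periodically as Günter wondered about), written up as an added shell helper that is not part of the thread or of Samba. It assumes certtool is on PATH and prints "(GnuTLS) x.y.z" in its --version output; the function names, the /etc/samba/dh1024.pem path and the 7-day refresh interval are assumptions.

```shell
#!/bin/sh
# Added helper (not from the thread): detect a GnuTLS 3.0.x older than 3.0.9,
# whose DH-parameter generator is the slow one reported above, and keep a
# pre-generated parameter file fresh for the "tls dh params file" directive.

# gnutls_dh_slow VERSION -> exit 0 when VERSION is 3.0.0 .. 3.0.8
gnutls_dh_slow() {
    # Append ".0.0" so "3", "3.0" and "3.0.3" all split into three fields;
    # strip any trailing non-digits from the patch level (e.g. "19-1").
    set -- $(printf '%s\n' "$1.0.0" | tr '.' ' ')
    patch=${3%%[!0-9]*}
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "${patch:-0}" -lt 9 ]
}

# installed_gnutls_version -> prints e.g. "3.0.3", parsed from "certtool --version"
installed_gnutls_version() {
    certtool --version 2>/dev/null | sed -n '1s/.*(GnuTLS) *\([0-9][0-9.]*\).*/\1/p'
}

# dh_params_stale FILE MAX_AGE_DAYS -> exit 0 when FILE is missing or older than that
dh_params_stale() {
    [ ! -f "$1" ] || [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# ensure_dh_params FILE BITS MAX_AGE_DAYS -> regenerate with certtool when stale,
# then print the smb.conf [global] line that points Samba at the file.
ensure_dh_params() {
    file=$1 bits=$2 max_age=$3
    if dh_params_stale "$file" "$max_age"; then
        certtool --generate-dh-params --bits "$bits" --outfile "$file" || return 1
    fi
    printf 'tls dh params file = %s\n' "$file"
}

main() {
    ver=$(installed_gnutls_version) || ver=""
    if [ -n "$ver" ] && gnutls_dh_slow "$ver"; then
        echo "GnuTLS $ver generates DH params slowly; pre-generating" >&2
        ensure_dh_params /etc/samba/dh1024.pem 1024 7   # assumed path and interval
    else
        echo "GnuTLS ${ver:-unknown}: no DH workaround needed" >&2
    fi
}

# Only act when invoked as "./dhcheck.sh --run"; sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron with --run to mirror the weekly regeneration Günter mentions; on a fixed GnuTLS it only reports that no workaround is needed.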