[Samba] Samba4 high cpu load
linux at kukkukk.com
Sun May 6 19:35:18 MDT 2012
On Friday 04 May 2012 08:53:25 steve wrote:
> On 04/05/12 03:23, Günter Kukkukk wrote:
> > On Monday 30 April 2012 16:04:37 steve wrote:
> >> On 05/04/12 00:55, Günter Kukkukk wrote:
> >>> On Wednesday 04 April 2012 15:33:46 steve wrote:
> >>>> OpenSUSE 12.1
> >>>> Version 4.0.0alpha19-GIT-7290a62
> > I have started again to track that down.
> > Will write a test applet to catch that as simple as possible, to discuss
> > it with the gnutls devs.
> > As a workaround you can use
> > tls enabled = no
> > in the [global] section of smb.conf
> > I'll keep you informed about my findings.
> > Cheers, Günter
> Thanks Günter
> The workaround works fine. Please let me know if there is anything I can
> test. I've switched to Ubuntu for the moment but have left this S4
> install on openSUSE in case I can test anything.
did some further investigations - intermediate results:
The "samba4 hang with high cpu usage" happens during "gnutls_dh_params_generate2"
which calculates the Diffie-Hellman key.
One can check/simulate the same behaviour with:
certtool --generate-dh-params --bits 1024
or to get a file
certtool --generate-dh-params --bits 1024 --outfile dh1024.pem
The time it takes to calculate this key depends at least on the used
gnutls version! Using certtool -v
opensuse 11.4 (GnuTLS) 2.8.6 fast
opensuse 12.1 (GnuTLS) 3.0.3 slow
ubuntu 12.04 (GnuTLS) 2.12.14 fast
I'll do further investigations the next days.
To use TLS with samba4 with those slow versions, one can generate
this DH key with certool, as noted above.
One must then add that param file to smb.conf in the [global] section:
tls dh params file = /path/to/dh1024.pem
I'm atm not quite sure whether this dh param file creation should
be directed to cron to generate a new one - say every week ... (?)
Some further readings:
Also this bug is fixed in the 3.0.3 version:
The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom
One can check this with:
strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024
More information about the samba