[Samba] Debugging TLS Retry Handshake errors

Kris Lou klou at themusiclink.net
Wed Sep 26 18:33:49 UTC 2018


So, I'm using Samba AD for user authentication by some web appliances,
using LDAPS over port 636.  I've been doing this for quite a while -- and
my certificates and everything seem to check out.

But this week (and with one appliance -- my firewall), I'm finding that
maybe 3/20 times the bind will fail for perhaps 10 seconds.  During this
time, the logs read (for each failure):

[2018/09/26 11:05:52.824630,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.

I've repointed authentication to a single server (instead of using DNS
round robin that apparently didn't work -- different issue), and manually
spammed auth tests, which is how I was able to grab the above errors.  And
by manually, that's by clicking the "test authentication button", so no
more than 3 times per 2 seconds (depends upon result speed).

Does anybody have any suggestions for debugging this further?

I don't have any "tls *" settings in my smb.conf, except the standard
cafile/certfile/keyfile.

Thanks,


Kris Lou
klou at themusiclink.net
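
One way to check whether the handshake failures cluster into short windows like the roughly 10-second ones described above, so the windows can be lined up against the appliance's own logs. This is an added example, not part of the original post or of Samba; the sample log is constructed, each header is assumed to sit on one line as in the log file itself, and the 30-second gap is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the two-line format quoted in the post
# (header line, then indented message). The third entry type is made up.
SAMPLE_LOG = """\
[2018/09/26 11:05:52.824630,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:05:54.101200,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:06:01.500000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:20:10.000000,  3] ../constructed/example.c:1(example_function)
  unrelated message
[2018/09/26 11:42:30.250000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
"""

# Header: [timestamp,  level] source-file:line(function)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+\S+\((\w+)\)\s*$")

def parse_entries(text):
    """Return (timestamp, level, function, message) for each log entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            current = [ts, int(m.group(2)), m.group(3), ""]
            entries.append(current)
        elif current is not None:
            # Continuation lines belong to the most recent header.
            current[3] = (current[3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def tls_failure_bursts(text, gap_seconds=30):
    """Group handshake failures into bursts; return (start, end, count) per burst."""
    times = sorted(ts for ts, _, func, _ in parse_entries(text)
                   if func == "tstream_tls_retry_handshake")
    bursts = []
    for ts in times:
        if bursts and ts - bursts[-1][-1] <= timedelta(seconds=gap_seconds):
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return [(b[0], b[-1], len(b)) for b in bursts]

if __name__ == "__main__":
    for start, end, count in tls_failure_bursts(SAMPLE_LOG):
        print(f"{start}  {count} failure(s) over {(end - start).total_seconds():.1f}s")
```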

