[Samba] Debugging TLS Retry Handshake errors
abartlet at samba.org
Thu Sep 27 00:29:38 UTC 2018
On Wed, 2018-09-26 at 11:33 -0700, Kris Lou via samba wrote:
> So, I'm using Samba AD for user authentication by some web appliances,
> using LDAPS over port 636. I've been doing this for quite a while -- and
> my certificates and everything seem to check out.
> But this week (and with one appliance -- my firewall), I'm finding that
> maybe 3/20 times the bind will fail for perhaps 10 seconds. During this
> time, the logs read (for each failure):
> [2018/09/26 11:05:52.824630, 1]
> TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been
> I've repointed authentication to a single server (instead of using DNS
> round robin that apparently didn't work -- different issue), and manually
> spammed auth tests, which is how I was able to grab the above errors. And
> by manually, that's by clicking the "test authentication button", so no
> more than 3 times per 2 seconds (depends upon result speed).
> Does anybody have any suggestions for debugging this further?
> I don't have any "tls *" settings in my smb.conf, except the standard
Can you let me know what Samba version you are running, and if you are
using Samba 4.8 or later, try starting Samba with -M prefork.
Samba 4.7 has a mode that creates a new samba process for each LDAP
connection, which is great for parallelism but bad for performance if
you run out of memory or have a high connect/disconnect load (say from
simple bind authentication).
My guess is the TLS thing is a red herring, a symptom of an
unresponsive LDAP server due to high load.
What load do you see on the server? Is there anything else going on
that could create a long-lived transaction on the DB, like a big user
database, lots of writes and a second DC?
I'm sorry I don't have an easy answer but this might give you some
clues about where to start looking,
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
More information about the samba