[Samba] Debugging TLS Retry Handshake errors

[Kris Lou]

Hi Andrew,

Thanks for the response.  I'm running 4.7.6, there are 3 DC's, but in my
tests, I'm directly pointed at only 1.  And the actual CPU/ memory load is
minimal - ~4%/6GB free.

>From the client side, I'm pretty sure my tests are PHP calling
ldap_connect()
<https://github.com/pfsense/pfsense/blob/157aff9e256aa235ba68ccc2168c61fc61e90072/src/etc/inc/auth.inc#L960>
.

It's not the end of the world, and so far, it's the only appliance or
application that's affected.  Other tests with other web appliances don't
exhibit the same issue, so I'm going to start pointing fingers there.  This
one just happened to crop up this week (and this week only).

Worst case scenario (if this doesn't work itself out ...), I change
authentication from LDAPS to Radius.

Thanks,
-Kris








Kris Lou
klou at themusiclink.net

On Wed, Sep 26, 2018 at 5:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2018-09-26 at 11:33 -0700, Kris Lou via samba wrote:
> > So, I'm using Samba AD for user authentication by some web appliances,
> > using LDAPS over port 636.  I've been doing this for quite a while -- and
> > my certificates and everything seem to check out.
> >
> > But this week (and with one appliance -- my firewall), I'm finding that
> > maybe 3/20 times the bind will fail for perhaps 10 seconds.  During this
> > time, the logs read (for each failure):
> >
> > [2018/09/26 11:05:52.824630,  1]
> > ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
> >   TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been
> > received.
> >
> > I've repointed authentication to a single server (instead of using DNS
> > round robin that apparently didn't work -- different issue), and manually
> > spammed auth tests, which is how I was able to grab the above errors.
> And
> > by manually, that's by clicking the "test authentication button", so no
> > more than 3 times per 2 seconds (depends upon result speed).
> >
> > Does anybody have any suggestions for debugging this further?
> >
> > I don't have any "tls *" settings in my smb.conf, except the standard
> > cafile/certfile/keyfile.
>
> G'Day Kris,
>
> Can you let me know what Samba version you are running, and if you are
> using Samba 4.8 or later, try starting Samba with -M prefork.
>
> Samba 4.7 has a mode that creates a new samba process for each LDAP
> connection, which is great for parallelism but bad for performance if
> you run out of memory or have a high connect/disconnect load (say from
> simple bind authentication).
>
> My guess is the TLS thing is a red herring, a symptom of an
> unresponsive LDAP server due to high load.
>
> What load do you see on the server?  Is there anything else going on
> that could create a long-lived transaction on the DB, like a big user
> database, lots of writes and a second DC?
>
> I'm sorry I don't have an easy answer but this might give you some
> clues about where to start looking,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>