So, I'm using Samba AD for user authentication by some web appliances, using LDAPS over port 636. I've been doing this for quite a while -- and my certificates and everything seem to check out.

But this week (and with one appliance -- my firewall), I'm finding that maybe 3/20 times the bind will fail for perhaps 10 seconds. During this time, the logs read (for each failure):

[2018/09/26 11:05:52.824630, 1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.

I've repointed authentication to a single server (instead of using DNS round robin that apparently didn't work -- different issue), and manually spammed auth tests, which is how I was able to grab the above errors. And by manually, that's by clicking the "test authentication" button, so no more than 3 times per 2 seconds (depends upon result speed).

Does anybody have any suggestions for debugging this further?

I don't have any "tls *" settings in my smb.conf, except the standard cafile/certfile/keyfile.

Thanks,

Kris Lou
klou at themusiclink.net
On Wed, 2018-09-26 at 11:33 -0700, Kris Lou via samba wrote:
> So, I'm using Samba AD for user authentication by some web appliances,
> using LDAPS over port 636. I've been doing this for quite a while -- and
> my certificates and everything seem to check out.
>
> But this week (and with one appliance -- my firewall), I'm finding that
> maybe 3/20 times the bind will fail for perhaps 10 seconds. During this
> time, the logs read (for each failure):
>
> [2018/09/26 11:05:52.824630, 1]
> ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
> TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been
> received.
>
> I've repointed authentication to a single server (instead of using DNS
> round robin that apparently didn't work -- different issue), and manually
> spammed auth tests, which is how I was able to grab the above errors. And
> by manually, that's by clicking the "test authentication" button, so no
> more than 3 times per 2 seconds (depends upon result speed).
>
> Does anybody have any suggestions for debugging this further?
>
> I don't have any "tls *" settings in my smb.conf, except the standard
> cafile/certfile/keyfile.

G'Day Kris,

Can you let me know what Samba version you are running, and if you are using Samba 4.8 or later, try starting Samba with -M prefork.

Samba 4.7 has a mode that creates a new samba process for each LDAP connection, which is great for parallelism but bad for performance if you run out of memory or have a high connect/disconnect load (say from simple bind authentication).

My guess is the TLS thing is a red herring, a symptom of an unresponsive LDAP server due to high load.

What load do you see on the server? Is there anything else going on that could create a long-lived transaction on the DB, like a big user database, lots of writes and a second DC?

I'm sorry I don't have an easy answer, but this might give you some clues about where to start looking.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
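Andrew's hypothesis above (the alerts cluster in bursts when the DC is briefly unresponsive, rather than being a certificate or cipher problem) is testable from the DC's own log. The following is an added example, not code from this thread, from Samba or from the pfSense project: it parses the two-line Samba debug entries for the tstream_tls_retry_handshake alert, groups alert timestamps into outage windows (a new window starts after a quiet gap, assumed here to be 5 seconds), reports each window's length, and optionally counts how many client-side bind attempts you noted fell inside a window, which turns "3/20 times for perhaps 10 seconds" into measured numbers you can line up against load, process count or write activity on the DC. The sample log text is constructed for the example; only the alert line format is taken from the thread, and the example non-alert entry uses a made-up file and function name.

```python
"""Added example: bucket Samba's "TLS fatal alert" log entries into outage
windows so an intermittent LDAPS bind failure can be measured instead of
guessed at.  The sample log lines below are constructed for this example;
only the alert line format comes from the mailing-list thread."""
import re
from datetime import datetime, timedelta

# Samba's debug log writes a header line, then the message indented on the
# next line.  Header: [YYYY/MM/DD HH:MM:SS.uuuuuu, level] file:line(function)
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+\S+\((\w+)\)"
)
ALERT_FUNC = "tstream_tls_retry_handshake"
ALERT_TEXT = "A TLS fatal alert has been received"
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_tls_alerts(log_text):
    """Return the timestamps of every TLS fatal-alert entry in log_text."""
    alerts = []
    pending = None  # header of the entry whose body line we have not seen yet
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m
            continue
        if pending is not None and pending.group(3) == ALERT_FUNC and ALERT_TEXT in line:
            alerts.append(datetime.strptime(pending.group(1), TS_FMT))
        pending = None
    return alerts


def cluster_outages(timestamps, gap=timedelta(seconds=5)):
    """Group alert timestamps into windows.  An alert within `gap` of the
    previous one extends the current window; otherwise a new window starts.
    Returns [(first_alert, last_alert, alert_count), ...]."""
    windows = []
    for ts in sorted(timestamps):
        if windows and ts - windows[-1][1] <= gap:
            start, _, n = windows[-1]
            windows[-1] = (start, ts, n + 1)
        else:
            windows.append((ts, ts, 1))
    return windows


def attempts_in_outages(attempt_times, windows, slack=timedelta(seconds=1)):
    """Count client-side bind attempts (timestamps you noted while clicking
    the appliance's test button) that fall inside a server-side alert window,
    allowing `slack` for clock skew.  Returns (hits, total)."""
    hits = 0
    for t in attempt_times:
        if any(start - slack <= t <= end + slack for start, end, _ in windows):
            hits += 1
    return hits, len(attempt_times)


# Constructed sample: three alerts within about 9 s (one outage), one isolated
# alert eight minutes later, and an unrelated entry the parser must skip.
SAMPLE_LOG = """\
[2018/09/26 11:05:52.824630,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:05:55.101000,  3] ../source4/example/example.c:1(example_function)
  constructed non-alert entry that the parser must skip
[2018/09/26 11:05:57.330000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:06:01.900000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2018/09/26 11:14:20.000000,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
"""


def summarize(log_text=SAMPLE_LOG, gap_seconds=5):
    """One dict per outage window: start, end, duration in seconds, alert count."""
    windows = cluster_outages(parse_tls_alerts(log_text), timedelta(seconds=gap_seconds))
    return [
        {"start": s, "end": e, "seconds": (e - s).total_seconds(), "alerts": n}
        for s, e, n in windows
    ]


if __name__ == "__main__":
    # Run against a real DC log with: summarize(open("/var/log/samba/log.samba").read())
    for w in summarize():
        print(f"{w['start']:%H:%M:%S}  +{w['seconds']:5.1f}s  {w['alerts']} alert(s)")
```

The gap threshold is the one knob worth tuning: set it a little larger than the appliance's retry interval so that one unresponsive spell shows up as one window rather than several. If the windows line up with spikes in the number of samba processes or with replication or write bursts on the DC, the TLS alert is the symptom Andrew describes; if they do not, and the same window shows no load at all, the client side (or something between it and the DC resetting the connection mid-handshake) becomes the better suspect.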
Hi Andrew,

Thanks for the response. I'm running 4.7.6, there are 3 DCs, but in my tests, I'm directly pointed at only 1. And the actual CPU/memory load is minimal -- ~4%/6GB free.

From the client side, I'm pretty sure my tests are PHP calling ldap_connect() <https://github.com/pfsense/pfsense/blob/157aff9e256aa235ba68ccc2168c61fc61e90072/src/etc/inc/auth.inc#L960>.

It's not the end of the world, and so far, it's the only appliance or application that's affected. Other tests with other web appliances don't exhibit the same issue, so I'm going to start pointing fingers there. This one just happened to crop up this week (and this week only).

Worst case scenario (if this doesn't work itself out ...), I change authentication from LDAPS to Radius.

Thanks,
-Kris

Kris Lou
klou at themusiclink.net