[Samba] A record packet with illegal version was received.
Shem Pasamba
shemgp at aiias.edu
Tue Mar 18 02:19:24 MDT 2014

Hello,
I'm having a problem with using TLS in samba 4.1.4. When I try to
connect to LDAP of samba 4 there is an error in the logs, which is:
[2014/03/18 15:34:12.631262, 1]
../source4/lib/tls/tls_tstream.c:1338(tstream_tls_retry_handshake)
TLS ../source4/lib/tls/tls_tstream.c:1338 - A record packet with
illegal version was received.
Here's the PHP script that tries to connect to the samba 4:

<?php
$ldap = "samba.domain.com";
$usr  = "test@domain.com";
$pwd  = "s3cr3t";

$ds = ldap_connect($ldap);
// libldap debug output is a library-wide option, hence the NULL handle
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

$ldapbind = false;
// LDAPv3 is required for STARTTLS; referral chasing is turned off for AD
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)
    && ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)
    && ldap_start_tls($ds)) {
    $ldapbind = ldap_bind($ds, $usr, $pwd);
}

if (!$ldapbind) {
    echo "ERROR: ";
    echo ldap_error($ds);
    echo " (" . ldap_errno($ds) . ")";
} else {
    echo "OK";
}
ldap_close($ds);

And the error from that script is:
ERROR: Connect error (-11)
Here's my smb.conf:

# Global parameters
[global]
        workgroup = DOMAIN
        realm = domain.com
        netbios name = SAMBA
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

        # Debug logging information
        log level = 1
        log file = /var/log/samba4/samba.log
        max log size = 50
        debug timestamp = yes

        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

[netlogon]
        path = /usr/local/AD/samba/var/locks/sysvol/domain.com/scripts
        read only = No

[sysvol]
        path = /usr/local/AD/samba/var/locks/sysvol
        read only = No

[v01]
        read only = No
        path = vol1

When I run: openssl verify /usr/local/AD/samba/private/tls/cert.pem the
output is:
/usr/local/AD/samba/private/tls/cert.pem: O = Samba Administration, OU =
Samba - temporary autogenerated certificate, CN = SAMBA.domain.com
error 18 at 0 depth lookup:self signed certificate
OK
When I run: openssl s_client -showcerts -connect localhost:636 the
output is:
CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated
certificate, CN = SAMBA.domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated
certificate, CN = SAMBA.domain.com
verify return:1
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated
certificate/CN=SAMBA.domain.com
i:/O=Samba Administration/OU=Samba - temporary autogenerated
certificate/CN=SAMBA.domain.com
-----BEGIN CERTIFICATE-----
fdsfsdfds
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Samba Administration/OU=Samba - temporary autogenerated
certificate/CN=SAMBA.domain.com
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated
certificate/CN=SAMBA.domain.com
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated
certificate/CN=SAMBA.domain.com
---
SSL handshake has read 1399 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
711C801E823B0F0D57841D52E4634B16914F52378126885FEFD06345164B1679
Session-ID-ctx:
Master-Key:
8FC1B924DEDC1402E2F58B7CA445F9F322593089719263FE544C85D3D28EDC9E7A21A6C5768A3AB8E5A95391B2B0E6FD
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1395130353
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
In this forum thread:
http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
it says that I should set TLS_REQCERT to never, but that is for OpenLDAP.
How do I do this in samba 4?
Thanks for your help.
Shem Pasamba
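The TLS_REQCERT setting mentioned above lives on the LDAP client, not in smb.conf. As an added example (not from the original post or from Samba), here is the same STARTTLS bind written so that PHP pins the CA that issued the Samba certificate and still demands verification, instead of switching it off; it also reads the libldap diagnostic message, which carries the real TLS reason behind "Connect error (-11)". It assumes PHP 7.1 or later (for LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_DIAGNOSTIC_MESSAGE) and a hypothetical client-side copy of the server's tls/ca.pem at /etc/ssl/samba-ca.pem.

```php
<?php
// Added example: client-side equivalent of TLS_REQCERT for PHP's ldap
// extension. Trust only the Samba-generated CA and require a valid chain.
// Assumptions: PHP >= 7.1; /etc/ssl/samba-ca.pem is a hypothetical path
// holding a copy of the DC's tls/ca.pem.

function ldap_starttls_bind(string $host, string $user, string $pwd, string $caFile): array
{
    $ds = ldap_connect("ldap://$host");   // STARTTLS runs on the plain port (389)
    if ($ds === false) {
        return [false, "ldap_connect: malformed URI"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Pin the issuing CA and demand that the server chain validates against it.
    // This is the safe opposite of TLS_REQCERT never: a self-signed DC cert
    // is accepted only because its own CA file is trusted explicitly.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if (!@ldap_start_tls($ds)) {
        // ldap_error() only says "Connect error"; the diagnostic message holds
        // the underlying TLS failure (e.g. certificate verify failed).
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg = sprintf("STARTTLS failed: %s (%d) %s",
                       ldap_error($ds), ldap_errno($ds), (string) $diag);
        ldap_close($ds);
        return [false, $msg];
    }

    $ok  = @ldap_bind($ds, $user, $pwd);
    $msg = $ok ? "OK"
               : sprintf("bind failed: %s (%d)", ldap_error($ds), ldap_errno($ds));
    ldap_close($ds);
    return [$ok, $msg];
}

// Same host and UPN as in the post above; the CA path is an assumption.
[$ok, $msg] = ldap_starttls_bind("samba.domain.com", "test@domain.com",
                                 "s3cr3t", "/etc/ssl/samba-ca.pem");
echo $msg, PHP_EOL;
```

If the diagnostic message reports a verification failure, the CA file on the client does not match the cert Samba is serving; if STARTTLS is being sent to port 636 (which already speaks TLS), the server side logs exactly the "record packet with illegal version" message shown above.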