[Samba] LDAP ssl issue on port 636
samba at 3eb.pl
Sat Jun 17 10:03:17 UTC 2017
Hello All,
We have an interesting issue.
When an application connects to the PDC on port 389 (without SSL), everything
works fine.
When we try to use SSL on port 636, we have an issue.
ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass
output: ldap_result: Can't contact LDAP server (-1)

ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass -Z
output: ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass -ZZ
output: ldap_start_tls: Can't contact LDAP server (-1)
openssl s_client -connect PDC:636
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=PDC.dc.local
i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=PDC.dc.local
---
Server certificate
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
subject=/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=PDC.dc.local
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=PDC.dc.local
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=PDC.dc.local
---
SSL handshake has read 2454 bytes and written 523 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2XXX9
Session-ID-ctx:
Master-Key: FXXX4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497693590
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
...
[global]
...
ldap ssl = start tls
ldap ssl ads = No
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = ca_and_name
Version: samba 4.6.5
Best regards,
Supporter 3eb
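Added example, not from the original post and not Samba's own tooling: a small POSIX shell helper that picks the ldapsearch transport matching the port (port 636 is LDAPS, TLS from the first byte, so it needs an ldaps:// URI; StartTLS with -Z/-ZZ is an extended operation for the plaintext port 389) and reads the openssl verify return code when the DC's certificate is checked against a given CA file. "PDC" and the CA file path are placeholders.

```shell
# ldap_tls_args PORT HOST -> the -H (and StartTLS) arguments for PORT.
# "-h PDC -p 636" without a URI sends plaintext LDAP to a TLS socket,
# which is why the client reports "Can't contact LDAP server (-1)".
ldap_tls_args() {
    port="$1"
    host="$2"
    case "$port" in
        636) printf '%s\n' "-H ldaps://$host:636" ;;
        389) printf '%s\n' "-H ldap://$host:389 -ZZ" ;;
        *)   printf 'port %s: use 389 (StartTLS) or 636 (LDAPS)\n' "$port" >&2
             return 1 ;;
    esac
}

# ldaps_verify_code HOST CAFILE -> the openssl "Verify return code" for
# the DC's LDAPS certificate checked against CAFILE. Without a CA, the
# Samba autogenerated chain gives 21 (the CA is not sent by the server);
# with the DC's tls/ca.pem copied locally, the expected result is 0.
# Needs network access to the DC, so it is not exercised offline.
ldaps_verify_code() {
    host="$1"
    cafile="$2"
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'
}

# Usage (placeholder host and CA path; -W prompts instead of -w pass):
#   export LDAPTLS_CACERT=/path/to/ca.pem
#   ldapsearch -x $(ldap_tls_args 636 PDC) \
#       -D "cn=user,ou=users,dc=dc,dc=local" -b "DC=dc,DC=local" -W
```

Because the same CA file is what ldapsearch needs (LDAPTLS_CACERT or TLS_CACERT in ldap.conf), a verify code of 0 from ldaps_verify_code is a good precondition check before blaming the DC.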