[Samba] LDAP TLS error with 4.13
Johannes Engel
jcnengel at gmail.com
Mon Dec 14 09:18:06 UTC 2020
Hi list,

since this week my clients keep getting rejected when performing an LDAP
query via LDAPS (port 636) using one of my two DCs running Samba 4.13.2.
This is the log on the server side (log level 5) of such a failed attempt:

ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection -
'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'

The client says this:

me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
ldap_url_parse_ext(ldaps://dc1.fq.dn)
ldap_create
ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.fq.dn:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip.dc1>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
<dump of hello packet>
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

The relevant portion of my DCs' smb.conf looks as follows:

[global]
netbios name = DC1
realm = FQ.DN
server role = active directory domain controller
server services = -dns
workgroup = ICINTERN
dns forwarder = my.provider.dns
smb ports = 445
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = tls/dc1.key
tls certfile = tls/dc2020.pem
tls cafile = tls/myca.pem

Any ideas what might be behind this?

Thanks a lot in advance.

Best regards
Johannes