[Samba] LDAP TLS error with 4.13

Johannes Engel jcnengel at gmail.com
Mon Dec 14 09:18:06 UTC 2020

Hi list,

Since this week my clients keep getting rejected when performing an LDAP
query via LDAPS (port 636) using one of my two DCs running Samba 4.13.2.

This is the log on the server side (log level 5) of such a failed attempt:
ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection -
'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'

Client says this:
me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP dc1.fq.dn:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip.dc1>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
<dump of hello packet>
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0

TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

The relevant portion of my DCs' smb.conf looks as follows:
        netbios name = DC1
        realm = FQ.DN
        server role = active directory domain controller
        server services = -dns
        workgroup = ICINTERN
        dns forwarder = my.provider.dns
        smb ports = 445

        ntlm auth = mschapv2-and-ntlmv2-only

        tls enabled = yes
        tls keyfile = tls/dc1.key
        tls certfile = tls/dc2020.pem
        tls cafile = tls/myca.pem

Any ideas what might be behind this?
Thanks a lot in advance.

Best regards
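The client trace above ends with `tls_read: want=5, got=0`: the TCP connection succeeds, but the server closes it before sending a single TLS record, which is how the server-side `tstream_tls_accept` failure looks from the outside. The following probe is an added example, not code from the post or from Samba, that reproduces that classification so the symptom can be told apart from a certificate or cipher problem; `probe_ldaps` and `start_closing_listener` are hypothetical names, and the listener is a constructed stand-in for the failing DC.

```python
import socket
import ssl
import threading


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Attempt a TLS handshake against an LDAPS port and classify the result.

    'closed_after_hello' matches the ldapsearch trace above: TCP connects,
    then the server drops the link before sending any TLS record
    (tls_read: want=5, got=0), i.e. the accept failed on the server side.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:              # no CA supplied: test the handshake only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok:" + tls.version()
    except ssl.SSLCertVerificationError:
        return "cert_error"         # handshake ran; the trust chain is the problem
    except (ssl.SSLEOFError, ConnectionResetError):
        return "closed_after_hello"
    except ssl.SSLError as exc:     # older Pythons report the EOF as a plain SSLError
        return "closed_after_hello" if "EOF" in str(exc) else "tls_error"
    finally:
        raw.close()


def start_closing_listener():
    """Constructed stand-in for the failing DC: accept TCP, read the
    ClientHello, close without answering. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real DC, `probe_ldaps("dc1.fq.dn", cafile="tls/myca.pem")` returns `ok:TLSv1.x` once the server-side priority problem is fixed, and `cert_error` if only the trust chain is wrong.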
