[Samba] LDAP TLS error with 4.13

Rowland penny rpenny at samba.org
Mon Dec 14 09:58:34 UTC 2020


On 14/12/2020 09:18, Johannes Engel via samba wrote:
> Hi list,
>
> since this week my clients keep getting rejected when performing an LDAP
> query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
>
> This is the log on server side (log level 5) of such a failed attempt:
> ldb_wrap open of secrets.ldb
> _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> The request is invalid.. Failed to set default priorities
> stream_terminate_connection: Terminating connection -
> 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
>
> Client says this:
> me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> ldap_url_parse_ext(ldaps://dc1.fq.dn)
> ldap_create
> ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP dc1.fq.dn:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying <ip.dc1>:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before SSL initialization
> tls_write: want=293, written=293
> <dump of hello packet>
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> tls_read: want=5, got=0
>
> TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> TLS: can't connect: .
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> The relevant portion of my DCs' smb.conf looks as follows:
> [global]
>          netbios name = DC1
>          realm = FQ.DN
>          server role = active directory domain controller
>          server services = -dns
>          workgroup = ICINTERN
>          dns forwarder = my.provider.dns
>          smb ports = 445
>
>          ntlm auth = mschapv2-and-ntlmv2-only
>
>          tls enabled = yes
>          tls keyfile = tls/dc1.key
>          tls certfile = tls/dc2020.pem
>          tls cafile = tls/myca.pem
>
> Any ideas what might be behind this?
> Thanks a lot in advance.
>
> Best regards
> Johannes

Try the search without the 's', i.e. ldapsearch -H ldap://dc1.fq.dn -d3

Rowland
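The thread stops at Rowland's suggestion, so here is a small triage helper, added as an example and not code from either poster or from the Samba project, that encodes what the two traces already show: the client reaches port 636 and writes its ClientHello, then reads zero bytes, while the server log records a TLS accept failure at "Failed to set default priorities". It parses both traces (constructed samples copied from the quoted output) and the quoted [global] section, classifies the failure, and lists which tls * parameters are set. The function names, the failure classes, and the reading that "set default priorities" refers to the point where Samba hands its GnuTLS priority string (the `tls priority` smb.conf option) to GnuTLS are my assumptions, not something the thread states.

```python
import re

# Constructed samples, copied from the traces quoted in the thread and
# trimmed to the lines the helper inspects.
CLIENT_TRACE = """\
ldap_connect_to_host: TCP dc1.fq.dn:636
ldap_connect_to_host: Trying <ip.dc1>:636
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
"""

SERVER_LOG = """\
ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
"""

SMB_CONF = """\
[global]
        netbios name = DC1
        realm = FQ.DN
        server role = active directory domain controller
        tls enabled = yes
        tls keyfile = tls/dc1.key
        tls certfile = tls/dc2020.pem
        tls cafile = tls/myca.pem
"""


def parse_client_trace(text):
    """Extract the handshake milestones from an `ldapsearch -d3` trace."""
    hello = re.search(r"tls_write: want=(\d+), written=(\d+)", text)
    got = re.search(r"tls_read: want=\d+, got=(\d+)", text)
    return {
        # TCP connect completed, so routing and firewalling are not the issue
        "tcp_connected": "connect success" in text,
        # the whole ClientHello went out on the wire
        "client_hello_sent": bool(hello) and hello.group(1) == hello.group(2),
        # bytes the server sent back before closing (0 = closed immediately)
        "server_bytes": int(got.group(1)) if got else None,
    }


def parse_server_log(text):
    """Extract the TLS accept failure details from a Samba log (log level 5)."""
    errno_match = re.search(r"tstream_tls_accept_recv\(\) - (\d+):", text)
    return {
        # Samba could not apply its GnuTLS priority string (assumption)
        "priority_failed": "Failed to set default priorities" in text,
        "accept_errno": int(errno_match.group(1)) if errno_match else None,
    }


def diagnose(client, server):
    """Map the two parsed traces onto a single failure class (hypothetical names)."""
    if not client["tcp_connected"]:
        return "tcp_unreachable"           # port closed, firewall, wrong host
    if client["client_hello_sent"] and client["server_bytes"] == 0:
        if server["priority_failed"]:
            # the server rejected its own TLS setup before answering the
            # ClientHello: review the tls * settings in smb.conf
            return "server_tls_setup"
        return "server_closed_handshake"   # server hung up, cause not in log
    return "unknown"


def check_tls_settings(conf):
    """Collect the tls * parameters from [global] and flag omissions."""
    tls, in_global = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().startswith("tls "):
                tls[key.strip()] = value.strip()
    warnings = []
    if tls.get("tls enabled", "yes").lower() == "yes":   # Samba default is yes
        for needed in ("tls keyfile", "tls certfile", "tls cafile"):
            if needed not in tls:
                warnings.append(f"{needed} not set")
        if "tls priority" not in tls:
            warnings.append("tls priority not set, Samba's built-in default applies")
    return tls, warnings


if __name__ == "__main__":
    client = parse_client_trace(CLIENT_TRACE)
    server = parse_server_log(SERVER_LOG)
    print("diagnosis:", diagnose(client, server))
    settings, notes = check_tls_settings(SMB_CONF)
    print("tls settings:", settings)
    for note in notes:
        print("note:", note)
```

Run it against your own `ldapsearch -d3` output and the DC's log; a plain `ldap://` search succeeding while the classifier reports `server_tls_setup` confirms that LDAP itself is healthy and only the server's TLS initialisation needs attention.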
