[Samba] LDAP TLS error with 4.13

Johannes Engel jcnengel+samba at gmail.com
Mon Dec 14 15:53:22 UTC 2020


Dear both,

thanks a lot for your swift replies!
Unfortunately changing the OS of my two DCs at short notice is not an easy
option for me. I will see if that changes things mid-term.
LDAP with Kerberos instead of TLS/SSL works; unfortunately some of my
endpoints do not support this (yet). :(
Is there a way to debug this, e.g. by analyzing the crypt string triggering
the error on the GNUTLS side?

Best regards
Johannes

On Mon, 14 Dec 2020 at 10:59, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 14/12/2020 09:18, Johannes Engel via samba wrote:
> > Hi list,
> >
> > since this week my clients keep getting rejected when performing an LDAP
> > query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
> >
> > This is the log on server side (log level 5) of such a failed attempt:
> > ldb_wrap open of secrets.ldb
> > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > The request is invalid.. Failed to set default priorities
> > stream_terminate_connection: Terminating connection -
> > 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid
> > argument'
> >
> > Client says this:
> > me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> > ldap_url_parse_ext(ldaps://dc1.fq.dn)
> > ldap_create
> > ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> > ldap_pvt_sasl_getmech
> > ldap_search
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP dc1.fq.dn:636
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying <ip.dc1>:636
> > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > attempting to connect:
> > connect success
> > TLS trace: SSL_connect:before SSL initialization
> > tls_write: want=293, written=293
> > <dump of hello packet>
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > tls_read: want=5, got=0
> >
> > TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> > TLS: can't connect: .
> > ldap_msgfree
> > ldap_err2string
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >
> > The relevant portion of my DCs' smb.conf looks as follows:
> > [global]
> >          netbios name = DC1
> >          realm = FQ.DN
> >          server role = active directory domain controller
> >          server services = -dns
> >          workgroup = ICINTERN
> >          dns forwarder = my.provider.dns
> >          smb ports = 445
> >
> >          ntlm auth = mschapv2-and-ntlmv2-only
> >
> >          tls enabled = yes
> >          tls keyfile = tls/dc1.key
> >          tls certfile = tls/dc2020.pem
> >          tls cafile = tls/myca.pem
> >
> > Any ideas what might be behind this?
> > Thanks a lot in advance.
> >
> > Best regards
> > Johannes
>
> Try the search without the 's' i.e. ldapsearch -H ldap://dc1.fq.dn -d3
>
> Rowland
>

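An added triage helper for the failure described in this thread (written for this page, not code from the thread or from the Samba project). It assumes that the server-side message "Failed to set default priorities" refers to the GnuTLS priority string Samba takes from the smb.conf `tls priority` parameter, whose documented default is `NORMAL:-VERS-SSL3.0`; the sample log lines and config below are constructed from the quoted post.

```python
import re

# Constructed sample: the server-side signature quoted in the thread (log level 5)
# plus one unrelated line, to show that only the TLS accept failure is counted.
SAMPLE_LOG = """\
ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
""".splitlines()

# Constructed sample modelled on the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
        realm = FQ.DN
        server role = active directory domain controller
        tls enabled = yes
        tls keyfile = tls/dc1.key
        tls certfile = tls/dc2020.pem
        tls cafile = tls/myca.pem
"""

ACCEPT_FAIL = re.compile(r"_tstream_tls_accept_send: TLS .*Failed to set default priorities")

def global_tls_settings(smb_conf):
    """Return the 'tls ...' keys of [global], lower-cased and whitespace-normalised."""
    tls, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = " ".join(key.split()).lower()
        if sep and section == "global" and key.startswith("tls "):
            tls[key] = value.strip()
    # Documented smb.conf(5) default when 'tls priority' is not set explicitly.
    tls.setdefault("tls priority", "NORMAL:-VERS-SSL3.0")
    return tls

def diagnose(log_lines, smb_conf):
    """Correlate log and config: is TLS on, which priority string is handed to
    GnuTLS, and how many TLS accepts failed while setting priorities?"""
    settings = global_tls_settings(smb_conf)
    failures = sum(1 for line in log_lines if ACCEPT_FAIL.search(line))
    # 'tls enabled' defaults to yes on an AD DC per smb.conf(5).
    return {"tls_enabled": settings.get("tls enabled", "yes").lower() in ("yes", "true", "1"),
            "priority_string": settings["tls priority"],
            "priority_failures": failures}
```

The reported priority string is the one to hand to `gnutls-cli --priority` on the DC itself to see whether the installed GnuTLS accepts it.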
