[Samba] LDAP TLS error with 4.13
Johannes Engel
jcnengel+samba at gmail.com
Mon Dec 14 15:53:22 UTC 2020
Dear both,
thanks a lot for your swift replies!
Unfortunately changing the OS of my two DCs at short notice is not an easy
option for me. I will see if that changes things mid-term.
LDAP with Kerberos instead of TLS/SSL works, unfortunately some of my
endpoints do not support this (yet). :(
Is there a way to debug this, e.g. by analyzing the crypt string triggering
the error on GNUTLS side?
Best regards
Johannes
On Mon, 14 Dec 2020 at 10:59, Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 14/12/2020 09:18, Johannes Engel via samba wrote:
> > Hi list,
> >
> > since this week my clients keep getting rejected when performing an LDAP
> > query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
> >
> > This is the log on server side (log level 5) of such a failed attempt:
> > ldb_wrap open of secrets.ldb
> > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > The request is invalid.. Failed to set default priorities
> > stream_terminate_connection: Terminating connection -
> > 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid
> argument'
> >
> > Client says this:
> > me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> > ldap_url_parse_ext(ldaps://dc1.fq.dn)
> > ldap_create
> > ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> > ldap_pvt_sasl_getmech
> > ldap_search
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP dc1.fq.dn:636
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying <ip.dc1>:636
> > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > attempting to connect:
> > connect success
> > TLS trace: SSL_connect:before SSL initialization
> > tls_write: want=293, written=293
> > <dump of hello packet>
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > tls_read: want=5, got=0
> >
> > TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> > TLS: can't connect: .
> > ldap_msgfree
> > ldap_err2string
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >
> > The relevant portion of my DCs' smb.conf looks as follows:
> > [global]
> > netbios name = DC1
> > realm = FQ.DN
> > server role = active directory domain controller
> > server services = -dns
> > workgroup = ICINTERN
> > dns forwarder = my.provider.dns
> > smb ports = 445
> >
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > tls enabled = yes
> > tls keyfile = tls/dc1.key
> > tls certfile = tls/dc2020.pem
> > tls cafile = tls/myca.pem
> >
> > Any ideas what might be behind this?
> > Thanks a lot in advance.
> >
> > Best regards
> > Johannes
>
> Try the search without the 's' i.e. ldapsearch -H ldap://dc1.fq.dn -d3
>
> Rowland
>
>
>
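As an added diagnostic for the question above (this script is not from the thread or from Samba itself): Samba passes its smb.conf `tls priority` string (default `NORMAL:-VERS-SSL3.0`) to GnuTLS when it sets up the LDAPS listener, and "Failed to set default priorities" is what the server logs when GnuTLS rejects that string. The script reads the effective string from a constructed smb.conf fragment and asks the local GnuTLS, via gnutls-cli, whether it accepts it; the sample config, its path and the presence of gnutls-cli are assumptions.

```shell
#!/bin/sh
# Added example: validate the GnuTLS priority string Samba will use for LDAPS.
# Documented default of the "tls priority" smb.conf parameter.
SAMBA_DEFAULT_TLS_PRIORITY="NORMAL:-VERS-SSL3.0"

# Print the "tls priority" value from an smb.conf (last one wins, trailing
# whitespace stripped), or Samba's default when the parameter is not set.
samba_tls_priority() {
    val=$(sed -n \
      's/^[[:space:]]*tls[[:space:]]*priority[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
      "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$SAMBA_DEFAULT_TLS_PRIORITY"
    fi
}

# Ask the local GnuTLS to resolve the string: "gnutls-cli --list --priority STR"
# prints the ciphersuites it yields and exits non-zero if the string is rejected
# (unknown keyword, or a keyword newer than the installed GnuTLS).
# Returns 2 when gnutls-cli is not installed.
check_priority_with_gnutls() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    gnutls-cli --list --priority "$1" >/dev/null 2>&1
}

# Constructed smb.conf fragment (assumption), mirroring the thread's [global]
# section with an explicit tls priority line so the parser has one to find.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
	realm = FQ.DN
	tls enabled = yes
	tls keyfile = tls/dc1.key
	tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0
EOF

prio=$(samba_tls_priority "$SAMPLE_CONF")
printf 'Effective tls priority: %s\n' "$prio"
check_priority_with_gnutls "$prio"; rc=$?
case $rc in
    0) echo "local GnuTLS accepts this priority string" ;;
    2) echo "gnutls-cli not installed; cannot validate against local GnuTLS" ;;
    *) echo "local GnuTLS rejects this string (exit $rc): matches 'Failed to set default priorities'" ;;
esac
rm -f "$SAMPLE_CONF"
```

Running the same check on the DC itself, with the DC's real smb.conf path, tells you whether the installed GnuTLS can parse the configured string before you look anywhere else.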