[Samba] LDAP TLS error with 4.13

Andrew Bartlett abartlet at samba.org
Mon Dec 14 18:06:06 UTC 2020


I don't suggest changing the OS as a first measure; what I was trying
to hint at is that you should look into how GnuTLS default priorities
work and the system-wide files that are being used, e.g. from FIPS mode
and other global policies.

Double-check the smb.conf "tls priority", we have some control over
GnuTLS there too, but I think this is most probably due to the global
policy files.

What is your host OS and what is your GnuTLS version?

Andrew Bartlett

On Mon, 2020-12-14 at 16:53 +0100, Johannes Engel via samba wrote:
> Dear both,
> 
> thanks a lot for your swift replies!
> Unfortunately changing the OS of my two DCs at short notice is not an
> easy option for me. I will see if that changes things mid-term.
> LDAP with Kerberos instead of TLS/SSL works; unfortunately some of my
> endpoints do not support this (yet). :(
> Is there a way to debug this, e.g. by analyzing the crypt string
> triggering the error on GNUTLS side?
> 
> Best regards
> Johannes
> 
> Am Mo., 14. Dez. 2020 um 10:59 Uhr schrieb Rowland penny via samba <
> samba at lists.samba.org>:
> 
> > On 14/12/2020 09:18, Johannes Engel via samba wrote:
> > > Hi list,
> > > 
> > > since this week my clients keep getting rejected when performing
> > > an LDAP query via LDAPS (port 636) using one of my two DCs running
> > > samba 4.13.2.
> > > 
> > > This is the log on server side (log level 5) of such a failed
> > > attempt:
> > > ldb_wrap open of secrets.ldb
> > > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > > The request is invalid.. Failed to set default priorities
> > > stream_terminate_connection: Terminating connection -
> > > 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
> > > Client says this:
> > > me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> > > ldap_url_parse_ext(ldaps://dc1.fq.dn)
> > > ldap_create
> > > ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> > > ldap_pvt_sasl_getmech
> > > ldap_search
> > > put_filter: "(objectclass=*)"
> > > put_filter: simple
> > > put_simple_filter: "objectclass=*"
> > > ldap_send_initial_request
> > > ldap_new_connection 1 1 0
> > > ldap_int_open_connection
> > > ldap_connect_to_host: TCP dc1.fq.dn:636
> > > ldap_new_socket: 3
> > > ldap_prepare_socket: 3
> > > ldap_connect_to_host: Trying <ip.dc1>:636
> > > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > > attempting to connect:
> > > connect success
> > > TLS trace: SSL_connect:before SSL initialization
> > > tls_write: want=293, written=293
> > > <dump of hello packet>
> > > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > > tls_read: want=5, got=0
> > > 
> > > TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> > > TLS: can't connect: .
> > > ldap_msgfree
> > > ldap_err2string
> > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> > > 
> > > The relevant portion of my DCs' smb.conf looks as follows:
> > > [global]
> > >          netbios name = DC1
> > >          realm = FQ.DN
> > >          server role = active directory domain controller
> > >          server services = -dns
> > >          workgroup = ICINTERN
> > >          dns forwarder = my.provider.dns
> > >          smb ports = 445
> > > 
> > >          ntlm auth = mschapv2-and-ntlmv2-only
> > > 
> > >          tls enabled = yes
> > >          tls keyfile = tls/dc1.key
> > >          tls certfile = tls/dc2020.pem
> > >          tls cafile = tls/myca.pem
> > > 
> > > Any ideas what might be behind this?
> > > Thanks a lot in advance.
> > > 
> > > Best regards
> > > Johannes
> > 
> > Try the search without the 's', i.e. ldapsearch -H ldap://dc1.fq.dn -d3
> > 
> > Rowland
> > 
> > 
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
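
A practical follow-up to the pointers above, added here as an example and not code from this thread, from Samba or from GnuTLS: a small POSIX shell script that pulls the "tls priority" value out of an smb.conf (falling back to Samba's documented default, NORMAL:-VERS-SSL3.0, when the parameter is absent), asks gnutls-cli whether GnuTLS accepts that string, and prints the system-wide GnuTLS policy inputs that can override it. "Failed to set default priorities" is Samba reporting that GnuTLS rejected the priority it was handed, so checking the string with GnuTLS itself, on the DC, is the quickest way to see whether smb.conf or the global policy is at fault. The policy file paths and the update-crypto-policies and fips-mode-setup tools are assumptions about Fedora/RHEL-style systems with GnuTLS 3.6.9 or later; other distributions may keep them elsewhere or not ship them at all.

```shell
#!/bin/sh
# Added example, not from the Samba thread or the Samba sources.
# Checks the GnuTLS priority string a Samba DC hands to
# gnutls_priority_init() and shows the system-wide policy that can
# override it, which is what "Failed to set default priorities" points at.

# Print the "tls priority" value from an smb.conf, or Samba's documented
# default (NORMAL:-VERS-SSL3.0) when the parameter is not set.
# Assumption: the key is spelled exactly "tls priority"; Samba's own parser
# also accepts other case/spacing, so 'testparm -s -v' is authoritative.
samba_tls_priority() {
    prio=$(sed -n 's/^[[:space:]]*tls priority[[:space:]]*=[[:space:]]*//p' "$1" \
           | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$prio" ] || prio='NORMAL:-VERS-SSL3.0'
    printf '%s\n' "$prio"
}

# Let GnuTLS parse the string the same way Samba will.
# Returns 0 if accepted, 1 if GnuTLS rejects it, 2 if gnutls-cli is missing.
check_priority() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    if gnutls-cli --list --priority "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Show the system-wide GnuTLS policy inputs. Paths and tools are assumptions
# about Fedora/RHEL-style crypto-policies and GnuTLS >= 3.6.9 defaults.
show_system_policy() {
    for f in /etc/gnutls/config /etc/crypto-policies/back-ends/gnutls.config; do
        if [ -r "$f" ]; then
            echo "== $f"
            grep -v '^[[:space:]]*#' "$f" || true
        fi
    done
    command -v update-crypto-policies >/dev/null 2>&1 && update-crypto-policies --show
    command -v fips-mode-setup >/dev/null 2>&1 && fips-mode-setup --check
    return 0
}

# Usage: sh check_tls_priority.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    prio=$(samba_tls_priority "$1")
    echo "smb.conf tls priority: $prio"
    rc=0
    check_priority "$prio" || rc=$?
    case $rc in
        0) echo "GnuTLS accepts this priority string" ;;
        1) echo "GnuTLS rejects this string; see: gnutls-cli --list --priority '$prio'" ;;
        2) echo "gnutls-cli not installed; cannot validate the string here" ;;
    esac
    show_system_policy
fi
```

Run it on the DC that fails, not on a client: the policy files and the GnuTLS build that matter are the ones Samba is linked against. If the string is accepted in isolation but the DC still logs "Failed to set default priorities", the remaining suspects are the system-wide policy (a FIPS or restrictive profile can make an otherwise valid NORMAL-based string unsatisfiable) and the certificate or key files, which GnuTLS loads before the priority is applied.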