[Samba] LDAP TLS error with 4.13

Johannes Engel jcnengel+samba at gmail.com
Tue Dec 15 10:44:06 UTC 2020


Hi Andrew,

sorry, I got you wrong then. :)
I am running openSUSE Leap 15.2 on both machines with GnuTLS 3.6.15. As you
recommended, I dug a little deeper and found out the following:
libgnutls can be configured using a file which for openSUSE is located in
/etc/crypto-policies/back-ends/gnutls.config; upstream default is
/etc/gnutls/config though.
In my installation, this file did not exist, hence I created it with some
default string:
[priorities]
SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

With this named config, Samba LDAP access works again.
This led me to the conclusion that "@SYSTEM" is mentioned as the default
policy while no configuration file defining it is delivered with the
package, causing the named error. I could confirm this with the package change
log in OBS and will follow up with the maintainer of GnuTLS there.

Thanks a lot for your help. If this helps someone in the future, even
better. :)

Best regards
Johannes

Am Mo., 14. Dez. 2020 um 19:06 Uhr schrieb Andrew Bartlett <
abartlet at samba.org>:

> I don't suggest changing the OS as a first measure, what I was trying
> to hint at is that you should look into how GnuTLS default priorities
> work and the system-wide files that are being used, eg from FIPS mode
> and other global policies.
>
> Double-check the smb.conf "tls priority", we have some control over
> GnuTLS there too, but I think this is most probably due to the global
> policy files.
>
> What is your host OS and what is your GnuTLS version?
>
> Andrew Bartlett
>
> On Mon, 2020-12-14 at 16:53 +0100, Johannes Engel via samba wrote:
> > Dear both,
> >
> > thanks a lot for your swift replies!
> > Unfortunately changing the OS of my two DCs at short notice is not an
> > easy
> > option for me. I will see if that changes things mid-term.
> > LDAP with Kerberos instead of TLS/SSL works, unfortunately some of my
> > endpoints do not support this (yet). :(
> > Is there a way to debug this, e.g. by analyzing the crypt string
> > triggering
> > the error on GNUTLS side?
> >
> > Best regards
> > Johannes
> >
> > Am Mo., 14. Dez. 2020 um 10:59 Uhr schrieb Rowland penny via samba <
> > samba at lists.samba.org>:
> >
> > > On 14/12/2020 09:18, Johannes Engel via samba wrote:
> > > > Hi list,
> > > >
> > > > since this week my clients keep getting rejected when performing
> > > > an LDAP
> > > > query via LDAPS (port 636) using one of my two DCs running samba
> > > > 4.13.2.
> > > >
> > > > This is the log on server side (log level 5) of such a failed
> > > > attempt:
> > > > ldb_wrap open of secrets.ldb
> > > > _tstream_tls_accept_send: TLS
> > > > ../../source4/lib/tls/tls_tstream.c:1300 -
> > > > The request is invalid.. Failed to set default priorities
> > > > stream_terminate_connection: Terminating connection -
> > > > 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
> > > > Client says this:
> > > > me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> > > > ldap_url_parse_ext(ldaps://dc1.fq.dn)
> > > > ldap_create
> > > > ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> > > > ldap_pvt_sasl_getmech
> > > > ldap_search
> > > > put_filter: "(objectclass=*)"
> > > > put_filter: simple
> > > > put_simple_filter: "objectclass=*"
> > > > ldap_send_initial_request
> > > > ldap_new_connection 1 1 0
> > > > ldap_int_open_connection
> > > > ldap_connect_to_host: TCP dc1.fq.dn:636
> > > > ldap_new_socket: 3
> > > > ldap_prepare_socket: 3
> > > > ldap_connect_to_host: Trying <ip.dc1>:636
> > > > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > > > attempting to connect:
> > > > connect success
> > > > TLS trace: SSL_connect:before SSL initialization
> > > > tls_write: want=293, written=293
> > > > <dump of hello packet>
> > > > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > > > tls_read: want=5, got=0
> > > >
> > > > TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> > > > TLS: can't connect: .
> > > > ldap_msgfree
> > > > ldap_err2string
> > > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> > > >
> > > > The relevant portion of my DCs' smb.conf looks as follows:
> > > > [global]
> > > >          netbios name = DC1
> > > >          realm = FQ.DN
> > > >          server role = active directory domain controller
> > > >          server services = -dns
> > > >          workgroup = ICINTERN
> > > >          dns forwarder = my.provider.dns
> > > >          smb ports = 445
> > > >
> > > >          ntlm auth = mschapv2-and-ntlmv2-only
> > > >
> > > >          tls enabled = yes
> > > >          tls keyfile = tls/dc1.key
> > > >          tls certfile = tls/dc2020.pem
> > > >          tls cafile = tls/myca.pem
> > > >
> > > > Any ideas what might be behind this?
> > > > Thanks a lot in advance.
> > > >
> > > > Best regards
> > > > Johannes
> > >
> > > Try the search without the 's' i.e. ldapsearch -H ldap://dc1.fq.dn
> > > -d3
> > >
> > > Rowland
> > >
> > >
> > >
> > >
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
>
>

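The root cause Johannes describes is a GnuTLS priority string that references "@SYSTEM" while no [priorities] section defines it, so GnuTLS rejects the string with "The request is invalid" before any TLS session is set up. The following checker is an added example written for this thread, not code from Samba or GnuTLS: it parses a GnuTLS config file in the format shown above and reports any "@NAME" references in a Samba "tls priority" string that the config does not resolve. The sample config text is constructed here; the fallback interpretation of "@NAME1,NAME2" (first defined name wins) follows the GnuTLS priority-string documentation and is an assumption of this example.

```python
import re
import sys

# Constructed sample, in the format of /etc/gnutls/config (upstream) or
# /etc/crypto-policies/back-ends/gnutls.config (openSUSE) as described above.
SAMPLE_CONFIG = """\
# GnuTLS system-wide configuration (constructed example)
[priorities]
SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
LEGACY = NORMAL:+VERS-TLS1.0
"""


def parse_gnutls_priorities(text: str) -> dict[str, str]:
    """Return NAME -> priority string for every entry of the [priorities] section."""
    priorities: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "priorities" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            priorities[name.upper()] = value
    return priorities


def unresolved_references(tls_priority: str, config_text: str) -> list[str]:
    """List the '@...' tokens in tls_priority that the config cannot satisfy.

    A token such as '@SYSTEM,NORMAL' is treated as a fallback list (assumption:
    it resolves if any listed name is defined); a plain 'NORMAL:-VERS-SSL3.0'
    references nothing and therefore never fails this check.
    """
    defined = parse_gnutls_priorities(config_text)
    unresolved = []
    for match in re.finditer(r"@([A-Za-z0-9_,]+)", tls_priority):
        alternatives = [n.upper() for n in match.group(1).split(",") if n]
        if not any(name in defined for name in alternatives):
            unresolved.append(match.group(0))
    return unresolved


if __name__ == "__main__":
    # Usage: check_gnutls_priority.py <gnutls config path> <samba tls priority>
    path, priority = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        missing = unresolved_references(priority, fh.read())
    print("OK" if not missing else f"undefined in {path}: {', '.join(missing)}")
```

With an empty or absent config and a "tls priority" of "@SYSTEM" the checker reports "@SYSTEM" as undefined, which is exactly the situation behind the "Failed to set default priorities" log line in the original report.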
