[Samba] TLS problems after 4.12 -> 4.14 update

vincent at cojot.name vincent at cojot.name
Sun Jun 6 21:07:53 UTC 2021


Hi everyone,

I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just 
noticed this:

[2021/06/06 16:21:01.074696,  0] 
../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
   _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities

I'm now unable to do the following successfully from either RHEL7, RHEL8 
or Fedora33:

----------------------------------------------
# openssl s_client -showcerts -connect dc00:636
CONNECTED(00000003)
139945429780368:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
----------------------------------------------

It seems similar to what some people have experienced on 4.13 (and this 
makes sense because I mostly skipped 4.13.x and went from 4.12 to 4.14):
https://lists.samba.org/archive/samba/2020-December/233594.html

I've been using self-signed certs and a trusted intermediate CA for my AD 
DCs, but I now wonder if I've run into an issue using RHEL7.9 for my DCs.

My certs (on the DC itself) still verify fine:

#  openssl verify -CAfile /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
-untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
/var/lib/samba/private/tls/cert.pem
/var/lib/samba/private/tls/cert.pem: OK

But it is the connection which doesn't seem to work anymore. Does anyone 
have any idea about what's going on? Andrew Bartlett said he wasn't 
experiencing the issue on RHEL7 on Amazon, and I wonder if I could make it 
work in place on plain RHEL here.

Any ideas, tips, workarounds? I first noticed this when OpenShift started 
being unable to auth my AD users after the update to 4.14.5 (for the two DCs).

Win10 endpoints don't seem to care too much, and I hope it will keep 
working, but I'm a little worried.

Vincent

,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.       - Robert Frost
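The two checks the post runs by hand (a log search for the "Failed to set default priorities" message and a TLS handshake against the LDAPS port) as an added example, not code from the post or from Samba; the host name, CA file path and the constructed sample log lines are assumptions.

```python
"""Health check for a Samba AD DC LDAPS listener, plus a matcher for the
TLS priority failure logged by source4/lib/tls/tls_tstream.c."""
import re
import socket
import ssl

# The message text is taken from the log entry quoted in the post; the
# regex tolerates the source path and line number changing between versions.
PRIORITY_FAIL_RE = re.compile(
    r"_tstream_tls_accept_send: TLS .*tls_tstream\.c:\d+ - .*"
    r"Failed to set default priorities")

# Constructed sample log lines: one matching entry, two unrelated entries.
SAMPLE_LOG = [
    "[2021/06/06 16:21:01.074696,  0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)",
    "  _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - "
    "The request is invalid.. Failed to set default priorities",
    "[2021/06/06 16:21:05.000000,  3] ../../source4/smbd/service_stream.c:66(stream_terminate_connection)",
    "  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'",
]


def find_priority_failures(log_lines):
    """Return the log lines reporting a rejected TLS priority string."""
    return [line for line in log_lines if PRIORITY_FAIL_RE.search(line)]


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Attempt a TLS handshake to host:port and classify the outcome.

    Returns (status, detail); status is 'ok', 'verify_failed',
    'handshake_failed' or 'connect_failed'.  A DC that rejects its own
    priority string aborts before ServerHello, which lands here as
    'handshake_failed', distinct from a chain/trust problem."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message
    except ssl.SSLError as exc:
        return "handshake_failed", exc.reason or str(exc)
    except OSError as exc:
        return "connect_failed", str(exc)


if __name__ == "__main__":
    for hit in find_priority_failures(SAMPLE_LOG):
        print("priority failure:", hit.strip())
    # Assumed DC name and CA bundle path; adjust for the environment.
    print(check_ldaps("dc00", cafile="/etc/pki/ca-trust/source/anchors/KrynnCA.pem"))
```

Run it against each DC after an upgrade: a 'handshake_failed' result paired with a hit in the DC log points at the TLS priority configuration rather than at the certificate chain.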