[Samba] TLS problems after 4.12 -> 4.14 update

L.P.H. van Belle belle at bazuin.nl
Mon Jun 7 14:43:28 UTC 2021


Yes, there is something going on on the latest RH/CentOS version.
But I'm only into Debian and related. RH/CentOS is not really my cookie..

> (similar to RHEL7). Perhaps there might be something related to the 
> version of gnutls + compat-gnutls in el7.9 which no longer 
> works on 4.13+. 
This yes.. 

I can give you one solution: move to the Debian camp ;-) 


Greetz, 

Louis



> -----Original message-----
> From: vincent at cojot.name [mailto:vincent at cojot.name] 
> Sent: Monday, 7 June 2021 14:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] TLS problems after 4.12 -> 4.14 update
> 
> 
> Hi Louis,
> 
> The SPNs were a different problem: I needed to add the floating hostnames
> for the VIPs between the cluster nodes (the clustered fileservers) and I
> now realize that I need to read up on ctdb.
> 
> As for the TLS thing, nope, I didn't have 'tls priority' set at all. Like
> I said, I upgraded the two RHEL7.9 DCs (two small VMs, fully updated) from
> 4.12.15 to 4.14.5 with custom-built rpms of samba.
> 
> I noticed last night that TranquilIT had been producing rpms of samba 4.13
> and 4.14 for Centos8 (similar to RHEL8) only and no longer for Centos7
> (similar to RHEL7). Perhaps there might be something related to the
> version of gnutls + compat-gnutls in el7.9 which no longer works on 4.13+.
> Since they (TranquilIT) are supporting samba DCs in the field, they
> probably have a lot more data than myself (I'm only doing this for a
> household of 5).
> 
> Thanks for the tip about using the FQDN, I hadn't thought of that as I had
> never needed to do that to obtain the cert.
> 
> I'm going to be upgrading my build chains for 4.14.x to RHEL8 and I've
> downgraded to 4.12.x while I research this issue.
> 
> Thanks for reaching out,
> 
> Vincent S. Cojot
> 
> 
> On Mon, 7 Jun 2021, L.P.H. van Belle via samba wrote:
> 
> >
> > Since you're using/testing certificates, always use the FQDN of the server.
> > Don't use : openssl s_client -showcerts -connect dc00:636
> > Do use    : openssl s_client -showcerts -connect dc00.ad.lasthome.solace.krynn:636
> >
> >
> > I also wonder, on that W10 VM, why you needed to add these SPNs.
> > If the PC is domain joined, the SPNs would be in there already.
> > Only the HOST SPN is added; what I also see on the domain-joined PCs is:
> > RestrictedKrbHost/host.fqdn
> > TERMSRV/host.fqdn
> >
> > The request is invalid.. Failed to set default priorities
> > I suggest reading this:
> > https://passingcuriosity.com/2021/diffie-hellman-short-primes-disable/
> >
> > Did you set the setting 'tls priority' in smb.conf?
> > This is the smb.conf default: tls priority = NORMAL:-VERS-SSL3.0
> >
> > There you have examples of how these are set (see also man smb.conf, search: tls priority):
> > https://gnutls.org/manual/html_node/Priority-Strings.html
> >
> > And it's up to you to validate what you're using exactly.
> > But most will be using or attempting to enforce TLSv1.2, since v1.1 and v1.0 are deprecated.
> >
> > And one more extra question:
> > Is this OS upgraded? If yes, verify the default configs of the system,
> > so that these are not still in/using outdated settings.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Vincent S. Cojot via samba
> >> Sent: Sunday, 6 June 2021 23:08
> >> To: sambalist
> >> Subject: [Samba] TLS problems after 4.12 -> 4.14 update
> >>
> >>
> >> Hi everyone,
> >>
> >> I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just
> >> noticed this:
> >>
> >> [2021/06/06 16:21:01.074696,  0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> >>   _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
> >>
> >> I'm now unable to do the following successfully from either RHEL7, RHEL8
> >> or Fedora33:
> >>
> >> ----------------------------------------------
> >> # openssl s_client -showcerts -connect dc00:636
> >> CONNECTED(00000003)
> >> 139945429780368:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> >> ---
> >> no peer certificate available
> >> ---
> >> No client certificate CA names sent
> >> ---
> >> SSL handshake has read 0 bytes and written 289 bytes
> >> ---
> >> ----------------------------------------------
> >>
> >> It seems similar to what some people have experienced on 4.13 (and this
> >> makes sense because I mostly skipped 4.13.x and went from 4.12 to 4.14):
> >> https://lists.samba.org/archive/samba/2020-December/233594.html
> >>
> >> I've been using self-signed certs and a trusted intermediate CA for my AD
> >> DCs but I now wonder if I've run into an issue using RHEL7.9 for my DCs.
> >>
> >> My certs (on the DC itself) still verify fine:
> >>
> >> # openssl verify -CAfile /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
> >>   -untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
> >>   /var/lib/samba/private/tls/cert.pem
> >> /var/lib/samba/private/tls/cert.pem: OK
> >>
> >> But it is the connection which doesn't seem to work anymore.. Does anyone
> >> have any idea about what's going on? Andrew Bartlett said he wasn't
> >> experiencing the issue on RHEL7 on amazon and I wonder if I could make it
> >> work in place on plain RHEL here..
> >>
> >> Any ideas, tips, workarounds? I first noticed this when OpenShift started
> >> being unable to auth my AD users after the update to 4.14.5 (for the two DCs).
> >>
> >> Win10 endpoints don't seem to care too much and I hope it will keep
> >> working, but I'm a little worried.
> >>
> >> Vincent
> >>
> >> Vincent S. Cojot, Computer Engineering. STEP project.
> >> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
> >> Linux Xview/OpenLook resources page
> >> http://step.polymtl.ca/~coyote
> >> coyote at NOSPAM4cojot.name
> >>
> >> They cannot scare me with their empty spaces
> >> Between stars - on stars where no human race is
> >> I have it in me so much nearer home
> >> To scare myself with my own desert places.       - Robert Frost
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
> >
> 
> 

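Louis's pointer to the smb.conf 'tls priority' setting and Vincent's log excerpt, turned into a small audit script. This is an added example, not code from Samba or from either poster. It assumes an INI-style smb.conf with a [global] section, the default of NORMAL:-VERS-SSL3.0 quoted in the thread, and the two-line header/message log layout shown in Vincent's mail; the sample smb.conf and log lines are constructed for the example, and the hardened priority string is one possible value, not a recommendation from the thread.

```python
"""Audit a Samba DC's GnuTLS 'tls priority' setting and flag the priority
failure quoted in this thread.  Added example, not Samba's own code.

Assumptions: smb.conf is INI-style with a [global] section; the default
'tls priority' is NORMAL:-VERS-SSL3.0 (as stated in the thread); Samba log
entries are a '[date, level] source' header line followed by an indented
message line.  All sample data below is constructed for the example."""
import re
from typing import Dict, List

DEFAULT_TLS_PRIORITY = "NORMAL:-VERS-SSL3.0"   # smb.conf default quoted in the thread
LEGACY_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1")  # versions the thread calls deprecated

# Samba log header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)"
LOG_HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<src>\S+)"
)
PRIORITY_FAILURE = "Failed to set default priorities"


def tls_priority_from_smb_conf(conf_text: str) -> str:
    """Return the [global] 'tls priority' value, or the default when unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "tls priority":
                return value
    return DEFAULT_TLS_PRIORITY


def audit_tls_priority(priority: str) -> Dict[str, object]:
    """Split a GnuTLS priority string into its base keyword and the protocol
    versions it explicitly enables (+VERS-x) or disables (-VERS-x / !VERS-x).
    A legacy version is reported unless it is disabled by name or via
    -VERS-ALL; versions the string never mentions are left to the base
    keyword, which is what the default NORMAL:-VERS-SSL3.0 does for TLS 1.0/1.1."""
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    base = tokens[0] if tokens and tokens[0][0] not in "+-!%" else ""
    disabled = {t[6:] for t in tokens if t.startswith(("-VERS-", "!VERS-"))}
    enabled = {t[6:] for t in tokens if t.startswith("+VERS-")}
    all_off = "ALL" in disabled
    findings = []
    for version in LEGACY_VERSIONS:
        if version in enabled:
            findings.append(f"{version} explicitly enabled")
        elif version not in disabled and not all_off:
            findings.append(f"{version} not explicitly disabled "
                            f"(inherited from {base or 'base keyword'})")
    return {"base": base, "disabled": sorted(disabled),
            "enabled": sorted(enabled), "findings": findings}


def find_tls_priority_failures(log_lines: List[str]) -> List[Dict[str, str]]:
    """Pair each log header with its following message line and return the
    entries that report the GnuTLS priority failure from the TLS accept path."""
    hits, header = [], None
    for line in log_lines:
        m = LOG_HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        if header and PRIORITY_FAILURE in line:
            hits.append({**header, "message": line.strip()})
        header = None                            # one message line per header
    return hits


# --- constructed samples (not from a real system) ---------------------------
SMB_CONF_DEFAULT = """\
[global]
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    tls enabled = yes
    ; 'tls priority' left unset on purpose: Samba's default applies
[sysvol]
    path = /var/lib/samba/sysvol
"""
SMB_CONF_HARDENED = SMB_CONF_DEFAULT.replace(
    "    tls enabled = yes",
    "    tls enabled = yes\n    tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1",
)
SAMPLE_LOG = [  # modelled on the log excerpt quoted in the thread
    "[2021/06/06 16:21:01.074696,  0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)",
    "  _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - "
    "The request is invalid.. Failed to set default priorities",
    "[2021/06/06 16:21:02.000000,  3] ../../example/placeholder.c:1(example_fn)",
    "  example_fn: unrelated entry that must not match",
]

if __name__ == "__main__":
    for label, conf in (("default", SMB_CONF_DEFAULT), ("hardened", SMB_CONF_HARDENED)):
        prio = tls_priority_from_smb_conf(conf)
        print(f"{label}: tls priority = {prio}")
        for finding in audit_tls_priority(prio)["findings"]:
            print("  -", finding)
    for hit in find_tls_priority_failures(SAMPLE_LOG):
        print(f"{hit['ts']} level {hit['level']} {hit['src']}: {hit['message']}")
```

Run it against a copy of the DC's smb.conf and log.samba to see which protocol versions the configured priority string leaves to the GnuTLS base keyword, and whether the accept path has logged the same "Failed to set default priorities" error; the audit only reads the string and does not evaluate it the way the installed GnuTLS library does, so the definitive check remains an openssl s_client connection to the DC's FQDN as Louis suggests.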


