[Samba] TLS problems after 4.12 -> 4.14 update

vincent at cojot.name vincent at cojot.name
Mon Jun 7 15:08:40 UTC 2021


On Mon, 7 Jun 2021, L.P.H. van Belle via samba wrote:

> Yes, there is something going on with the latest RH/Centos version.

Do you mean RHEL8 or RHEL7.x (7.9 being the last RHEL7 minor release)?

> But I'm only into Debian and related. RH/Centos is not really my cookie..

100% understood.

>> (similar to RHEL7). Perhaps there might be something related to the
>> version of gnutls + compat-gnutls in el7.9 which no longer
>> works on 4.13+.
> This yes..

I'll be trying on RHEL8.4 VMs, I guess..

> I can give you 1 solution, move to the Debian camp ;-)

As much as I have an immense respect for the Debian project, am inspired 
by your (Louis) commitment to the community and like our interactions 
over source and patches, I have zero desire to switch to Debian: any 
knowledge gained there wouldn't be as useful to me in my field of 
activity. (This is my -personal- situation, not a general message).

Kindest Regards,

Vincent
>
>> -----Original message-----
>> From: vincent at cojot.name [mailto:vincent at cojot.name]
>> Sent: Monday 7 June 2021 14:24
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] TLS problems after 4.12 -> 4.14 update
>>
>>
>> Hi Louis,
>>
>> The SPNs were a different problem: I needed to add the
>> floating hostnames
>> for the VIPs between the cluster nodes (the clustered
>> fileservers) and I
>> now realize that I need to read up on ctdb.
>>
>> As for the TLS thing, nope, I didn't have 'tls priority' set
>> at all. Like
>> I said, I upgraded the two RHEL7.9 DCs (two small VMs, fully
>> updated) from
>> 4.12.15 to 4.14.5 with custom-built rpms of samba.
>>
>> I noticed last night that TranquilIT had been producing rpms
>> of samba 4.13
>> and 4.14 for Centos8 (similar to RHEL8) only and no longer
>> for Centos7
>> (similar to RHEL7). Perhaps there might be something related to the
>> version of gnutls + compat-gnutls in el7.9 which no longer
>> works on 4.13+.
>> Since they (TranquilIT) are supporting samba DC's in the field, they
>> probably have a lot more data than myself (I'm only doing this for a
>> household of 5).
>>
>> Thanks for the tip about using the FQDN, I hadn't thought of
>> that as I had
>> never needed to do that to obtain the cert.
>>
>> I'm going to be upgrading my build chains for 4.14.x to RHEL8
>> and I've
>> downgraded to 4.12.x while I research this issue.
>>
>> Thanks for reaching out,
>>
>> Vincent S. Cojot
>>
>>
>> On Mon, 7 Jun 2021, L.P.H. van Belle via samba wrote:
>>
>>>
>>> Since you're using/testing certificates, always use the FQDN of the server.
>>> Don't use : openssl s_client -showcerts -connect dc00:636
>>> Do use   : openssl s_client -showcerts -connect dc00.ad.lasthome.solace.krynn:636
>>>
>>>
>>> I also wonder, on that W10 VM, why you needed to add these SPNs.
>>> If the PC is domain joined, the SPN would be in there already.
>>> And only the HOST SPN added, which I also see in the domain joined PCs:
>>> RestrictedKrbHost/host.fqdn
>>> TERMSRV/host.fqdn
>>>
>>> The request is invalid.. Failed to set default priorities
>>> I suggest read this:
>>>
>> https://passingcuriosity.com/2021/diffie-hellman-short-primes-disable/
>>>
>>> Did you set in smb.conf the setting :  tls priority
>>> Where this is the smb.conf default: tls priority = NORMAL:-VERS-SSL3.0
>>>
>>> There you have examples how these are set (see also man smb.conf, search : tls priority)
>>> https://gnutls.org/manual/html_node/Priority-Strings.html
>>>
>>> And it's up to you to validate what you're using exactly.
>>> But most will be using or attempting to enforce TLSv1.2 since v1.1 and v1.0 are deprecated.
>>>
>>> And one more extra question
>>> Is this OS upgraded? If yes, verify the default configs of the system
>>> so that these are not still using outdated settings.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Vincent S. Cojot via samba
>>>> Sent: Sunday 6 June 2021 23:08
>>>> To: sambalist
>>>> Subject: [Samba] TLS problems after 4.12 -> 4.14 update
>>>>
>>>>
>>>> Hi everyone,
>>>>
>>>> I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just
>>>> noticed this:
>>>>
>>>> [2021/06/06 16:21:01.074696,  0]
>>>> ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
>>>>    _tstream_tls_accept_send: TLS
>>>> ../../source4/lib/tls/tls_tstream.c:1300 -
>>>> The request is invalid.. Failed to set default priorities
>>>>
>>>> I'm now unable to do the following successfully from either
>>>> RHEL7, RHEL8
>>>> or Fedora33:
>>>>
>>>> ----------------------------------------------
>>>> # openssl s_client -showcerts -connect dc00:636
>>>> CONNECTED(00000003)
>>>> 139945429780368:error:140790E5:SSL routines:ssl23_write:ssl
>>>> handshake failure:s23_lib.c:177:
>>>> ---
>>>> no peer certificate available
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 0 bytes and written 289 bytes
>>>> ---
>>>> ----------------------------------------------
>>>>
>>>> It seems similar to what some people have experienced on 4.13
>>>> (and this
>>>> makes sense because I mostly skipped 4.13xz and went from
>>>> 4.12 to 4.14)
>>>> https://lists.samba.org/archive/samba/2020-December/233594.html
>>>>
>>>> I've been using self-signed certs and a trusted intermediate
>>>> CA for my AD
>>>> DCs but I now wonder if I've run into an issue using RHEL7.9
>>>> for my DCs.
>>>>
>>>> My certs (on the DC itself) still verify fine:
>>>>
>>>> #  openssl verify -CAfile
>>>> /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
>>>> -untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
>>>> /var/lib/samba/private/tls/cert.pem
>>>> /var/lib/samba/private/tls/cert.pem: OK
>>>>
>>>> But it is the connection which doesn't seem to work anymore..
>>>> Does anyone
>>>> have any idea about what's going on? Andrew Bartlett said he wasn't
>>>> experiencing the issue on RHEL7 on amazon and I wonder if I
>>>> could make it
>>>> work in place on plain RHEL here..
>>>>
>>>> Any ideas, tips, workarounds? I first noticed this when
>>>> OpenShift started
>>>> being unable to auth my AD users after the update to 4.14.5
>>>> (for the two DCs).
>>>>
>>>> Win10 endpoints don't seem to care too much and I hope it will keep
>>>> working but I'm a little worried.
>>>>
>>>> Vincent
>>>>
>>>> ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,.
>>>> _.,-*~'`^`'~*-,
>>>> Vincent S. Cojot, Computer Engineering. STEP project.
>>>> _.,-*~'`^`'~*-,._.,-*~
>>>> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
>>>> _.,-*~'`^`'~*-,.
>>>> Linux Xview/OpenLook resources page
>>>> _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
>>>> http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._
>>>> coyote at NOSPAM4cojot.name
>>>>
>>>> They cannot scare me with their empty spaces
>>>> Between stars - on stars where no human race is
>>>> I have it in me so much nearer home
>>>> To scare myself with my own desert places.       - Robert Frost
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
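One way to carry out the two checks Louis recommends in the quoted mail (find the `tls priority` actually in effect and see whether it still leaves pre-TLS1.2 versions enabled, then handshake against the DC by its FQDN so hostname verification and SNI are exercised) is the script below. It is an added example written for this thread, not code from Samba or from either poster. The smb.conf fragment is constructed (the realm is the one appearing in the thread), the `-VERS-TLS1.0`/`-VERS-TLS1.1` hardening it suggests is the example's own choice, and `probe_ldaps` needs network access to a real DC.

```python
"""Check a Samba DC's 'tls priority' and probe its LDAPS endpoint.

Added example for this mailing-list thread; not Samba's code and not the
posters'.  The smb.conf text is constructed and the probe is only run
against a DC you supply.
"""
import re
import socket
import ssl

# Samba's documented default when 'tls priority' is absent (quoted in the thread).
DEFAULT_TLS_PRIORITY = "NORMAL:-VERS-SSL3.0"

# GnuTLS protocol keywords a DC should no longer offer (SSL3 and TLS 1.0/1.1).
LEGACY_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1")


def parse_tls_priority(smb_conf_text):
    """Return the effective 'tls priority' from smb.conf text.

    Only the [global] section is consulted; '#' and ';' comment lines are
    skipped.  Falls back to Samba's default when the parameter is not set.
    """
    section = "global"  # parameters before any header belong to [global]
    value = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "tls priority":
            value = val.strip()
    return value if value is not None else DEFAULT_TLS_PRIORITY


def priority_findings(priority):
    """List legacy protocol versions the priority string does not rule out.

    The check is lexical only: a version is 'explicitly enabled' when added
    with '+', and 'not explicitly disabled' when no '-VERS-...' / '!VERS-...'
    token removes it.  Whether NORMAL really offers it depends on the GnuTLS
    build and, on RHEL 8, the system crypto policy, so confirm with a real
    handshake (see probe_ldaps) rather than trusting the string alone.
    """
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    added = {t[1:] for t in tokens if t.startswith("+")}
    removed = {t[1:] for t in tokens if t[0] in "-!"}
    findings = []
    for ver in LEGACY_VERSIONS:
        if ver in added:
            findings.append(f"{ver} explicitly enabled")
        elif ver not in removed:
            findings.append(f"{ver} not explicitly disabled")
    return findings


def hardened_priority(priority):
    """Return the priority string with every legacy version explicitly removed."""
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    # Drop any '+VERS-...' that re-enables a legacy version, then append '-' tokens.
    kept = [t for t in tokens if not (t.startswith("+") and t[1:] in LEGACY_VERSIONS)]
    for ver in LEGACY_VERSIONS:
        if f"-{ver}" not in kept and f"!{ver}" not in kept:
            kept.append(f"-{ver}")
    return ":".join(kept)


def probe_ldaps(fqdn, port=636, timeout=5.0):
    """Handshake with the DC's LDAPS port the way a verifying client does.

    Uses the FQDN (as advised in the thread) both for SNI and for hostname
    verification against the system trust store.  Returns the negotiated
    protocol, cipher and certificate subject; raises ssl.SSLError when the
    handshake fails, as reported for 4.14 on RHEL 7.9 in the thread.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert["subject"])
            return tls.version(), tls.cipher()[0], subject


# Constructed smb.conf fragment shaped like the DC config discussed above.
SAMPLE_SMB_CONF = """
[global]
    realm = AD.LASTHOME.SOLACE.KRYNN
    server role = active directory domain controller
    tls enabled = yes
    # 'tls priority' deliberately left at Samba's default here
[sysvol]
    path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    current = parse_tls_priority(SAMPLE_SMB_CONF)
    print("effective tls priority:", current)
    for finding in priority_findings(current):
        print("  -", finding)
    print("suggested:", hardened_priority(current))
    # To test a live DC, supply its FQDN, e.g.:
    # print(probe_ldaps("dc00.ad.lasthome.solace.krynn"))
```

Run it against the real `/etc/samba/smb.conf` by reading the file into `parse_tls_priority`; the hardened string it prints is a starting point, and the GnuTLS priority-strings page Louis links is the reference for what each keyword does on the GnuTLS version actually installed.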


