[Samba] Forcibly disabling connection attempts to port 389?

Peter Eriksson pen at lysator.liu.se
Mon Jan 10 09:24:44 UTC 2022

We recently discovered an annoying problem where it seems that Samba often first attempts to connect to LDAP port 389 before switching to port 636 (SSL-LDAP) when talking to AD servers. This is normally not a big issue since the AD server has the port blocked/disabled. However we currently have an issue with a FortiGate firewall that for some unknown reason decided to start running a “SYN-proxy” on that port for one of the AD servers…

This has the effect of causing clients that try to connect to port 389/tcp on that AD server to “see” an accepted TCP session until it times out a number of seconds/minutes later instead of a quick reject. This causes Samba to regularly take a long time to accept user authentications if it happens to choose to bind to that server.

For the moment I've “fixed” that by adding machine-local firewall rules that block outgoing TCP connection attempts to that specific AD server, but I was wondering if there perhaps could be some better way to solve this - like having some option in Samba to forcibly stop attempting to connect to port 389 and just use 636 (ssl-ldap)? Or switch it so it first attempts 636 and then if that fails falls back to 636?

- Peter

More information about the samba mailing list