[Samba] Login to LDAP from new version FortiClientEMS

Rowland Penny rpenny at samba.org
Tue Nov 5 14:38:56 UTC 2024


On Tue, 5 Nov 2024 14:40:01 +0100
Programnet via samba <samba at lists.samba.org> wrote:

> 
> W dniu 2.11.2024 o 11:19, Rowland Penny via samba pisze:
> >
> > If your TLD is '.local', then I take it you missed that it is
> > reserved for Bonjour and Avahi, so if Avahi is running on the DC,
> > you should turn it off (and everywhere else in your domain).
> 
> I am aware of this. The domain was set up almost 20 years ago, at
> that time some guides advised not to do anything on the public
> domain, and now it is very difficult to change it.

Fair enough, that would have been when Microsoft went through one of
their 'stupid' periods and recommended '.local'.

> 
> I don't really understand what DNS configuration has to do with the 
> problem where when I log into ldap 

Again a fair comment, but if the DNS was wrong (which it doesn't appear
to be), the DC might have been found.

> using: sasl it works but when I
> use: ntlmsspNegotiate LDAP drops the connection and the logs contain
> the entry:
> [2024/11/05 14:19:11.121983, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2024/11/05 14:19:11.122344, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2024/11/05 14:19:11.123630, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
>   stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET'
> [2024/11/05 14:19:11.124440, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
>   stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'

Could your forticlient program be using SMBv1 ???

It would help if it was known just what ldap command was being used,
any chance you could use wireshark to capture the conversation ?

> 
> > I don't use forticlient, but it seems there are various ways to
> > connect to it, which variant are you using ?
> 
> ForticlientEMS supports only LDAP or LDAPS

There are numerous ways to connect to AD. ldap & ldaps are only two of
them, but which one of the two have you tried?

While searching for info about forticlient, I found this:

https://community.fortinet.com/t5/Support-Forum/Forti-Client-EMS-LDAP-SAMBA/td-p/329996

It sounds like either Samba is not doing something that forticlient
expects or Samba is doing something that forticlient isn't asking for.

Either way, it looks like we are going to need that wireshark capture.

Rowland
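As an added example (not part of this thread, and not Samba's or Fortinet's own code), here is a small Python parser for Samba debug-log entries of the shape quoted above: a `[date time, level]` header, a `file.c:line(function)` location, then the message, possibly wrapped across lines or fused onto one line by mail software. It separates the entries, pulls out every `stream_terminate_connection` reason, and counts them, which is the first triage step before reaching for the Wireshark capture Rowland asks for. The sample log is constructed from the entries quoted in the thread; the log-line format is assumed from those entries only.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Start of a Samba debug header: "[2024/11/05 14:19:11.121983, 3]"
HEADER_START = r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+, \d+\]"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\]\s*(?P<rest>.*)$",
    re.S,
)
# Source location that follows the header: "lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)"
LOCATION_RE = re.compile(r"^(?P<file>[\w./-]+\.c):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$")
# Reason string inside a stream_terminate_connection message
TERMINATE_RE = re.compile(r"Terminating connection - '(?P<reason>[^']*)'")


@dataclass
class Entry:
    timestamp: str
    level: int
    location: str
    message: str


def iter_chunks(text):
    """Yield one raw chunk per log entry.

    Splitting on a lookahead for the header lets entries that were fused
    onto a single line (as happens when a log is pasted into mail) still
    come apart cleanly.
    """
    for chunk in re.split(f"(?={HEADER_START})", text):
        chunk = chunk.strip()
        if chunk:
            yield chunk


def parse_samba_log(text):
    """Parse Samba debug output into Entry records (header + location + message)."""
    entries = []
    for chunk in iter_chunks(text):
        m = HEADER_RE.match(chunk)
        if not m:
            continue  # text before the first header, or not a Samba entry
        # Collapse wrapped lines and indentation into single spaces.
        rest = " ".join(m.group("rest").split())
        location = ""
        loc = LOCATION_RE.match(rest)
        if loc:
            location = f"{loc.group('file')}:{loc.group('line')}({loc.group('func')})"
            rest = loc.group("rest")
        entries.append(Entry(m.group("ts"), int(m.group("level")), location, rest))
    return entries


def terminations(entries):
    """Return (timestamp, reason) for every terminated-connection entry."""
    out = []
    for e in entries:
        m = TERMINATE_RE.search(e.message)
        if m:
            out.append((e.timestamp, m.group("reason")))
    return out


def summarize(entries):
    """Count termination reasons, so a noisy log reduces to a few buckets."""
    return Counter(reason for _, reason in terminations(entries))


# Constructed sample, built from the entries quoted in the thread. The third
# entry deliberately has the next header fused onto its line, as in the mail.
SAMPLE_LOG = """\
[2024/11/05 14:19:11.121983, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.122344, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.123630, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET' [2024/11/05 14:19:11.124440, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
"""

if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    for ts, reason in terminations(parsed):
        print(f"{ts}  {reason}")
    for reason, n in summarize(parsed).items():
        print(f"{n:3d}  {reason}")
```

Feeding a real log through `parse_samba_log` and looking at the timestamps of the two reasons tells you which side gave up first: `NT_STATUS_CONNECTION_RESET` from `tstream_read_pdu_blob_recv()` means the peer reset the TCP connection while Samba was still reading a PDU, while `LDAP_PROTOCOL_ERROR` means Samba itself rejected what it received. Either way the packet capture is what shows the actual bind request, but the log triage narrows what to look for in it.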