[Samba] Login to LDAP from new version FortiClientEMS

Programnet tomeks at programnet.eu
Tue Nov 5 15:18:39 UTC 2024


FortiClient does not use SMB, only LDAP.

pcap is on my Google Drive

https://drive.google.com/file/d/1GW-vSGratvQ2dOE-iGVPfj5w72ZBaUUR/view?usp=sharing


On 5.11.2024 at 15:38, Rowland Penny via samba wrote:
> On Tue, 5 Nov 2024 14:40:01 +0100
> Programnet via samba <samba at lists.samba.org> wrote:
>
>> On 2.11.2024 at 11:19, Rowland Penny via samba wrote:
>>> If your TLD is '.local', then I take it you missed that it is
>>> reserved for Bonjour and Avahi, so if Avahi is running on the DC,
>>> you should turn it off (and everywhere else in your domain).
>> I am aware of this. The domain was set up almost 20 years ago, at
>> that time some guides advised not to do anything on the public
>> domain, and now it is very difficult to change it.
> Fair enough, that would have been when Microsoft went through one of
> their 'stupid' periods and recommended '.local'.
>   
>>
>> I don't really understand what DNS configuration has to do with the
>> problem where when I log into ldap
> Again a fair comment, but if the DNS was wrong (which it doesn't appear
> to be), the DC might have been found.
>
>> using: sasl it works but when I
>> use: ntlmsspNegotiate LDAP drops the connection and the logs contain
>> the entry: [2024/11/05 14:19:11.121983, 3]
>> lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>> ldb_wrap open of secrets.ldb
>> [2024/11/05 14:19:11.122344, 3]
>> lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>> ldb_wrap open of secrets.ldb
>> [2024/11/05 14:19:11.123630, 3]
>> source4/samba/service_stream.c:67(stream_terminate_connection)
>> stream_terminate_connection: Terminating connection -
>> 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_RESET' [2024/11/05 14:19:11.124440, 3]
>> source4/samba/service_stream.c:67(stream_terminate_connection)
>> stream_terminate_connection: Terminating connection -
>> 'LDAP_PROTOCOL_ERROR'
> Could your forticlient program be using SMBv1 ???
>
> It would help if it was known just what ldap command was being used,
> any chance you could use wireshark to capture the conversation ?
>   
>>
>>> I don't use forticlient, but it seems there are various ways to
>>> connect to it, which variant are you using ?
>> ForticlientEMS supports only LDAP or LDAPS
> There are numerous ways to connect to AD. ldap & ldaps are only two of
> them, but which one of the two have you tried.
>
> While searching for info about forticlient, I found this:
>
> https://community.fortinet.com/t5/Support-Forum/Forti-Client-EMS-LDAP-SAMBA/td-p/329996
>
> It sounds like either Samba is not doing something that forticlient
> expects or Samba is doing something that forticlient isn't asking for.
>
> Either way, it looks like we are going to need that wireshark capture.
>
> Rowland
>
>
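The thread turns on reading the Samba `stream_terminate_connection` entries to tell a TCP reset from a protocol error on the LDAP bind. The following is an added example, not code from the thread or from the Samba project: a small parser for Samba's log layout (a `[timestamp, level] file:line(function)` header line followed by the message on the next line, which is how the quoted entries look once the mail wrapping is undone) that pulls out every connection termination and tallies them by their final status token. The sample log text is constructed to mirror the entries quoted above; run the same functions over a real `log.samba` at `log level = 3` to see which mechanism's binds are being dropped and why.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Samba's usual two-line layout (header, then message),
# modelled on the entries quoted in the thread. Not a real capture.
SAMPLE_LOG = """\
[2024/11/05 14:19:11.121983, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.122344, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.123630, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET'
[2024/11/05 14:19:11.124440, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
"""

# Header line: [YYYY/MM/DD HH:MM:SS.usec, level] path/file.c:line(function)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# The quoted reason inside a stream_terminate_connection message.
TERMINATE_RE = re.compile(r"Terminating connection - '(?P<reason>.*)'")


@dataclass
class LogEntry:
    timestamp: str
    level: int
    source_file: str
    source_line: int
    function: str
    message: str = ""


def parse_samba_log(text):
    """Group header lines with their following message lines into LogEntry objects."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], int(m["level"]), m["file"],
                                    int(m["line"]), m["func"]))
        elif entries:
            # Continuation lines (indented message text) belong to the last header.
            entries[-1].message = (entries[-1].message + " " + raw.strip()).strip()
        # Any text before the first header is ignored.
    return entries


def connection_terminations(entries):
    """Return (timestamp, reason) for every stream_terminate_connection event."""
    out = []
    for e in entries:
        if e.function != "stream_terminate_connection":
            continue
        m = TERMINATE_RE.search(e.message)
        out.append((e.timestamp, m["reason"] if m else e.message))
    return out


def termination_summary(entries):
    """Count terminations by the status token at the end of the reason string."""
    counts = Counter()
    for _, reason in connection_terminations(entries):
        # 'ldapsrv_call_loop: ... - NT_STATUS_CONNECTION_RESET' -> NT_STATUS_CONNECTION_RESET
        counts[reason.rsplit(" - ", 1)[-1].strip()] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    for ts, reason in connection_terminations(parsed):
        print(ts, reason)
    print(termination_summary(parsed))
```

A reset immediately followed by `LDAP_PROTOCOL_ERROR`, as in the quoted log, means the client closed the socket mid-exchange and Samba then failed to read a complete PDU; the pcap is what shows which bind request preceded the close.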
