[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Nicolas Martinussen
nicolas.martinussen at joskin.com
Thu Oct 23 12:37:22 UTC 2025
Hello,
I have an issue with the way FortiEMS authenticates (which Fortinet won't revert).
Before, it was using 'sasl' authentication in the bind request, but now it's using 'NTLMSSP_NEGOTIATE', and it seems my Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
Is this an expected outcome, or should NTLMSSP_NEGOTIATE work?
Here are the error logs (at debug level):
[2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
messaging_dgm_ref: messaging_dgm_get_unique returned Success
[2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
messaging_dgm_ref: unique = 7718602353702169936
[2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:113(security_token_debug)
Security token SIDs (1):
SID[ 0]: S-1-5-7
Privileges (0x 0):
Rights (0x 0):
[2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
Initialising global parameters
[2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:331(max_open_files)
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)] ../../source4/dsdb/common/util.c:5785(dsdb_search)
dsdb_search: SUB flags=0x00000200 cn=Primary Domains (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1
[2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
[2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
msg_dgm_ref_destructor: refs=0x56413ff8f860
[2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
sigterm_signal_handler: Exiting pid 190027 on SIGTERM
[2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
msg_dgm_ref_destructor: refs=(nil)
Here is my config:
[global]
netbios name = DC-01
realm = AD.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
ad dc functional level = 2016
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes
interfaces = lo 192.168.102.66/22
# WINS
wins support = yes
dns proxy = yes
# WINS
# TLS
tls enabled = yes
tls keyfile = tls/dc-01.2023.key
tls certfile = tls/dc-01.2023.crt
tls cafile = tls/CA/MYDOMAIN.2023.crt
# TLS
ntlm auth = ntlmv1-permitted
lanman auth = yes
client lanman auth = yes
server min protocol = NT1
client min protocol = NT1
Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
Thank you in advance,
Nicolas Martinussen
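A separate caveat on the last five lines of the posted config, added here and not part of the original message: they re-enable NTLMv1, LanMan hashing and SMB1 for the whole DC, and nothing in the post connects them to the LDAP_PROTOCOL_ERROR. The fragment below is an added comparison (not a file to paste as-is, since it repeats keys) showing those lines beside Samba's shipped defaults for the same parameters. `ntlm auth` also governs NTLMSSP binds to LDAP, so if tightening it is what breaks FortiEMS, the capture would show the client sending an NTLMv1 response; `testparm -v` prints the effective value of every parameter for checking before and after.

```ini
# As posted: NTLMv1, LanMan and SMB1 all permitted
ntlm auth = ntlmv1-permitted
lanman auth = yes
client lanman auth = yes
server min protocol = NT1
client min protocol = NT1

# Samba defaults for the same parameters (equivalent to deleting the lines above)
ntlm auth = ntlmv2-only
lanman auth = no
client lanman auth = no
server min protocol = SMB2_02
client min protocol = SMB2_02
```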
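Added example (not part of the post, and not Samba or Fortinet code): the post contrasts a 'sasl' bind with an 'NTLMSSP_NEGOTIATE' bind, and the capture is where that difference is visible. An LDAP BindRequest carries its AuthenticationChoice as a context-specific BER tag: [0] simple and [3] sasl from RFC 4511, and the Microsoft-only Sicily choices [9]/[10]/[11] from MS-ADTS, where [10] carries a bare NTLMSSP NEGOTIATE message with no SASL or SPNEGO wrapper. The script below builds both shapes from constructed data (the NTLMSSP flag set and the empty bind name are assumptions) and decodes them, so the same `describe_bind` can be pointed at the bind request bytes pulled out of the capture to see which choice the client now sends. It says nothing about how Samba answers; the log above only shows the connection being terminated with LDAP_PROTOCOL_ERROR.

```python
"""Added example: decode which AuthenticationChoice an LDAP BindRequest uses
(RFC 4511 simple/sasl plus the MS-ADTS 'Sicily' NTLM choices) and whether an
NTLMSSP token is inside.  Hand-rolled BER, stdlib only; samples are constructed."""
import struct

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
AUTH_SASL, AUTH_SICILY_NEGOTIATE = 0xA3, 0x8A
AUTH_NAMES = {0x80: "simple", 0xA3: "sasl",            # RFC 4511 [0] and [3]
              0x89: "sicilyPackageDiscovery",          # MS-ADTS [9]
              0x8A: "sicilyNegotiate",                 # MS-ADTS [10], NTLMSSP NEGOTIATE
              0x8B: "sicilyResponse"}                  # MS-ADTS [11], NTLMSSP AUTHENTICATE
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# MS-NLMP NegotiateFlags; which ones a given client sets is an assumption here
NEG_UNICODE, NEG_OEM, NEG_REQUEST_TARGET, NEG_SIGN = 0x1, 0x2, 0x4, 0x10
NEG_NTLM, NEG_ALWAYS_SIGN, NEG_EXT_SESSIONSECURITY = 0x200, 0x8000, 0x80000
NEG_128, NEG_KEY_EXCH, NEG_56 = 0x20000000, 0x40000000, 0x80000000
DEFAULT_NEGOTIATE_FLAGS = (NEG_56 | NEG_KEY_EXCH | NEG_128 | NEG_EXT_SESSIONSECURITY
                           | NEG_ALWAYS_SIGN | NEG_NTLM | NEG_SIGN
                           | NEG_REQUEST_TARGET | NEG_OEM | NEG_UNICODE)

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    assert 0 <= v < 0x80, "one-byte INTEGER is enough for message ids and versions here"
    return tlv(TAG_INTEGER, bytes([v]))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def ntlmssp_negotiate(flags: int = DEFAULT_NEGOTIATE_FLAGS) -> bytes:
    """NTLMSSP NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1) with empty domain/workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 0) * 2

def bind_request(message_id: int, name: bytes, auth: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication } }."""
    bind = ber_int(3) + tlv(TAG_OCTET_STRING, name) + auth
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))

def sasl_gss_spnego_auth(ntlm_token: bytes) -> bytes:
    """[3] SaslCredentials { "GSS-SPNEGO", GSS InitialContextToken { SPNEGO OID,
    NegTokenInit { mechTypes [NTLMSSP OID], mechToken ntlm_token } } }."""
    mech_types = tlv(0xA0, tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_NTLMSSP)))
    mech_token = tlv(0xA2, tlv(TAG_OCTET_STRING, ntlm_token))
    neg_token_init = tlv(0xA0, tlv(TAG_SEQUENCE, mech_types + mech_token))
    gss_token = tlv(0x60, tlv(TAG_OID, OID_SPNEGO) + neg_token_init)
    return tlv(AUTH_SASL, tlv(TAG_OCTET_STRING, b"GSS-SPNEGO")
               + tlv(TAG_OCTET_STRING, gss_token))

def sicily_negotiate_auth(ntlm_token: bytes) -> bytes:
    """[10] sicilyNegotiate: the bare NTLMSSP NEGOTIATE token, no SASL/SPNEGO wrapper."""
    return tlv(AUTH_SICILY_NEGOTIATE, ntlm_token)

def describe_bind(msg: bytes) -> dict:
    """Summarise one LDAPMessage carrying a BindRequest: ids, name, auth choice, NTLMSSP."""
    tag, ldap_message, _ = read_tlv(msg)
    assert tag == TAG_SEQUENCE, "not an LDAPMessage"
    (t_id, message_id), (t_op, bind) = list(iter_tlvs(ldap_message))[:2]
    assert t_id == TAG_INTEGER and t_op == TAG_BIND_REQUEST, "not a BindRequest"
    (_, version), (_, name), (auth_tag, auth) = list(iter_tlvs(bind))[:3]
    info = {"message_id": int.from_bytes(message_id, "big"),
            "version": int.from_bytes(version, "big"), "name": name.decode(),
            "auth": AUTH_NAMES.get(auth_tag, f"unknown[{auth_tag:#x}]"),
            "mechanism": None, "ntlmssp": None}
    creds = auth
    if auth_tag == AUTH_SASL:                       # SaslCredentials: mechanism, credentials
        fields = list(iter_tlvs(auth))
        info["mechanism"] = fields[0][1].decode()
        creds = fields[1][1] if len(fields) > 1 else b""
    # Find the NTLMSSP token by its signature rather than fully parsing SPNEGO.
    i = creds.find(NTLMSSP_SIGNATURE)
    if i >= 0 and len(creds) >= i + 16:
        msg_type, flags = struct.unpack_from("<II", creds, i + 8)
        info["ntlmssp"] = {"type": NTLMSSP_TYPES.get(msg_type, msg_type), "flags": flags}
    return info

# Constructed samples: the SASL/GSS-SPNEGO shape and the Sicily NTLM shape.
NTLM_NEGOTIATE = ntlmssp_negotiate()
SAMPLE_SASL_BIND = bind_request(1, b"", sasl_gss_spnego_auth(NTLM_NEGOTIATE))
SAMPLE_SICILY_BIND = bind_request(1, b"", sicily_negotiate_auth(NTLM_NEGOTIATE))
```

Calling `describe_bind(SAMPLE_SASL_BIND)` reports auth "sasl" with mechanism "GSS-SPNEGO" and an NTLMSSP NEGOTIATE inside; `describe_bind(SAMPLE_SICILY_BIND)` reports auth "sicilyNegotiate" with no mechanism and the same NTLMSSP token bare. To use it on the capture, export the TCP payload of the client's bind request from Wireshark as raw bytes and pass that to `describe_bind`.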