[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request

Rowland Penny rpenny at samba.org
Thu Oct 23 14:05:18 UTC 2025


On Thu, 23 Oct 2025 12:37:22 +0000
Nicolas Martinussen via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have an issue with the way FortiEMS authenticates (which Fortinet
> won't revert back). Before, it was using 'sasl' authentication at the
> bind request but now, it's using 'NTLMSSP_NEGOTIATE' and it seems my
> Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
> 
> Is it an expected outcome or should NTLMSSP_NEGOTIATE work ?

Yes it should, it is the first stage in the protocol negotiation.

> 
> Here are the error logs (in debug) :
> [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0,
> 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
> messaging_dgm_ref: messaging_dgm_get_unique returned Success
> [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0,
> 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
> messaging_dgm_ref: unique = 7718602353702169936 [2025/10/23
> 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../libcli/security/security_token.c:113(security_token_debug)
> Security token SIDs (1): SID[  0]: S-1-5-7 Privileges (0x
>   0): Rights (0x               0): [2025/10/23 13:12:05.356147,  3,
> pid=190027, effective(0, 0), real(0, 0)]
> ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
> Initialising global parameters [2025/10/23 13:12:05.356174,  2,
> pid=190027, effective(0, 0), real(0, 0)]
> ../../source3/param/loadparm.c:331(max_open_files) rlimit_max:
> increasing rlimit_max (1024) to minimum Windows limit (16384)
> [2025/10/23 13:12:05.356259,  3, pid=190027, effective(0, 0), real(0,
> 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb [2025/10/23 13:12:05.356407, 10,
> pid=190027, effective(0, 0), real(0, 0)]

> ../../source4/dsdb/common/util.c:5785(dsdb_search) dsdb_search: SUB
> flags=0x00000200 cn=Primary Domains
> (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1 

This appears to be searching in 'secrets.ldb' and failing, any idea
what the search command is ?


> [2025/10/23
> 13:12:05.359625,  3, pid=190027, effective(0, 0), real(0, 0)]
> ../../source4/samba/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection -
> 'LDAP_PROTOCOL_ERROR' [2025/10/23 13:12:05.359745, 10, pid=190027,
> effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> msg_dgm_ref_destructor: refs=0x56413ff8f860 [2025/10/23
> 13:12:07.278532,  3, pid=190027, effective(0, 0), real(0, 0)]
> ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
> sigterm_signal_handler: Exiting pid 190027 on SIGTERM [2025/10/23
> 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> msg_dgm_ref_destructor: refs=(nil)
> 
> Here is my config :
> [global]
>         netbios name = DC-01
>         realm = AD.MYDOMAIN.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         ad dc functional level = 2016
>         workgroup = MYDOMAIN
>         idmap_ldb:use rfc2307 = yes
>         bind interfaces only = yes
>         interfaces = lo 192.168.102.66/22
> 
>         # WINS
>         wins support = yes
>         dns proxy = yes
>         # WINS

Why 'WINS' ? Your clients should be using DNS, not NetBIOS.

> 
>         # TLS
>         tls enabled  = yes
>         tls keyfile  = tls/dc-01.2023.key
>         tls certfile = tls/dc-01.2023.crt
>         tls cafile   = tls/CA/MYDOMAIN.2023.crt
>         # TLS
> 
>         ntlm auth = ntlmv1-permitted
>         lanman auth = yes
>         client lanman auth = yes
>         server min protocol = NT1
>         client min protocol = NT1

Why are you using SMBv1 ?

> 
> Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
> 
> Thank you in advance,
> Nicolas Martinussen
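
Added example, not part of either poster's message and not Samba code: a small Python parser that takes the raw bytes of an LDAP BindRequest (for instance exported from a packet capture) and reports which AuthenticationChoice it carries and whether the credentials contain an NTLMSSP message, which is the difference between the 'sasl' bind and the 'NTLMSSP_NEGOTIATE' bind described in the question. The sample PDUs, the flag value and the helper names are constructed for illustration; tags 0 and 3 are from RFC 4511, tags 9 to 11 are the "Sicily" choices documented in MS-ADTS.

```python
import struct
# AuthenticationChoice context tags: 0 and 3 per RFC 4511, 9-11 per MS-ADTS ("Sicily").
AUTH_CHOICES = {0: "simple", 3: "sasl", 9: "sicilyPackageDiscovery",
                10: "sicilyNegotiate", 11: "sicilyResponse"}

def read_tlv(buf, pos):
    """Decode one definite-length BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def ntlmssp_type(blob):
    """NTLMSSP message type (1 = NEGOTIATE) found in blob, raw or wrapped, else None."""
    i = blob.find(b"NTLMSSP\x00")
    return struct.unpack_from("<I", blob, i + 8)[0] if 0 <= i <= len(blob) - 12 else None

def classify_bind(pdu):
    """Report which AuthenticationChoice an LDAP BindRequest PDU carries."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(msg, 0)            # messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    pos = read_tlv(bind, read_tlv(bind, 0)[2])[2]   # skip version and name
    tag, auth, _ = read_tlv(bind, pos)
    choice, mech = tag & 0x1F, None
    if choice == 3:                         # SaslCredentials: mechanism, then optional credentials
        _, mech_raw, p = read_tlv(auth, 0)
        mech = mech_raw.decode("ascii", "replace")
        auth = read_tlv(auth, p)[1] if p < len(auth) else b""
    return {"choice": AUTH_CHOICES.get(choice, f"unknown[{choice}]"),
            "mechanism": mech, "ntlmssp_type": ntlmssp_type(auth)}

# Constructed sample PDUs (not taken from the capture linked in the thread).
def tlv(tag, value): return bytes([tag, len(value)]) + value   # short-form length only
NEG = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + bytes(16)
HEAD = tlv(0x02, b"\x03") + tlv(0x04, b"")   # version 3, empty bind name
SICILY_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, HEAD + tlv(0x8A, NEG)))
SASL_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, HEAD + tlv(0xA3,
                tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, NEG))))
```

Running classify_bind() on the first LDAP payload the client sends shows at a glance whether it is an RFC 4511 SASL bind or one of the non-RFC choices.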



