[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Nicolas Martinussen
nicolas.martinussen at joskin.com
Thu Oct 23 14:15:13 UTC 2025
> Hello,
>
> I have an issue with the way FortiEMS authenticates (which Fortinet
> won't revert back). Before, it was using 'sasl' authentication at the
> bind request but now, it's using 'NTLMSSP_NEGOTIATE' and it seems my
> Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
>
> Is it an expected outcome or should NTLMSSP_NEGOTIATE work?
Yes, it should; it is the first stage in the protocol negotiation.
>
> Here are the error logs (in debug):
> [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
>   messaging_dgm_ref: messaging_dgm_get_unique returned Success
> [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
>   messaging_dgm_ref: unique = 7718602353702169936
> [2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:113(security_token_debug)
>   Security token SIDs (1): SID[ 0]: S-1-5-7 Privileges (0x 0): Rights (0x 0):
> [2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
>   Initialising global parameters
> [2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:331(max_open_files)
>   rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> [2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)] ../../source4/dsdb/common/util.c:5785(dsdb_search)
>   dsdb_search: SUB flags=0x00000200 cn=Primary Domains (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1
This appears to be searching in 'secrets.ldb' and failing; any idea
what the search command is?
From what I see in the packet capture I have done, it doesn't look like it's searching anything at that moment. Here is the packet decoded by Wireshark:
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" ntlmsspNegotiate
        messageID: 1
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: <MISSING>
                authentication: ntlmsspNegotiate (10)
                    NTLM Secure Service Provider
                        NTLMSSP identifier: NTLMSSP
                        NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                        Negotiate Flags: 0xa0880001, Negotiate 56, Negotiate 128, Negotiate Target Info, Negotiate Extended Session Security, Negotiate UNICODE
                            1... .... .... .... .... .... .... .... = Negotiate 56: Set
                            .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
                            ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                            ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                            .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                            .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                            .... ..0. .... .... .... .... .... .... = Negotiate Version: Not set
                            .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                            .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                            .... .... .0.. .... .... .... .... .... = Request Non-NT Session Key: Not set
                            .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                            .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                            .... .... .... 1... .... .... .... .... = Negotiate Extended Session Security: Set
                            .... .... .... .0.. .... .... .... .... = Negotiate 0x00040000: Not set
                            .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                            .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                            .... .... .... .... 0... .... .... .... = Negotiate Always Sign: Not set
                            .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                            .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                            .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                            .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                            .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                            .... .... .... .... .... ..0. .... .... = Negotiate NTLM key: Not set
                            .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                            .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                            .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                            .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                            .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                            .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                            .... .... .... .... .... .... .... .0.. = Request Target: Not set
                            .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                            .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                        Calling workstation domain: NULL
                        Calling workstation name: NULL
> [2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
>   stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
> [2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=0x56413ff8f860
> [2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
>   sigterm_signal_handler: Exiting pid 190027 on SIGTERM
> [2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=(nil)
>
> Here is my config:
> [global]
> netbios name = DC-01
> realm = AD.MYDOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> ad dc functional level = 2016
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> bind interfaces only = yes
> interfaces = lo 192.168.102.66/22
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS
Why 'WINS'? Your clients should be using DNS, not NetBIOS.
It's due to an old machine that really needs WINS (an old Windows NT Embedded). I would really like to disable that, but I sadly can't.
>
> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/MYDOMAIN.2023.crt
> # TLS
>
> ntlm auth = ntlmv1-permitted
> lanman auth = yes
> client lanman auth = yes
> server min protocol = NT1
> client min protocol = NT1
Why are you using SMBv1?
It's also some configuration that I need to disable, but a production machine is still using SMBv1. As soon as this machine is migrated to another SMB server (for old machines), I'll remove those 5 config lines.
>
> Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
>
> Thank you in advance,
> Nicolas Martinussen
Thanks,
Nicolas
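The Wireshark decode above shows the bindRequest carrying AuthenticationChoice tag [10] (ntlmsspNegotiate, the Microsoft "Sicily" NTLM bind defined in MS-ADTS) instead of the SASL choice [3] (RFC 4511) the client used before. As an added example, not code from this thread or from Samba, the following Python walks the BER of an LDAP bindRequest, reports which authentication choice the client sent, and decodes the NTLM NEGOTIATE flags; the sample message is constructed to match the capture (messageID 1, version 3, empty name, flags 0xa0880001).

```python
import struct
# NTLM NegotiateFlags bits (names per MS-NLMP / the Wireshark decode above)
NTLM_FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x20: "SEAL",
              0x200: "NTLM", 0x800: "ANONYMOUS", 0x8000: "ALWAYS_SIGN",
              0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO", 0x2000000: "VERSION",
              0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56"}
# BindRequest AuthenticationChoice context tags: RFC 4511 plus the Microsoft Sicily NTLM tags
AUTH_CHOICE = {0: "simple", 3: "sasl", 9: "sicilyPackageDiscovery",
               10: "sicilyNegotiate (ntlmsspNegotiate)", 11: "sicilyResponse (ntlmsspAuth)"}

def tlv(tag: int, body: bytes) -> bytes:
    # Encode one BER TLV (short definite length; enough for the constructed samples)
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos (short or long length form); returns (tag, value, next pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def ntlm_negotiate_message(flags: int) -> bytes:
    """Minimal NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1) with empty DomainName/Workstation."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2

def parse_ntlm_negotiate(blob: bytes) -> dict:
    sig, mtype, flags = struct.unpack_from("<8sII", blob, 0)
    if sig != b"NTLMSSP\x00" or mtype != 1:
        raise ValueError("not an NTLMSSP NEGOTIATE_MESSAGE")
    return {"flags": flags, "set": [n for b, n in sorted(NTLM_FLAGS.items()) if flags & b]}

def parse_bind_request(msg: bytes) -> dict:
    """Walk LDAPMessage -> BindRequest and report which authentication choice the client sent."""
    tag, seq, _ = read_tlv(msg, 0)
    _, mid, pos = read_tlv(seq, 0)                        # messageID INTEGER
    op_tag, op, _ = read_tlv(seq, pos)
    if tag != 0x30 or op_tag != 0x60:                     # SEQUENCE / [APPLICATION 0] BindRequest
        raise ValueError("not an LDAPMessage carrying a bindRequest")
    _, ver, pos = read_tlv(op, 0)                         # version INTEGER
    _, name, pos = read_tlv(op, pos)                      # name LDAPDN
    auth_tag, auth, _ = read_tlv(op, pos)                 # authentication CHOICE
    choice = auth_tag & 0x1F                              # context-specific tag number
    out = {"messageID": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
           "name": name.decode(), "auth": AUTH_CHOICE.get(choice, f"unknown [{choice}]")}
    if choice == 10:
        out["ntlm"] = parse_ntlm_negotiate(auth)
    return out
# Constructed sample matching the capture: messageID 1, version 3, empty name, choice [10]
SAMPLE_SICILY = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"")
                    + tlv(0x8A, ntlm_negotiate_message(0xA0880001))))
```

Running `parse_bind_request` over the bindRequest extracted from a capture tells you at a glance whether a client binds via SASL (tag 3) or the Sicily NTLM path (tags 9 to 11), which is the distinction at issue in this thread.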