[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Nicolas Martinussen
nicolas.martinussen at joskin.com
Fri Oct 24 12:42:29 UTC 2025
> > I've found a way to reproduce the issue I have with a small C# code
> > executed on Windows. It gets me almost the same packets when I do a
> > capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and
> > when I try it against a Windows DC, it works.
> >
> > Here is the code:
> >
> > using System.DirectoryServices.Protocols;
> > using System.Net;
> >
> > class Program
> > {
> >     static void Main()
> >     {
> >         string ldapServer = "dc-01.ad.mydomain.com";
> >
> >         LdapConnection ldap = new LdapConnection(ldapServer);
> >         ldap.AuthType = AuthType.Ntlm;
> >         ldap.Credential = new NetworkCredential("ldap", "PASSWORD", "MYDOMAIN");
> >
> >         ldap.Bind();
> >     }
> > }
> >
> > It seems like AuthType.Ntlm isn't supported by the Samba code. When I
> > try the same code with AuthType.Basic, in that case, it works (I get
> > the "Strong authentication is required for this operation.", but
> > that's normal as I use LDAP and not LDAPS).
> >
>
> I am also fairly certain it is supported, but I am also running out of
> ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for the
> username, what if it expects the samaccountname? Try it with just
> 'ldap' (which I presume is an AD username).
>
> Rowland
Yes, 'ldap' is in fact the username I try. I've already tried 'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com', 'MYDOMAIN\ldap' and just 'ldap'.
When I check the packet trace, I don't even see the username in the packet that results in a TCP RESET from the DC. The username is sent later when I check the same traffic with a Windows DC. So, what I'm guessing is that for some reason, this specific bind packet isn't correctly recognized by Samba. I'm willing to try to do some code debugging to see exactly where there is an issue, but I didn't find any info about how to debug the Samba code in the wiki and I have never really used GDB, so I have no idea where to start.
Nicolas
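
Added example, not part of the original message and not Samba code: a small Python parser that reports which authentication choice a captured LDAP BindRequest uses and, if it carries an NTLMSSP token, which NTLM message type it is. It shows why the first bind packet in a trace has no username: an NTLMSSP NEGOTIATE message has no user name field, which only appears in the later AUTHENTICATE message. The sample PDUs and the names tlv, describe_bind, ber and sample_bind are constructed for illustration, and the user name is assumed to be UTF-16LE.

```python
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def describe_bind(pdu):
    """Summarise an LDAP BindRequest: auth choice, SASL mechanism, NTLMSSP type."""
    tag, msg, _ = tlv(pdu, 0)
    _, _, pos = tlv(msg, 0)                      # messageID
    btag, bind, _ = tlv(msg, pos)
    if (tag, btag) != (0x30, 0x60):
        raise ValueError("not an LDAP BindRequest")
    _, _, pos = tlv(bind, 0)                     # version
    _, _, pos = tlv(bind, pos)                   # name (bind DN)
    auth_tag, auth, _ = tlv(bind, pos)           # AuthenticationChoice
    choice = auth_tag & 0x1F                     # context tag number
    info = {"choice": {0: "simple", 3: "sasl"}.get(choice, f"other [{choice}]")}
    if choice == 3:
        info["mechanism"] = tlv(auth, 0)[1].decode()
    i = auth.find(b"NTLMSSP\x00")                # token may be wrapped; search for the signature
    if i >= 0:
        ntlm = auth[i:]
        mtype = struct.unpack_from("<I", ntlm, 8)[0]
        info["ntlm"], info["user"] = NTLM_TYPES.get(mtype, mtype), None
        if mtype == 3:  # only AUTHENTICATE carries UserNameFields (offset 36)
            ulen, _, uoff = struct.unpack_from("<HHI", ntlm, 36)
            info["user"] = ntlm[uoff:uoff + ulen].decode("utf-16-le")  # assumes Unicode strings
    return info

# --- constructed sample messages (not taken from the poster's capture) ---
def ber(tag, value):  # short-form lengths only; every sample here is < 128 bytes
    return bytes([tag, len(value)]) + value

def sample_bind(token):
    sasl = ber(0x04, b"GSS-SPNEGO") + ber(0x04, token)
    return ber(0x30, ber(0x02, b"\x01") + ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0xA3, sasl)))
EMPTY = struct.pack("<HHI", 0, 0, 64)            # zero-length NTLM field descriptor
NEGOTIATE = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + bytes(16)
AUTHENTICATE = (b"NTLMSSP\x00" + struct.pack("<I", 3) + EMPTY * 3 + struct.pack("<HHI", 8, 8, 64)
                + EMPTY * 2 + struct.pack("<I", 0x00088205) + "ldap".encode("utf-16-le"))
```

To run it on a real capture, pass the raw TCP payload of the bind packet (for example, exported as bytes from the capture tool) to describe_bind.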