[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request

Rowland Penny rpenny at samba.org
Fri Oct 24 12:50:18 UTC 2025


On Fri, 24 Oct 2025 12:42:29 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:

> > > I've found a way to reproduce the issue I have with a small C#
> > > code executed on Windows. It gets me almost the same packets when
> > > I do a capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba
> > > logs, and when I try it against a Windows DC, it works.
> > >
> > > Here is the code:
> > >
> > > using System.DirectoryServices.Protocols;
> > > using System.Net;
> > >
> > > class Program
> > > {
> > >     static void Main()
> > >     {
> > >         string ldapServer = "dc-01.ad.mydomain.com";
> > >
> > >         LdapConnection ldap = new LdapConnection(ldapServer);
> > >         ldap.AuthType = AuthType.Ntlm;
> > >         ldap.Credential = new NetworkCredential("ldap",
> > >             "PASSWORD", "MYDOMAIN");
> > >
> > >         ldap.Bind();
> > >     }
> > > }
> > >
> > > It seems like AuthType.Ntlm isn't supported by the Samba code.
> > > When I try the same code with AuthType.Basic, in that case, it
> > > works (I get the "Strong authentication is required for this
> > > operation.", but that's normal as I use LDAP and not LDAPS).
> > >
> > 
> > I am also fairly certain it is supported, but I am also running out
> > of ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for
> > the username, what if it expects the samaccountname? Try it with
> > just 'ldap' (which I presume is an AD username).
> > 
> > Rowland
> 
> Yes, 'ldap' is in fact the username I try. I've already tried
> 'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com',
> 'MYDOMAIN\ldap' and just 'ldap'.
> 
> When I check the packet trace, I don't even see the username in the
> packet that results in a TCP RESET from the DC. The username is sent
> later when I check the same traffic with a Windows DC. So, what I'm
> guessing is that for some reason, this specific bind packet isn't
> correctly recognized by Samba. I'm willing to try to do a code
> debugging to see exactly where there is an issue, but I didn't find
> any info about how to debug the Samba code in the wiki and I have
> never really used GDB, so I have no idea where to start.
> 
> Nicolas

Debugging isn't really something I am into, but perhaps this will point
you in the right direction:

https://wiki.samba.org/index.php/Writing_a_Samba_VFS_Module#Source_Debugging

Rowland
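
The observation quoted above, that the bind packet preceding the reset carries no username, matches the NTLMSSP message layout: a NEGOTIATE message has no user field, and the user name only appears in the later AUTHENTICATE message. The Python below is an added example, not code from this thread or from Samba; it locates an NTLMSSP token in raw bind bytes copied from a capture and reports its type. The sample messages are constructed, and cp437 is an assumed OEM code page.

```python
import struct

SIG = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, off, enc):
    # Each variable field is described by (Len, MaxLen, BufferOffset).
    length, _, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("field points past end of message")
    return msg[start:start + length].decode(enc, "replace")

def parse_ntlmssp(payload):
    """Find an NTLMSSP token in raw bind bytes and summarize it."""
    pos = payload.find(SIG)
    if pos < 0:
        return None
    msg = payload[pos:]
    if len(msg) < 12:
        raise ValueError("truncated NTLMSSP header")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN(%d)" % mtype),
            "user": None, "domain": None}
    if mtype == 3:  # only AUTHENTICATE carries DomainName and UserName
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "cp437"  # OEM page assumed
        info["domain"] = _field(msg, 28, enc)
        info["user"] = _field(msg, 36, enc)
    return info

def build_negotiate(flags=0x00000207):
    # Constructed sample: empty domain and workstation fields, no Version.
    return SIG + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 0) * 2

def build_authenticate(user, domain):
    # Constructed sample: empty LM/NT responses, workstation and session key.
    u, d = user.encode("utf-16-le"), domain.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    hdr = SIG + struct.pack("<I", 3) + empty * 2
    hdr += struct.pack("<HHI", len(d), len(d), 64)
    hdr += struct.pack("<HHI", len(u), len(u), 64 + len(d))
    hdr += empty * 2 + struct.pack("<I", UNICODE)
    return hdr + d + u
```

Feeding it the payload bytes of each bind request from the capture shows which NTLMSSP message the server was handling when it returned the error.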


