[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

Arjit 1576799 at bugs.launchpad.net
Mon Dec 11 12:48:26 UTC 2017


Hi Team,

I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf

#TLS_REQCERT     HARD
TLS_REQCERT     ALLOW
TLS_CACERT      /etc/ssl/certs/msadmaster.pem

After the above changes, net ads is successful with SSL/TLS.
I have verified at the Windows AD DC end, with the help of Wireshark, that TLS is being used for communication.
Though I am not sure what the impact is of changing TLS_REQCERT from HARD to ALLOW if certificates are being used.

Now I have configured Ubuntu as an AD DC and am trying to join another Ubuntu
machine as a member server, but I am getting the error below.

[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required


Ubuntu AD DC smb.conf:

[global]
        workgroup = TECHMINT
        realm = TECHMINT.LAN
        netbios name = ADC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash

[netlogon]
        path = /var/lib/samba/sysvol/techmint.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf for the ADS member server:

[global]
       security = ADS
       workgroup = TECHMINT
       realm = TECHMINT.LAN

       log file = /var/opt/samba/%m.log
       log level = 1

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # - Adding just this is not enough
       # - You must set a DOMAIN backend configuration, see below
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       username map = /etc/opt/samba/user.map
#       ldap ssl = start tls
#       ldap ssl ads = yes
       ldap debug level = 1
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we
  were seeing a regression with authentication:

  /var/log/syslog
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error

  
  We had to rollback to: 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

  Here's a basic samba config that reproduces the issue:

  Perfectly reproducible with this:
    realm = AD.DOMAIN.COM
    security = ads
    ldap ssl = start_tls
    ldap ssl ads = yes

  [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error

  Samba seems to construct the LDAP URL with the IP of the AD controller
  in it instead of the hostname and then because our ldap.conf requires
  it, the server cert validation fails

  Please let me know if there are any other logs I can provide

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799/+subscriptions
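The two TLS symptoms in this thread (the "does not match common name in certificate" failure in the original report, and the question of what switching TLS_REQCERT from HARD to ALLOW gives up) come down to one check: does the identity the client put in the LDAP URI match an identity the DC's certificate asserts, and what does ldap.conf do with a negative answer. The script below is an added example written for this page, not Samba or OpenLDAP code. It performs an RFC 6125 style identity check on a certificate given in the dict layout Python's ssl.SSLSocket.getpeercert() returns, then applies the TLS_REQCERT policy from ldap.conf(5) to the result. The certificates, the DC name adc1.techmint.lan (taken from the smb.conf above) and the address 172.12.12.12 (taken from the original log line) are constructed for the demonstration; no real DC was contacted.

```python
"""Added example: certificate identity check of the kind libldap performs
before a StartTLS session is accepted, plus the TLS_REQCERT outcome table.
Not Samba/OpenLDAP code; certificates below are constructed test data."""
import ipaddress


def _dnsname_match(pattern, hostname):
    """Case-insensitive DNS-ID match (RFC 6125 style). A single '*' is only
    accepted as the whole left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # reject partial wildcards ('f*o.lan'), over-broad ones ('*.lan') and
    # label-count mismatches ('*.techmint.lan' vs 'a.b.techmint.lan')
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches(cert, target):
    """Decide whether `target` (host part of the LDAP URI: DNS name or IP
    literal) is an identity the certificate asserts.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert():
      subject        -> tuple of RDNs, each a tuple of (type, value) pairs
      subjectAltName -> tuple of ('DNS', name) / ('IP Address', addr) pairs
    Returns (matched, reason)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        ip_sans = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if ip in ip_sans:
            return True, "IP literal %s matched an iPAddress SAN" % ip
        return False, ("IP literal %s not among iPAddress SANs %s; a commonName "
                       "holding a DNS name never matches an IP literal"
                       % (ip, [str(a) for a in ip_sans]))

    for name in (v for k, v in sans if k == "DNS"):
        if _dnsname_match(name, target):
            return True, "%s matched dNSName SAN %s" % (target, name)

    # Fall back to the subject commonName. The log line "does not match
    # common name in certificate" quoted in this bug is that fallback failing.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dnsname_match(cn, target):
            return True, "%s matched commonName %s (no SAN matched)" % (target, cn)
    return False, "%s matched neither a SAN nor commonName %s" % (target, cns)


def session_proceeds(tls_reqcert, cert_present, cert_valid):
    """ldap.conf(5) TLS_REQCERT policy: does the session continue given the
    verification outcome? 'hard' is a synonym for 'demand'."""
    mode = tls_reqcert.lower()
    if mode == "never":
        return True                      # certificate is not even requested
    if mode == "allow":
        return True                      # missing or bad certificate is ignored
    if mode == "try":
        return cert_valid if cert_present else True
    if mode in ("demand", "hard"):
        return cert_present and cert_valid
    raise ValueError("unknown TLS_REQCERT value %r" % tls_reqcert)


# Constructed certificates (not captured from any real DC).
# (1) the situation in the original report: a DNS-name CN and no SAN
DC_CERT_CN_ONLY = {
    "subject": ((("commonName", "adc1.techmint.lan"),),),
}
# (2) the same DC with a SAN that also lists the address clients connect to
DC_CERT_WITH_SANS = {
    "subject": ((("commonName", "adc1.techmint.lan"),),),
    "subjectAltName": (("DNS", "adc1.techmint.lan"), ("IP Address", "172.12.12.12")),
}


if __name__ == "__main__":
    for cert, target in ((DC_CERT_CN_ONLY, "adc1.techmint.lan"),
                         (DC_CERT_CN_ONLY, "172.12.12.12"),
                         (DC_CERT_WITH_SANS, "172.12.12.12")):
        ok, why = cert_matches(cert, target)
        print("%-4s %s" % ("OK" if ok else "FAIL", why))
        print("     TLS_REQCERT demand -> %s, allow -> %s" % (
            "proceed" if session_proceeds("demand", True, ok) else "abort",
            "proceed" if session_proceeds("allow", True, ok) else "abort"))
```

The second case is the original bug: the URI carried the DC's IP, the certificate only named the host, and with TLS_REQCERT hard (demand) the mismatch aborts the StartTLS session. Switching to ALLOW makes the session proceed, but as the policy function shows it proceeds for any certificate, valid or not, so the connection is still encrypted yet the DC's identity is no longer verified; a host on the path could present its own certificate and the client would accept it. The setting that keeps verification is demand together with a certificate whose SANs cover whatever identity actually ends up in the URI (case three), or a URI that carries the DNS name the certificate already has. The separate "Sign or Seal are required" error against the Samba DC is an LDAP SASL wrapping requirement rather than a certificate problem; the smb.conf parameters client ldap sasl wrapping (member side) and ldap server require strong auth (DC side) are the documented knobs for it, but nothing on this page confirms which combination the reporter needs, so that is a place to look rather than a fix this page establishes.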


