Hi list,
since this week my clients keep getting rejected when performing an LDAP
query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
This is the log on server side (log level 5) of such a failed attempt:
ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection -
'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid
argument'
Client says this:
me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
ldap_url_parse_ext(ldaps://dc1.fq.dn)
ldap_create
ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.fq.dn:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip.dc1>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
<dump of hello packet>
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
The relevant portion of my DCs' smb.conf looks as follows:
[global]
netbios name = DC1
realm = FQ.DN
server role = active directory domain controller
server services = -dns
workgroup = ICINTERN
dns forwarder = my.provider.dns
smb ports = 445
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = tls/dc1.key
tls certfile = tls/dc2020.pem
tls cafile = tls/myca.pem
Any ideas what might be behind this?
Thanks a lot in advance.
Best regards
Johannes
On Mon, 2020-12-14 at 10:18 +0100, Johannes Engel via samba wrote:
> Any ideas what might be behind this?
> Thanks a lot in advance.
>
> Best regards

I got "Failed to set default priorities" on RHEL 7 when testing updated
backported GnuTLS packages. I never got to the bottom of it, but didn't get
it on Amazon Linux 2 so suspect it is due to the system-wide gnutls
configuration on your host OS.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
On 14/12/2020 09:18, Johannes Engel via samba wrote:
> Hi list,
>
> since this week my clients keep getting rejected when performing an LDAP
> query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
>
> This is the log on server side (log level 5) of such a failed attempt:
> _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> The request is invalid.. Failed to set default priorities
> stream_terminate_connection: Terminating connection -
> 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
>
> Client says this:
> me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
[...]
> TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> TLS: can't connect: .
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
[...]
> Any ideas what might be behind this?
> Thanks a lot in advance.
>
> Best regards
> Johannes

Try the search without the 's' i.e.

ldapsearch -H ldap://dc1.fq.dn -d3

Rowland
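The client trace in the original post ends with "connect success" followed by "tls_read: want=5, got=0": the TCP connection completes, the ClientHello goes out, and the DC closes the socket before sending any ServerHello, which is exactly what a server-side TLS setup failure such as "Failed to set default priorities" looks like from outside. The script below is an added example (not code from this thread, from OpenLDAP or from Samba) that reproduces that client-side view with Python's ssl module and classifies where the handshake died, so the symptom can be told apart from a closed port, a TLS alert about ciphers or protocol versions, or an untrusted certificate. The outcome labels are this example's own; the local listener is a constructed stand-in for the failing DC and exists only so the classification can be exercised offline.

```python
"""Probe an LDAPS endpoint and say where the TLS handshake fails.

Added example, not part of the mailing-list thread or of Samba.
Outcome labels below are this example's own naming.
"""
import socket
import ssl
import sys
import threading
from typing import Optional

TCP_REFUSED = "tcp_refused"                 # nothing listening on the port
TCP_TIMEOUT = "tcp_timeout"                 # filtered, or no ServerHello in time
PEER_CLOSED = "peer_closed_in_handshake"    # the symptom in the thread
TLS_ALERT = "tls_alert"                     # server answered with a TLS alert
CERT_FAILED = "cert_verify_failed"          # handshake ran, chain not trusted
OK = "ok"


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0,
                cafile: Optional[str] = None) -> dict:
    """Connect to host:port, attempt a TLS handshake and report the result.

    With cafile=None the certificate is not verified: the only question is
    whether the server completes a handshake at all. Pass the DC's
    'tls cafile' (e.g. tls/myca.pem in the thread) to also check the chain.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"outcome": TCP_REFUSED}
    except (socket.timeout, TimeoutError):
        return {"outcome": TCP_TIMEOUT}
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when CERT_NONE
                return {"outcome": OK, "version": tls.version(),
                        "cipher": tls.cipher()[0], "subject": cert.get("subject")}
        except ssl.SSLCertVerificationError as e:
            return {"outcome": CERT_FAILED, "detail": e.verify_message}
        except ssl.SSLEOFError as e:
            # EOF while waiting for the ServerHello: the same thing ldapsearch
            # shows as 'tls_read: want=5, got=0' right after its ClientHello.
            return {"outcome": PEER_CLOSED, "detail": str(e)}
        except ssl.SSLError as e:
            if "EOF" in (e.reason or ""):  # older Pythons report it this way
                return {"outcome": PEER_CLOSED, "detail": e.reason}
            return {"outcome": TLS_ALERT, "detail": e.reason}
        except (ConnectionResetError, ConnectionAbortedError) as e:
            # Same symptom when the server's close() turns into a RST.
            return {"outcome": PEER_CLOSED, "detail": str(e)}
        except (socket.timeout, TimeoutError):
            return {"outcome": TCP_TIMEOUT, "detail": "no ServerHello within timeout"}


def start_dropping_listener() -> int:
    """Constructed stand-in for the failing DC, for offline testing only:
    accept one connection, read the ClientHello and close without answering.
    Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once() -> None:
        conn, _ = srv.accept()
        conn.settimeout(2.0)
        try:
            conn.recv(65536)  # drain the ClientHello so close() sends FIN, not RST
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_local_port() -> int:
    """Pick a port nothing listens on (bind, then release) for the refused case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 probe_ldaps.py dc1.fq.dn [636] [tls/myca.pem]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_ldaps(target, target_port, cafile=ca))
```

Run it against both DCs from the thread (the post says only one of the two rejects clients) and compare the outcomes. A "peer_closed_in_handshake" result says nothing about the certificate or the CA file, because the server never got far enough to present a certificate; as Andrew's reply suggests, the next place to look is how GnuTLS builds its priority string on that host (Samba's "tls priority" smb.conf option and the host's system-wide GnuTLS configuration), not the key and certificate paths. A "cert_verify_failed" or "tls_alert" result, by contrast, means the DC's TLS stack initialised fine and the problem is in the material or the cipher/version negotiation.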