Rowland Penny
2025-Oct-23 14:05 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Thu, 23 Oct 2025 12:37:22 +0000
Nicolas Martinussen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have an issue with the way FortiEMS authenticates (which Fortinet
> won't revert back). Before, it was using 'sasl' authentication at the
> bind request but now it's using 'NTLMSSP_NEGOTIATE' and it seems my
> Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
>
> Is it an expected outcome or should NTLMSSP_NEGOTIATE work?

Yes it should, it is the first stage in the protocol negotiation.

> Here are the error logs (in debug):
>
> [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
>   messaging_dgm_ref: messaging_dgm_get_unique returned Success
> [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
>   messaging_dgm_ref: unique = 7718602353702169936
> [2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:113(security_token_debug)
>   Security token SIDs (1):
>     SID[ 0]: S-1-5-7
>    Privileges (0x 0):
>    Rights (0x 0):
> [2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
>   Initialising global parameters
> [2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:331(max_open_files)
>   rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> [2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)] ../../source4/dsdb/common/util.c:5785(dsdb_search)
>   dsdb_search: SUB flags=0x00000200 cn=Primary Domains (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1

This appears to be searching in 'secrets.ldb' and failing, any idea
what the search command is?

> [2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
>   stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
> [2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=0x56413ff8f860
> [2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
>   sigterm_signal_handler: Exiting pid 190027 on SIGTERM
> [2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=(nil)
>
> Here is my config:
>
> [global]
>     netbios name = DC-01
>     realm = AD.MYDOMAIN.COM
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     ad dc functional level = 2016
>     workgroup = MYDOMAIN
>     idmap_ldb:use rfc2307 = yes
>     bind interfaces only = yes
>     interfaces = lo 192.168.102.66/22
>
>     # WINS
>     wins support = yes
>     dns proxy = yes
>     # WINS

Why 'WINS'? Your clients should be using DNS, not NetBIOS.

>     # TLS
>     tls enabled = yes
>     tls keyfile = tls/dc-01.2023.key
>     tls certfile = tls/dc-01.2023.crt
>     tls cafile = tls/CA/MYDOMAIN.2023.crt
>     # TLS
>
>     ntlm auth = ntlmv1-permitted
>     lanman auth = yes
>     client lanman auth = yes
>     server min protocol = NT1
>     client min protocol = NT1

Why are you using SMBv1?

> Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
>
> Thank you in advance,
> Nicolas Martinussen
Nicolas Martinussen
2025-Oct-23 14:15 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
> > Hello,
> >
> > I have an issue with the way FortiEMS authenticates (which Fortinet
> > won't revert back). Before, it was using 'sasl' authentication at the
> > bind request but now it's using 'NTLMSSP_NEGOTIATE' and it seems my
> > Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
> >
> > Is it an expected outcome or should NTLMSSP_NEGOTIATE work?
>
> Yes it should, it is the first stage in the protocol negotiation.
>
> > Here are the error logs (in debug):
> >
> > [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
> >   messaging_dgm_ref: messaging_dgm_get_unique returned Success
> > [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
> >   messaging_dgm_ref: unique = 7718602353702169936
> > [2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:113(security_token_debug)
> >   Security token SIDs (1):
> >     SID[ 0]: S-1-5-7
> >    Privileges (0x 0):
> >    Rights (0x 0):
> > [2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
> >   Initialising global parameters
> > [2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:331(max_open_files)
> >   rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > [2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)] ../../source4/dsdb/common/util.c:5785(dsdb_search)
> >   dsdb_search: SUB flags=0x00000200 cn=Primary Domains (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1
>
> This appears to be searching in 'secrets.ldb' and failing, any idea
> what the search command is?

From what I see in the packet capture I have done, it doesn't look like
it's searching anything at that moment. Here is the packet decoded by
Wireshark:

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" ntlmsspNegotiate
        messageID: 1
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: <MISSING>
                authentication: ntlmsspNegotiate (10)
                    NTLM Secure Service Provider
                        NTLMSSP identifier: NTLMSSP
                        NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                        Negotiate Flags: 0xa0880001, Negotiate 56, Negotiate 128, Negotiate Target Info, Negotiate Extended Session Security, Negotiate UNICODE
                            1... .... .... .... .... .... .... .... = Negotiate 56: Set
                            .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
                            ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                            ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                            .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                            .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                            .... ..0. .... .... .... .... .... .... = Negotiate Version: Not set
                            .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                            .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                            .... .... .0.. .... .... .... .... .... = Request Non-NT Session Key: Not set
                            .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                            .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                            .... .... .... 1... .... .... .... .... = Negotiate Extended Session Security: Set
                            .... .... .... .0.. .... .... .... .... = Negotiate 0x00040000: Not set
                            .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                            .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                            .... .... .... .... 0... .... .... .... = Negotiate Always Sign: Not set
                            .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                            .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                            .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                            .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                            .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                            .... .... .... .... .... ..0. .... .... = Negotiate NTLM key: Not set
                            .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                            .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                            .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                            .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                            .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                            .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                            .... .... .... .... .... .... .... .0.. = Request Target: Not set
                            .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                            .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                        Calling workstation domain: NULL
                        Calling workstation name: NULL

> > [2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
> >   stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
> > [2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> >   msg_dgm_ref_destructor: refs=0x56413ff8f860
> > [2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
> >   sigterm_signal_handler: Exiting pid 190027 on SIGTERM
> > [2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> >   msg_dgm_ref_destructor: refs=(nil)
> >
> > Here is my config:
> >
> > [global]
> >     netbios name = DC-01
> >     realm = AD.MYDOMAIN.COM
> >     server role = active directory domain controller
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     ad dc functional level = 2016
> >     workgroup = MYDOMAIN
> >     idmap_ldb:use rfc2307 = yes
> >     bind interfaces only = yes
> >     interfaces = lo 192.168.102.66/22
> >
> >     # WINS
> >     wins support = yes
> >     dns proxy = yes
> >     # WINS
>
> Why 'WINS'? Your clients should be using DNS, not NetBIOS.

It's due to an old machine that really needs WINS (an old Windows NT
Embedded). I would really like to disable that, but I sadly can't.

> >     # TLS
> >     tls enabled = yes
> >     tls keyfile = tls/dc-01.2023.key
> >     tls certfile = tls/dc-01.2023.crt
> >     tls cafile = tls/CA/MYDOMAIN.2023.crt
> >     # TLS
> >
> >     ntlm auth = ntlmv1-permitted
> >     lanman auth = yes
> >     client lanman auth = yes
> >     server min protocol = NT1
> >     client min protocol = NT1
>
> Why are you using SMBv1?

It's also some configuration that I need to disable, but a production
machine is still using SMBv1. As soon as this machine is migrated to
another SMB server (for old machines), I'll remove those 5 config lines.

> > Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
> >
> > Thank you in advance,
> > Nicolas Martinussen

Thanks,
Nicolas
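A small decoder for the NTLMSSP NEGOTIATE token that Wireshark shows in the bind request above, added here as an example and not code from the thread or from Samba. It parses the fixed NEGOTIATE_MESSAGE header (MS-NLMP layout), validates the signature and message type, checks that the domain/workstation payload fields stay inside the token, and names the flag bits; the sample token is constructed to match the capture (flags 0xa0880001, no Version field, empty domain and workstation), so a defender can confirm from their own capture exactly what the client offered before the server answered LDAP_PROTOCOL_ERROR.

```python
import struct

# Subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5), named as Wireshark labels them.
NEGOTIATE_FLAGS = {
    0x80000000: "Negotiate 56",
    0x40000000: "Negotiate Key Exchange",
    0x20000000: "Negotiate 128",
    0x02000000: "Negotiate Version",
    0x00800000: "Negotiate Target Info",
    0x00080000: "Negotiate Extended Session Security",
    0x00008000: "Negotiate Always Sign",
    0x00002000: "Negotiate OEM Workstation Supplied",
    0x00000020: "Negotiate Seal",
    0x00000010: "Negotiate Sign",
    0x00000002: "Negotiate OEM",
    0x00000001: "Negotiate UNICODE",
}

def decode_flags(flags):
    """Names of the set bits; bits missing from the table are reported as hex."""
    names = [name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(NEGOTIATE_FLAGS) & 0xFFFFFFFF
    return names + ([f"unknown 0x{unknown:08x}"] if unknown else [])

def parse_negotiate(token):
    """Parse an NTLMSSP NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1); ValueError if malformed."""
    if len(token) < 32:
        raise ValueError("token shorter than the 32-byte NEGOTIATE header")
    signature, msg_type, flags = struct.unpack_from("<8sII", token, 0)
    if signature != b"NTLMSSP\x00" or msg_type != 1:
        raise ValueError("not an NTLMSSP_NEGOTIATE message")
    dom_len, _, dom_off = struct.unpack_from("<HHI", token, 16)
    wks_len, _, wks_off = struct.unpack_from("<HHI", token, 24)

    def payload_field(length, offset):  # domain/workstation are OEM-encoded here
        if length == 0:
            return None  # Wireshark prints an empty field as NULL
        if offset + length > len(token):
            raise ValueError("payload field points outside the token")
        return token[offset:offset + length].decode("ascii")

    return {"flags": flags, "flag_names": decode_flags(flags),
            "domain": payload_field(dom_len, dom_off),
            "workstation": payload_field(wks_len, wks_off)}

# Constructed sample reproducing the capture in the thread: flags 0xa0880001,
# no Version field, and empty domain/workstation fields pointing just past the header.
CAPTURED_NEGOTIATE = (b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA0880001)
                      + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))
```

Feed it the raw NTLMSSP bytes exported from Wireshark (the "NTLM Secure Service Provider" node) to compare a failing client's flags against a working one.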