Rowland Penny
2025-Oct-24 09:14 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Fri, 24 Oct 2025 08:30:21 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:

> > > > > This appears to be searching in 'secrets.ldb' and failing, any
> > > > > idea what the search command is ?
> > > > > From what I see in the packet capture I have done, it doesn't
> > > > > look like it's searching anything at that moment.
> > > >
> > > > Something must be starting off the process, it is that command
> > > > I was referring to.
> > > >
> > > Oh sorry, hadn't understood that. It's in a webui, but there
> > > isn't a lot to configure... On the previous version of FortiEMS,
> > > there were more things to configure, but it seems they have
> > > removed the other options (and won't add it back as it works with
> > > Windows AD, I've already tried opening a ticket). I'm using LDAP
> > > (not S) just to have clear traffic in the capture, but when I try
> > > with LDAPS, I still have the same error and the same log. Here is
> > > a picture from the UI: https://imgur.com/a/LsFwGG2
> >
> > Sorry, but I cannot see that, I am in the UK
> >
> Here is on another site, I hope this one isn't blocked in the UK:
> https://ibb.co/q2ZPfvm
>

I wonder if this could be an authentication problem?

If I run this ldapsearch on a Unix domain member against one of my DCs:

ldapsearch -x -H ldap://dc03.samdom.example.com -D CN=rowland,CN=Users,dc=samdom,dc=example,dc=com -w xxxxxxxxxxx -b 'dc=samdom,dc=example,dc=com' -s sub

I get this:

ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

If I go to the DC and add this to its smb.conf:

ldap server require strong auth = no

Then restart it, if I then rerun the ldapsearch on the Unix domain member, I get the entire AD domain dumped.

After that, I am lost :-)

Rowland
Nicolas Martinussen
2025-Oct-24 11:44 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
I've found a way to reproduce the issue I have with a small piece of C# code
executed on Windows. It gets me almost the same packets when I do a capture, I
also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and when I try it against
a Windows DC, it works.
Here is the code:
using System.DirectoryServices.Protocols;
using System.Net;

class Program
{
    static void Main()
    {
        // DC to test against: fails with LDAP_PROTOCOL_ERROR on the Samba AD DC,
        // succeeds against a Windows DC.
        string ldapServer = "dc-01.ad.mydomain.com";
        LdapConnection ldap = new LdapConnection(ldapServer);

        // NTLM bind is what reproduces the problem; AuthType.Basic does not.
        ldap.AuthType = AuthType.Ntlm;
        ldap.Credential = new NetworkCredential("ldap", "PASSWORD", "MYDOMAIN");
        ldap.Bind();
    }
}
It seems like AuthType.Ntlm isn't supported by the Samba code. When I try
the same code with AuthType.Basic, it works (I get
"Strong authentication is required for this operation.", but
that's normal as I use LDAP and not LDAPS).
> I wonder if this could be an authentication problem?
> If I run this ldapsearch on a Unix domain member against one of my DCs:
>
> ldapsearch -x -H ldap://dc03.samdom.example.com -D
> CN=rowland,CN=Users,dc=samdom,dc=example,dc=com -w xxxxxxxxxxx -b
> 'dc=samdom,dc=example,dc=com' -s sub
>
> I get this:
>
> ldap_bind: Strong(er) authentication required (8)
>         additional info: BindSimple: Transport encryption required.
>
> If I go to the DC and add this to its smb.conf:
>
> ldap server require strong auth = no
I've also tried that but it still sadly doesn't work...
> Then restart it, if I then rerun the ldapsearch on the Unix domain
> member, I get the entire AD domain dumped.
>
> After that, I am lost :-)
>
> Rowland
Nicolas
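The thread contrasts two bind shapes on the wire: the simple bind that `ldapsearch -x` sends (which Samba rejects with resultCode 8 unless `ldap server require strong auth = no`), and the bind carrying an NTLMSSP_NEGOTIATE token that the C# reproducer sends. The following is an added example, not code from the thread, from Samba, or from the poster: a dependency-free BER encoder/decoder for LDAP BindRequest/BindResponse (RFC 4511) plus a minimal NTLMSSP NEGOTIATE message, so the two request shapes can be built, compared byte for byte against a capture, and a response decoded to its result code name. Assumptions are labelled in the code: the NTLM flag constants follow MS-NLMP; the `sicilyNegotiate [10]` choice follows MS-ADTS 5.1.1.1.3 and is my assumption of what a Windows NTLM bind looks like, not something the thread established; the sample BindResponse is constructed here, not captured from a real DC.

```python
"""Hand-rolled LDAP bind messages (RFC 4511 BER) for comparing against captures.

Added example for the Samba list thread; not Samba code or the poster's C#.
Assumptions: NTLM flags per MS-NLMP; Sicily choice tag per MS-ADTS 5.1.1.1.3;
the BindResponse fixture is constructed, not captured.
"""
import struct

# RFC 4511 resultCode values that matter for bind failures in this thread.
RESULT_CODES = {
    0: "success",
    2: "protocolError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    14: "saslBindInProgress",
    49: "invalidCredentials",
}

# MS-NLMP NegotiateFlags (assumed typical client subset).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
DEFAULT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
                 | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_NTLM
                 | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                 | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                 | NTLMSSP_NEGOTIATE_128)


def _len(n):
    """BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value


def _int(tag, n):
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A), minimal two's complement."""
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _ldap_message(msgid, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return _tlv(0x30, _int(0x02, msgid) + protocol_op)


def bind_request_simple(msgid, dn, password):
    """BindRequest [APPLICATION 0] with simple [0] password: what `ldapsearch -x` sends."""
    body = _int(0x02, 3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _ldap_message(msgid, _tlv(0x60, body))


def bind_request_sasl(msgid, mechanism, token):
    """BindRequest with sasl [3] SaslCredentials { mechanism, credentials } (implicit tags)."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, token)
    body = _int(0x02, 3) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _ldap_message(msgid, _tlv(0x60, body))


def bind_request_sicily_negotiate(msgid, token):
    """Assumption: MS-ADTS Sicily bind, choice sicilyNegotiate [10] (tag 0x8A), raw NTLMSSP."""
    body = _int(0x02, 3) + _tlv(0x04, b"") + _tlv(0x8A, token)
    return _ldap_message(msgid, _tlv(0x60, body))


def ntlm_negotiate(flags=DEFAULT_FLAGS):
    """NTLMSSP NEGOTIATE_MESSAGE (type 1): 32-byte header, empty domain/workstation."""
    empty_field = struct.pack("<HHI", 0, 0, 32)  # Len, MaxLen, BufferOffset
    return struct.pack("<8sII", b"NTLMSSP\x00", 1, flags) + empty_field + empty_field


def bind_response(msgid, code, diagnostic, matched_dn="", sasl_creds=None):
    """BindResponse [APPLICATION 1]; used here only to build a constructed fixture."""
    body = (_int(0x0A, code) + _tlv(0x04, matched_dn.encode())
            + _tlv(0x04, diagnostic.encode()))
    if sasl_creds is not None:
        body += _tlv(0x87, sasl_creds)  # serverSaslCreds [7]
    return _ldap_message(msgid, _tlv(0x61, body))


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_bind_response(buf):
    """Return (messageID, resultCode name, diagnosticMessage, serverSaslCreds or None)."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    creds = None
    while pos < len(op):  # optional referral [3] / serverSaslCreds [7]
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x87:
            creds = val
    code = int.from_bytes(code, "big")
    return (int.from_bytes(mid, "big"), RESULT_CODES.get(code, str(code)),
            diag.decode(errors="replace"), creds)


if __name__ == "__main__":
    # Constructed fixture mirroring the ldapsearch failure quoted in the thread.
    fixture = bind_response(1, 8, "BindSimple: Transport encryption required.")
    print(parse_bind_response(fixture))
    print(bind_request_sasl(2, "GSS-SPNEGO", ntlm_negotiate()).hex())
    print(bind_request_sicily_negotiate(3, ntlm_negotiate()).hex())
```

Feed the hex of the two NTLM-carrying requests to Wireshark's "Import from Hex Dump" (or compare against the BindRequest bytes in the FortiEMS capture) to see which authentication choice the client is actually using; the simple-bind encoder shows why `ldapsearch -x` over plain `ldap://` is answered with resultCode 8 until strong auth is switched off.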