samba - Mar 2014 - A record packet with illegal version was received.

Hello,

I'm having a problem with using TLS in samba 4.1.4. When I try to 
connect to LDAP of samba 4 there is an error in the logs, which is:

[2014/03/18 15:34:12.631262,  1] 
../source4/lib/tls/tls_tstream.c:1338(tstream_tls_retry_handshake)
   TLS ../source4/lib/tls/tls_tstream.c:1338 - A record packet with 
illegal version was received.

Here's the php script that tries to connect to the samba 4:

<?php
    $ldap="samba.domain.com";
    $usr="test at domain.com";
    $pwd="s3cr3t";

    $ds=ldap_connect($ldap);
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $ldapbind=false;
    if(ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
       if(ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))
          if(ldap_start_tls($ds))
             $ldapbind = ldap_bind($ds, $usr, $pwd);

    if(!$ldapbind)
    {
       echo "ERROR: ";
       echo ldap_error($ds);
       echo " (".ldap_errno($ds).")";
    }
    else
       echo "OK";

    ldap_close($ds);
And the error from that script is:
ERROR: Connect error (-11)

Here's my smb.conf:
# Global parameters
[global]
         workgroup = DOMAIN
         realm = domain.com
         netbios name = SAMBA
         server role = active directory domain controller
         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, smb
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver, winreg, srvsvc
         idmap_ldb:use rfc2307 = yes

# Debug logging information
         log level = 1
         log file = /var/log/samba4/samba.log
         max log size = 50
         debug timestamp = yes

         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   = tls/ca.pem

[netlogon]
         path = /usr/local/AD/samba/var/locks/sysvol/domain.com/scripts
         read only = No

[sysvol]
         path = /usr/local/AD/samba/var/locks/sysvol
         read only = No
[v01]
         read only=No
         path=vol1

When I run: openssl verify /usr/local/AD/samba/private/tls/cert.pem the 
output is:
/usr/local/AD/samba/private/tls/cert.pem: O = Samba Administration, OU = 
Samba - temporary autogenerated certificate, CN = SAMBA.domain.com
error 18 at 0 depth lookup:self signed certificate
OK

When I run: openssl s_client -showcerts -connect localhost:636 the 
output is:
CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated 
certificate, CN = SAMBA.domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated 
certificate, CN = SAMBA.domain.com
verify return:1
---
Certificate chain
  0 s:/O=Samba Administration/OU=Samba - temporary autogenerated 
certificate/CN=SAMBA.domain.com
    i:/O=Samba Administration/OU=Samba - temporary autogenerated 
certificate/CN=SAMBA.domain.com
-----BEGIN CERTIFICATE-----
fdsfsdfds
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Samba Administration/OU=Samba - temporary autogenerated 
certificate/CN=SAMBA.domain.com
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated 
certificate/CN=SAMBA.domain.com
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated 
certificate/CN=SAMBA.domain.com
---
SSL handshake has read 1399 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
711C801E823B0F0D57841D52E4634B16914F52378126885FEFD06345164B1679
     Session-ID-ctx:
     Master-Key: 
8FC1B924DEDC1402E2F58B7CA445F9F322593089719263FE544C85D3D28EDC9E7A21A6C5768A3AB8E5A95391B2B0E6FD
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1395130353
     Timeout   : 300 (sec)
     Verify return code: 18 (self signed certificate)
---

In this forum: 
http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
it says that I should set TLS_REQCERT to never but that is for openLDAP. 
How do I do this in samba 4?

Thanks for your help.

Shem Pasamba

On 3/18/2014 4:19 PM, Shem Pasamba wrote:
> Hello,
>
> I'm having a problem with using TLS in samba 4.1.4. When I try to
> connect to LDAP of samba 4 there is an error in the logs, which is:
>
> [2014/03/18 15:34:12.631262,  1]
> ../source4/lib/tls/tls_tstream.c:1338(tstream_tls_retry_handshake)
>    TLS ../source4/lib/tls/tls_tstream.c:1338 - A record packet with
> illegal version was received.
> In this forum:
>
http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
> it says that I should set TLS_REQCERT to never but that is for openLDAP.
> How do I do this in samba 4?
Turns out this was for PHP as well. Adding TLS_REQCERT never to 
/etc/openldap/ldap.conf makes PHP accept self-signed certificates, and 
the error above vanishes.