Hello All,
We have an interesting issue.
When the application connects to the PDC on port 389 (without SSL) everything
works fine.
When we try to use SSL on port 636 we have an issue.
ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass
output: ldap_result: Can't contact LDAP server (-1)

ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass -Z
output: ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b "DC=dc,DC=local" -w pass -ZZ
output: ldap_start_tls: Can't contact LDAP server (-1)
openssl s_client -connect PDC:636
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST
certificate/CN=PDC.dc.local
i:/O=Samba Administration/OU=Samba - temporary autogenerated CA
certificate/CN=PDC.dc.local
---
Server certificate
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
subject=/O=Samba Administration/OU=Samba - temporary autogenerated HOST
certificate/CN=PDC.dc.local
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated CA
certificate/CN=PDC.dc.local
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated CA
certificate/CN=PDC.dc.local
---
SSL handshake has read 2454 bytes and written 523 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2XXX9
Session-ID-ctx:
Master-Key: FXXX4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497693590
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
...
[global]
...
ldap ssl = start tls
ldap ssl ads = No
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile
tls dh params file
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = ca_and_name
Version: samba 4.6.5
Best regards,
Supporter 3eb
On Sat, 17 Jun 2017 12:03:17 +0200 Supporter via samba <samba at lists.samba.org> wrote:
> Hello All,
>
> We have an interesting issue.
>
> When the application connects to the PDC on port 389 (without SSL) everything
> works fine.
> When we try to use SSL on port 636 we have an issue.
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass
> output: ldap_result: Can't contact LDAP server (-1)
>
> [global]
> ...
> ldap ssl = start tls
> ldap ssl ads = No
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile
> tls dh params file
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = ca_and_name
>
> Version: samba 4.6.5
>

You only need this in smb.conf:

tls cafile =
tls certfile = tls/cert.pem
tls enabled = Yes
tls keyfile = tls/key.pem

Along with:

ldap server require strong auth = allow_sasl_over_tls

/etc/ldap/ldap.conf should contain this:

HOST pdc.dc.local
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

If you then run this:

ldapsearch -D "cn=user,ou=users,dc=dc,dc=local" -b "DC=dc,DC=local" -H ldaps://pdc.dc.local -w pass

it should get you the users & groups. Note that you use 'ldaps' instead of the port '636'.

This always supposes that your user 'user' is in the OU 'users' instead of the CN 'users'.

Rowland
On 13:10:56 wrote Supporter via samba:
> Hello All,
>
> We have an interesting issue.
>
> When the application connects to the PDC on port 389 (without SSL) everything
> works fine.
> When we try to use SSL on port 636 we have an issue.
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass
> output: ldap_result: Can't contact LDAP server (-1)
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass -Z
> output: ldap_start_tls: Can't contact LDAP server (-1)
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass -ZZ
> output: ldap_start_tls: Can't contact LDAP server (-1)

All these ldapsearch commands are wrong. Instead of "-h PDC -p 636" use "-H ldaps://PDC/".

As your ldapsearch logs "output: ldap_start_tls:", you are trying an unencrypted connection on an encrypted server port (636). This must fail.

> openssl s_client -connect PDC:636
>
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST
> certificate/CN=PDC.dc.local
> i:/O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> XXX
> -----END CERTIFICATE-----
> subject=/O=Samba Administration/OU=Samba - temporary autogenerated
> HOST certificate/CN=PDC.dc.local
> issuer=/O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> Acceptable client certificate CA names
> /O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> SSL handshake has read 2454 bytes and written 523 bytes

Here you see that s_client successfully tries an "SSL handshake" *and not* a "TLS handshake" as you have tried with the ldapsearch command.

> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 2XXX9
> Session-ID-ctx:
> Master-Key: FXXX4
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1497693590
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ...
>
> [global]
> ...
> ldap ssl = start tls
> ldap ssl ads = No
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile
> tls dh params file
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = ca_and_name
>
> Version: samba 4.6.5
>
> Best regards,
> Supporter 3eb

--
Regards
Harry Jede
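Both replies make the same point: an ldaps:// listener on 636 expects a TLS handshake as the very first bytes, whereas `-h PDC -p 636` (with or without `-Z`) sends a plaintext LDAP message there. The following script is an added illustration and is not code from this thread or from Samba or OpenLDAP. It builds, byte for byte, the first message each ldapsearch variant would send (a simple BindRequest, a StartTLS ExtendedRequest, and a truncated TLS ClientHello record) and classifies them the way a listener would. The BER layout and the StartTLS OID 1.3.6.1.4.1.1466.20037 follow RFC 4511; the TLS record header follows RFC 5246. The `expected_outcome` mapping of classifications to the behaviour seen in the thread is an assumption made for illustration, and all inputs are constructed.

```python
"""Why plaintext LDAP or StartTLS on port 636 fails while ldaps:// works.

Added example (not from the Samba list thread). Port 636 speaks TLS from the
first byte; `ldapsearch -p 636 -h PDC` talks plain LDAP, and `-Z`/`-ZZ` first
sends a StartTLS ExtendedRequest in the clear. Neither is a TLS record, so an
ldaps:// listener cannot parse it. Constructed inputs only; nothing is sent.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)  # single-byte id


def starttls_request(msg_id: int = 1) -> bytes:
    """What `ldapsearch -Z` sends first: ExtendedRequest [APPLICATION 23] (0x77)
    whose requestName [0] (0x80) carries the StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def simple_bind_request(dn: bytes, password: bytes, msg_id: int = 1) -> bytes:
    """What `ldapsearch -x` without -Z sends first: BindRequest [APPLICATION 0]
    (0x60) { version 3, name OCTET STRING, simple [0] OCTET STRING }."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return ldap_message(msg_id, tlv(0x60, body))


def tls_client_hello_prefix() -> bytes:
    """First bytes of what `-H ldaps://` sends: a TLS record (type 0x16 =
    handshake, legacy version 0x0301) carrying a ClientHello (type 0x01).
    Constructed and truncated; only the header matters for classification."""
    return bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def ldap_protocol_op(data: bytes):
    """Return (op_tag, op_value) if data starts with an LDAPMessage, else None."""
    try:
        tag, seq, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        id_tag, _, pos = _read_tlv(seq, 0)
        if id_tag != 0x02:
            return None
        op_tag, op_val, _ = _read_tlv(seq, pos)
        return op_tag, op_val
    except IndexError:
        return None


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a fresh TCP connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # the only thing an ldaps:// listener accepts
    op = ldap_protocol_op(data)
    if op is None:
        return "unknown"
    op_tag, op_val = op
    if op_tag == 0x77:
        name_tag, name, _ = _read_tlv(op_val, 0)
        if name_tag == 0x80 and name == STARTTLS_OID:
            return "ldap-starttls"  # plaintext LDAP asking to upgrade
    return "ldap-plaintext"


def expected_outcome(listener: str, first_bytes: bytes) -> str:
    """Assumed mapping to the behaviour in the thread. listener is 'ldaps'
    (port 636, TLS from byte one) or 'ldap' (port 389, plaintext LDAP)."""
    kind = classify_first_bytes(first_bytes)
    if listener == "ldaps":
        # Non-TLS bytes cannot start a handshake; ldapsearch then reports
        # "Can't contact LDAP server (-1)", as in the thread.
        return "handshake proceeds" if kind == "tls-handshake" else "rejected"
    if kind == "tls-handshake":
        return "rejected"  # a TLS record is not a BER LDAPMessage
    return "upgrade to TLS" if kind == "ldap-starttls" else "plaintext session"
```

Run it against the three constructed messages and the classifications line up with the thread: the BindRequest and the StartTLS request are both "rejected" by the ldaps listener, while the same StartTLS request on a 389 listener is the case that would upgrade to TLS. That is the whole difference between `-p 636 -Z` and `-H ldaps://pdc.dc.local`.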