Yesterday I set up the pfSense OpenVPN server to auth against the Samba AD; worked great already ...

Now, without a change, I get errors and wonder why.

I used the IP as "host" and TCP-STARTTLS to port 389.

log.samba shows:

[2019/09/18 18:38:22.123976, 1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2019/09/18 18:38:22.124027, 1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
  ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERROR
stream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'

hmmm

Unencrypted doesn't work at all ... right?

As it worked already yesterday, I assume it does not have to do with some certificate issues? AD-CA or so?

We authed with specific bind credentials etc. ... and I wonder what to look for.

Samba version 4.9.13-Debian, btw

thanks
More than likely, certificate issues.

If you use the IP in pfSense, then the Samba certificate needs to have the IP as the CN.

Kris Lou
klou at themusiclink.net

On Wed, Sep 18, 2019 at 9:42 AM Stefan G. Weichinger via samba <samba at lists.samba.org> wrote:

> Yesterday I set up the pfSense OpenVPN server to auth against the Samba AD; worked great already ...
>
> Now, without a change, I get errors and wonder why.
>
> I used the IP as "host" and TCP-STARTTLS to port 389.
>
> log.samba shows:
>
> [2019/09/18 18:38:22.123976, 1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
>   TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
> [2019/09/18 18:38:22.124027, 1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
>   ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERROR
> stream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'
>
> hmmm
>
> Unencrypted doesn't work at all ... right?
>
> As it worked already yesterday, I assume it does not have to do with some certificate issues? AD-CA or so?
>
> We authed with specific bind credentials etc. ... and I wonder what to look for.
>
> Samba version 4.9.13-Debian, btw
>
> thanks
On 18.09.19 at 19:16, Kris Lou via samba wrote:

> More than likely, certificate issues.
>
> If you use the IP in pfSense, then the Samba certificate needs to have the IP as the CN.

So you suggest contacting the DC via hostname ... I googled this query command:

# openssl s_client -connect adc1:636

tells me ...

CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = ADC1.arbeitsgruppe.mydomain.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = ADC1.arbeitsgruppe.mydomain.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=ADC1.arbeitsgruppe.mydomain.at
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=ADC1.arbeitsgruppe.mydomain.at

So I would have to use "adc1.arbeitsgruppe.mydomain.at"?

But why did that work yesterday ... ?

Aside from this thread I also posted at the Netgate forum: https://forum.netgate.com/topic/146634/openvpn-auth-via-samba4-ads-ldap

thanks
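The thread's diagnosis is that the client reaches the DC by IP while the Samba autogenerated certificate only names the FQDN in its CN (and the issuing "temporary autogenerated CA" is not in the client's trust store). The script below is an added example, not code from the thread or from Samba/pfSense: it reproduces the LDAP StartTLS handshake a client performs and checks a certificate against the name the client used, the way an RFC 6125 verifier does. The sample certificate dict and the 192.0.2.10 address are constructed; the CN is the one from the openssl output above.

```python
"""Does the name a client uses for an LDAP server match its certificate?"""
import ipaddress
import socket
import ssl

# LDAP StartTLS ExtendedRequest (RFC 4511): messageID 1, tag 0x77,
# requestName OID 1.3.6.1.4.1.1466.20037.  Lengths: 22-byte OID, 24-byte
# ExtendedRequest body, 29-byte outer SEQUENCE body.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
STARTTLS_REQUEST = bytes([0x30, 0x1D, 0x02, 0x01, 0x01, 0x77, 0x18, 0x80,
                          len(STARTTLS_OID)]) + STARTTLS_OID

# Shape of ssl.SSLSocket.getpeercert(): the Samba autogenerated host cert
# from the thread has a CN but no subjectAltName (constructed sample).
SAMBA_AUTOGEN_CERT = {
    "subject": ((("organizationName", "Samba Administration"),),
                (("organizationalUnitName",
                  "Samba - temporary autogenerated HOST certificate"),),
                (("commonName", "ADC1.arbeitsgruppe.mydomain.at"),)),
}

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; one leftmost wildcard label allowed."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and p[2:] == h.split(".", 1)[1]
    return p == h

def cert_matches_host(cert: dict, host: str) -> bool:
    """RFC 6125 rule: if a SAN is present only SAN entries count, otherwise
    fall back to the subject CN.  An IP literal matches only an IP SAN, so a
    CN-only cert can never satisfy a client that connects by IP address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        if ip is not None:
            return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                       for k, v in san)
        return any(k == "DNS" and _dns_match(v, host) for k, v in san)
    if ip is not None:
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)

def probe_starttls(host: str, port: int = 389, cafile=None) -> dict:
    """Plain LDAP connect, StartTLS, then the TLS handshake as pfSense does it.
    Returns the peer cert; a name/CA mismatch raises SSLCertVerificationError,
    which is the client-side twin of the server's 'TLS fatal alert' log line."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: Samba CA PEM
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(STARTTLS_REQUEST)
        reply = sock.recv(1024)  # ExtendedResponse; resultCode ENUM 0 = success
        if b"\x0a\x01\x00" not in reply:
            raise RuntimeError(f"StartTLS refused: {reply!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `probe_starttls("192.0.2.10", cafile="samba-ca.pem")` versus `probe_starttls("adc1.arbeitsgruppe.mydomain.at", cafile="samba-ca.pem")` to see the IP form fail name verification while the FQDN form succeeds once the autogenerated CA is trusted.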