Hi list,

since this week my clients keep getting rejected when performing an LDAP query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.

This is the log on server side (log level 5) of such a failed attempt:

ldb_wrap open of secrets.ldb
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'

Client says this:

me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
ldap_url_parse_ext(ldaps://dc1.fq.dn)
ldap_create
ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.fq.dn:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip.dc1>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
<dump of hello packet>
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0

TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

The relevant portion of my DCs' smb.conf looks as follows:

[global]
netbios name = DC1
realm = FQ.DN
server role = active directory domain controller
server services = -dns
workgroup = ICINTERN
dns forwarder = my.provider.dns
smb ports = 445

ntlm auth = mschapv2-and-ntlmv2-only

tls enabled = yes
tls keyfile = tls/dc1.key
tls certfile = tls/dc2020.pem
tls cafile = tls/myca.pem

Any ideas what might be behind this?
Thanks a lot in advance.

Best regards
Johannes
On Mon, 2020-12-14 at 10:18 +0100, Johannes Engel via samba wrote:
> Any ideas what might be behind this?
> Thanks a lot in advance.
>
> Best regards

I got "Failed to set default priorities" on RHEL 7 when testing updated backported GnuTLS packages. I never got to the bottom of it, but didn't get it on Amazon Linux 2 so suspect it is due to the system-wide gnutls configuration on your host OS.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
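A small diagnostic helper for the situation above, added here as an example and not code from the Samba project or from anyone in this thread. It reads the TLS settings from smb.conf (falling back to Samba's documented defaults, so the effective `tls priority` string is visible even when it is not set), asks the host's GnuTLS whether it accepts that priority string at all (Samba applies it to every incoming LDAPS session, and a string the host's GnuTLS or its system-wide policy rejects is the first thing to rule out), and finally tries a raw TLS handshake on port 636 independent of ldapsearch. It assumes `gnutls-cli` (gnutls-utils) and `openssl` are installed; the host name and CA file are whatever you pass in.

```shell
#!/bin/sh
# Constructed diagnostic for the "Failed to set default priorities" LDAPS
# failure; not part of Samba. Requires gnutls-cli and openssl.

# Print one TLS-related smb.conf setting, or Samba's documented default
# when the key is absent ("tls enabled" defaults to yes, "tls priority"
# to NORMAL:-VERS-SSL3.0). $1 = smb.conf path, $2 = key name.
samba_tls_setting() {
    conf="$1"; key="$2"
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
        return 0
    fi
    case "$key" in
        "tls enabled")  printf 'yes\n' ;;
        "tls priority") printf 'NORMAL:-VERS-SSL3.0\n' ;;
        *)              printf '\n' ;;
    esac
}

# Return 0 if the host's GnuTLS accepts the priority string. If this fails,
# the host's GnuTLS build or its system-wide policy (e.g. crypto-policies on
# RHEL) is rejecting the string Samba hands to every session. $1 = string.
check_priority_string() {
    gnutls-cli --list --priority "$1" >/dev/null 2>&1
}

# Return 0 if a TLS handshake against the LDAPS port completes and the
# server certificate verifies against the CA file. $1 = host, $2 = CA file.
check_ldaps_handshake() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}

# Example usage (uncomment and adjust paths):
# conf=/etc/samba/smb.conf
# prio=$(samba_tls_setting "$conf" "tls priority")
# echo "effective tls priority: $prio"
# check_priority_string "$prio" || echo "host GnuTLS rejects '$prio'"
# check_ldaps_handshake dc1.fq.dn "$(samba_tls_setting "$conf" "tls cafile")" \
#     || echo "LDAPS handshake to dc1.fq.dn failed"
```

If the priority check passes but the handshake still fails with the server-side log shown above, the remaining suspects are the certificate and key files named in smb.conf and the GnuTLS library version Samba is actually linked against (ldd against the samba binary shows which one).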
On 14/12/2020 09:18, Johannes Engel via samba wrote:
> Hi list,
>
> since this week my clients keep getting rejected when performing an LDAP
> query via LDAPS (port 636) using one of my two DCs running samba 4.13.2.
>
> This is the log on server side (log level 5) of such a failed attempt:
> ldb_wrap open of secrets.ldb
> _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> The request is invalid.. Failed to set default priorities
> stream_terminate_connection: Terminating connection -
> 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
>
> Client says this:
> me at client:~> ldapsearch -H ldaps://dc1.fq.dn -d3
> ldap_url_parse_ext(ldaps://dc1.fq.dn)
> ldap_create
> ldap_url_parse_ext(ldaps://dc1.fq.dn:636/??base)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP dc1.fq.dn:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying <ip.dc1>:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before SSL initialization
> tls_write: want=293, written=293
> <dump of hello packet>
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> tls_read: want=5, got=0
>
> TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> TLS: can't connect: .
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> The relevant portion of my DCs' smb.conf looks as follows:
> [global]
> netbios name = DC1
> realm = FQ.DN
> server role = active directory domain controller
> server services = -dns
> workgroup = ICINTERN
> dns forwarder = my.provider.dns
> smb ports = 445
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> tls enabled = yes
> tls keyfile = tls/dc1.key
> tls certfile = tls/dc2020.pem
> tls cafile = tls/myca.pem
>
> Any ideas what might be behind this?
> Thanks a lot in advance.
>
> Best regards
> Johannes

Try the search without the 's' i.e.

ldapsearch -H ldap://dc1.fq.dn -d3

Rowland