vincent at cojot.name
2021-Jun-06 21:07 UTC
[Samba] TLS problems after 4.12 -> 4.14 update
Hi everyone,

I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just noticed this:

[2021/06/06 16:21:01.074696, 0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
  _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities

I'm now unable to do the following successfully from either RHEL7, RHEL8 or Fedora33:

----------------------------------------------
# openssl s_client -showcerts -connect dc00:636
CONNECTED(00000003)
139945429780368:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
----------------------------------------------

It seems similar to what some people have experienced on 4.13 (and this makes sense because I mostly skipped 4.13.z and went from 4.12 to 4.14):
https://lists.samba.org/archive/samba/2020-December/233594.html

I've been using self-signed certs and a trusted intermediate CA for my AD DCs, but I now wonder if I've run into an issue using RHEL7.9 for my DCs.

My certs (on the DC itself) still verify fine:

# openssl verify -CAfile /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
    -untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
    /var/lib/samba/private/tls/cert.pem
/var/lib/samba/private/tls/cert.pem: OK

But it is the connection which doesn't seem to work anymore. Does anyone have any idea about what's going on? Andrew Bartlett said he wasn't experiencing the issue on RHEL7 on Amazon, and I wonder if I could make it work in place on plain RHEL here.

Any ideas, tips, workarounds? I first noticed this when OpenShift started being unable to auth my AD users after the update to 4.14.5 (for the two DCs).

Win10 endpoints don't seem to care too much and I hope it will keep working, but I'm a little worried.
Vincent

Vincent S. Cojot, Computer Engineering. STEP project.
Ecole Polytechnique de Montreal, Comite Micro-Informatique.
Linux Xview/OpenLook resources page: http://step.polymtl.ca/~coyote
coyote at NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places. - Robert Frost
Since you're using/testing certificates, always use the FQDN of the server.

Don't use:
openssl s_client -showcerts -connect dc00:636
Do use:
openssl s_client -showcerts -connect dc00.ad.lasthome.solace.krynn:636

I also wonder, on that W10 VM, why you needed to add these SPNs. If the PC is domain joined, the SPNs would be in there already, and only the HOST SPN added, where I also see in the domain joined PCs:
RestrictedKrbHost/host.fqdn
TERMSRV/host.fqdn

"The request is invalid.. Failed to set default priorities"

I suggest reading this: https://passingcuriosity.com/2021/diffie-hellman-short-primes-disable/

Did you set in smb.conf the setting:
tls priority
where this is the smb.conf default:
tls priority = NORMAL:-VERS-SSL3.0

There you have examples of how these are set (see also man smb.conf, search: tls priority):
https://gnutls.org/manual/html_node/Priority-Strings.html

And it's up to you to validate what you're using exactly. But most will be using, or attempting to enforce, TLSv1.2 since v1.1 and v1.0 are deprecated.

And one more extra question: is this OS upgraded? If yes, verify the default configs of the system, that these are not still in/using outdated settings.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vincent S. Cojot via samba
> Sent: Sunday, 6 June 2021 23:08
> To: sambalist
> Subject: [Samba] TLS problems after 4.12 -> 4.14 update
>
> Hi everyone,
>
> I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just noticed this:
>
> [2021/06/06 16:21:01.074696, 0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
>   _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid..
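Louis's advice comes down to three checks: what "tls priority" the DC is actually running with, whether the DC's GnuTLS accepts that string, and a handshake against the DC's FQDN rather than the short name. The POSIX shell helpers below are an added example written for this thread, not code from the list or from Samba; they assume openssl on the client, gnutls-cli for the priority check, "tls priority" spelled in lowercase in smb.conf, and the DC name and CA path in the usage comment are placeholders.

```shell
#!/bin/sh
# Diagnostic helpers for the LDAPS handshake failure in this thread.
# Added example, not Samba code. Assumes: openssl on the client, gnutls-cli
# for priority_accepted, and "tls priority" written in lowercase in smb.conf.

# effective_tls_priority SMB_CONF
# Print the configured "tls priority", or the documented Samba default when
# the parameter is absent. The last definition in the file wins.
effective_tls_priority() {
    prio=$(sed -n 's/^[[:space:]]*tls[[:space:]]*priority[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$prio" ]; then
        printf '%s\n' "$prio"
    else
        printf 'NORMAL:-VERS-SSL3.0\n'
    fi
}

# priority_accepted PRIORITY_STRING
# Exit 0 if the installed GnuTLS accepts the string, non-zero otherwise.
# Samba logs "Failed to set default priorities" when GnuTLS rejects the
# string it was handed, so run this on the DC with the DC's own GnuTLS.
priority_accepted() {
    gnutls-cli --priority "$1" --list >/dev/null 2>&1
}

# probe_ldaps FQDN PORT CA_FILE [OPENSSL_VERSION_FLAG]
# One openssl s_client handshake against the FQDN, verified with the DC's CA
# chain. Prints the negotiated protocol and verify result, or a failure note
# when no session was established (no "Protocol" line in the output).
probe_ldaps() {
    # $4 is deliberately unquoted: empty means "let openssl pick a version".
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
              -CAfile "$3" $4 2>&1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    if [ -z "$proto" ]; then
        echo "${4:-default}: handshake failed"
        return 1
    fi
    echo "${4:-default}: $proto, verify: $verify"
}

# Usage (dc00.example.test and ca-chain.pem are placeholders):
#   prio=$(effective_tls_priority /etc/samba/smb.conf)
#   priority_accepted "$prio" || echo "GnuTLS rejects: $prio"
#   for f in "" -tls1_2 -tls1_1 -tls1; do
#       probe_ldaps dc00.example.test 636 /path/to/ca-chain.pem "$f"
#   done
```

A string that passes priority_accepted on the client but fails on the DC points at the DC's older GnuTLS, which is the RHEL7 angle raised in the thread.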