Since you're using/testing certificates, always use the FQDN of the server.

Don't use: openssl s_client -showcerts -connect dc00:636
Do use:    openssl s_client -showcerts -connect dc00.ad.lasthome.solace.krynn:636

I also wonder, on that W10 VM, why you needed to add these SPNs. If the PC is domain joined, the SPN would be in there already. And only the HOST SPN added, where I also see in the domain-joined PCs:
RestrictedKrbHost/host.fqdn
TERMSRV/host.fqdn

> The request is invalid.. Failed to set default priorities

I suggest reading this: https://passingcuriosity.com/2021/diffie-hellman-short-primes-disable/

Did you set in smb.conf the setting: tls priority
Where this is the smb.conf default: tls priority = NORMAL:-VERS-SSL3.0

There you have examples of how these are set (see also man smb.conf, search: tls priority):
https://gnutls.org/manual/html_node/Priority-Strings.html

And it's up to you to validate what you're using exactly. But most will be using, or attempting to enforce, TLSv1.2 since v1.1 and v1.0 are deprecated.

And one more extra question: is this OS upgraded? If yes, verify the default configs of the system, that these are not still in/using outdated settings.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vincent S. Cojot via samba
> Sent: Sunday 6 June 2021 23:08
> To: sambalist
> Subject: [Samba] TLS problems after 4.12 -> 4.14 update
>
> Hi everyone,
>
> I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just noticed this:
>
> [2021/06/06 16:21:01.074696, 0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
>   _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
>
> I'm now unable to do the following successfully from either RHEL7, RHEL8 or Fedora33:
>
> ----------------------------------------------
> # openssl s_client -showcerts -connect dc00:636
> CONNECTED(00000003)
> 139945429780368:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 289 bytes
> ---
> ----------------------------------------------
>
> It seems similar to what some people have experienced on 4.13 (and this makes sense because I mostly skipped 4.13.x and went from 4.12 to 4.14):
> https://lists.samba.org/archive/samba/2020-December/233594.html
>
> I've been using self-signed certs and a trusted intermediate CA for my AD DCs but I now wonder if I've run into an issue using RHEL7.9 for my DCs.
>
> My certs (on the DC itself) still verify fine:
>
> # openssl verify -CAfile /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
>   -untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
>   /var/lib/samba/private/tls/cert.pem
> /var/lib/samba/private/tls/cert.pem: OK
>
> But it is the connection which doesn't seem to work anymore.. Does anyone have any idea about what's going on? Andrew Bartlett said he wasn't experiencing the issue on RHEL7 on Amazon and I wonder if I could make it work in place on plain RHEL here..
>
> Any ideas, tips, workarounds? I first noticed this when OpenShift started being unable to auth my AD users after the update to 4.14.5 (for the two DCs).
>
> Win10 endpoints don't seem to care too much and I hope it will keep working but I'm a little worried.
>
> Vincent
>
> Vincent S. Cojot, Computer Engineering. STEP project.
> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
> Linux Xview/OpenLook resources page
> http://step.polymtl.ca/~coyote
> coyote at NOSPAM4cojot.name
>
> They cannot scare me with their empty spaces
> Between stars - on stars where no human race is
> I have it in me so much nearer home
> To scare myself with my own desert places. - Robert Frost
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
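The advice above turns on two things: which protocol versions a GnuTLS priority string leaves enabled, and what Samba falls back to when 'tls priority' is not set in smb.conf. The Python below is an added example for this archive page, not code from the thread, from GnuTLS or from the Samba project. It reads the [global] 'tls priority' value out of an smb.conf text (defaulting to NORMAL:-VERS-SSL3.0, the default named above), interprets only the VERS-* keywords of the priority string, and reports which versions remain enabled and which of those are SSL 3.0, TLS 1.0 or TLS 1.1. Cipher, MAC and key-exchange keywords are accepted but not modelled; the assumption that every base keyword other than NONE starts from all five versions approximates older GnuTLS builds (which is why the explicit -VERS-SSL3.0 exists) and is labelled in the code. The two smb.conf fragments are constructed for the example. The "The request is invalid." text in the log is GnuTLS's own error string for GNUTLS_E_INVALID_REQUEST, the code the priority-string parser returns for a string it rejects, so the example raises an exception of that name for a keyword it cannot parse.

```python
"""Evaluate which protocol versions a Samba 'tls priority' string enables.

Added example (not code from the Samba list thread, GnuTLS or Samba).
Only the VERS-* keywords of a GnuTLS priority string are modelled; see
https://gnutls.org/manual/html_node/Priority-Strings.html for the grammar.
"""
import re

ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
WEAK_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}
# Base keyword sets. Assumption: every set except NONE starts from all five
# versions (how older GnuTLS builds behaved). A leading "@NAME" refers to the
# system policy file and is treated the same way here (assumption).
BASE_KEYWORDS = {"NORMAL", "PERFORMANCE", "PFS", "SECURE128", "SECURE192",
                 "SECURE256", "LEGACY", "NONE"}
SMB_CONF_DEFAULT = "NORMAL:-VERS-SSL3.0"   # Samba default quoted in the thread


class InvalidPriority(ValueError):
    """Raised for a string GnuTLS would reject (GNUTLS_E_INVALID_REQUEST,
    printed as 'The request is invalid.' in the samba log above)."""


def _versions_for(name):
    """Map the part after 'VERS-' to the set of (D)TLS versions it names."""
    if name in ("ALL", "TLS-ALL"):      # assumption: both cover all five
        return set(ALL_VERSIONS)
    if name.startswith("DTLS"):         # DTLS versions are not modelled
        return set()
    if name in ALL_VERSIONS:
        return {name}
    raise InvalidPriority(f"unknown protocol keyword VERS-{name}")


def enabled_versions(priority):
    """Return the set of protocol versions the priority string enables."""
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens:
        raise InvalidPriority("empty priority string")
    base = tokens[0]
    if base.startswith("@"):
        base = "NORMAL"                  # system policy: see assumption above
    if base not in BASE_KEYWORDS:
        raise InvalidPriority(f"first keyword must be a base set, got {tokens[0]!r}")
    enabled = set() if base == "NONE" else set(ALL_VERSIONS)
    for tok in tokens[1:]:
        if tok.startswith("%"):          # options such as %SERVER_PRECEDENCE
            continue
        op, key = tok[0], tok[1:]
        if op not in "+-!" or not key:
            raise InvalidPriority(f"malformed keyword {tok!r}")
        if not key.startswith("VERS-"):
            continue                     # cipher/MAC/KX/group keywords: not modelled
        versions = _versions_for(key[len("VERS-"):])
        if op == "+":
            enabled |= versions
        else:                            # '-' and '!' both remove
            enabled -= versions
    return enabled


def is_valid(priority):
    """True if enabled_versions() accepts the string."""
    try:
        enabled_versions(priority)
        return True
    except InvalidPriority:
        return False


def read_tls_priority(smb_conf):
    """Return the [global] 'tls priority' value, or Samba's default."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section == "global":
            m = re.match(r"tls\s+priority\s*=\s*(.+)$", line, re.I)
            if m:
                return m.group(1).strip()
    return SMB_CONF_DEFAULT


def audit(smb_conf):
    """Summarise the effective priority string for an smb.conf text."""
    prio = read_tls_priority(smb_conf)
    enabled = enabled_versions(prio)
    return {"priority": prio,
            "enabled": sorted(enabled),
            "weak": sorted(enabled & WEAK_VERSIONS)}


# Constructed sample configs (not from the thread).
SMB_CONF_NO_PRIORITY = """
[global]
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    # no 'tls priority' line: Samba falls back to NORMAL:-VERS-SSL3.0
"""
SMB_CONF_TLS12_ONLY = """
[global]
    tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
"""

if __name__ == "__main__":
    for name, conf in (("default", SMB_CONF_NO_PRIORITY),
                       ("tls1.2+", SMB_CONF_TLS12_ONLY)):
        print(name, audit(conf))
```

Running it shows that the Samba default still leaves TLS 1.0 and TLS 1.1 enabled, and that the second fragment is the kind of string to set if TLS 1.2 and newer is the intent; a string with a misspelled VERS- keyword is reported as invalid rather than silently ignored.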
vincent at cojot.name
2021-Jun-07 12:23 UTC
[Samba] TLS problems after 4.12 -> 4.14 update
Hi Louis,

The SPNs were a different problem: I needed to add the floating hostnames for the VIPs between the cluster nodes (the clustered fileservers) and I now realize that I need to read up on ctdb.

As for the TLS thing, nope, I didn't have 'tls priority' set at all. Like I said, I upgraded the two RHEL7.9 DCs (two small VMs, fully updated) from 4.12.15 to 4.14.5 with custom-built rpms of samba.

I noticed last night that TranquilIT had been producing rpms of samba 4.13 and 4.14 for CentOS 8 (similar to RHEL8) only and no longer for CentOS 7 (similar to RHEL7). Perhaps there might be something related to the version of gnutls + compat-gnutls in el7.9 which no longer works on 4.13+. Since they (TranquilIT) are supporting samba DCs in the field, they probably have a lot more data than myself (I'm only doing this for a household of 5).

Thanks for the tip about using the FQDN, I hadn't thought of that as I had never needed to do that to obtain the cert.

I'm going to be upgrading my build chains for 4.14.x to RHEL8 and I've downgraded to 4.12.x while I research this issue.

Thanks for reaching out,

Vincent S. Cojot

On Mon, 7 Jun 2021, L.P.H. van Belle via samba wrote:

> [...]
Yes, there is something going on on RH/CentOS latest version. But I'm only into Debian and related. RH/CentOS is not really my cookie..

> (similar to RHEL7). Perhaps there might be something related to the
> version of gnutls + compat-gnutls in el7.9 which no longer
> works on 4.13+.

This yes.. I can give you 1 solution, move to the Debian camp ;-)

Greetz,

Louis

> -----Original message-----
> From: vincent at cojot.name [mailto:vincent at cojot.name]
> Sent: Monday 7 June 2021 14:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] TLS problems after 4.12 -> 4.14 update
>
> [...]