Roberto Iandolo
2025-Sep-12 15:45 UTC
[Samba] macOS Sequoia join to Samba 4 AD fails over LDAPS (GSSAPI error 49/35b)
Hi all,

I'm having issues joining macOS Sequoia to a Samba 4 AD domain.

Setup:
- Samba 4 AD DC on Debian 13 (hostname: dc1.example.lan).
- Internal CA, TLS certificates installed, CA trusted on macOS.
- SPNs registered on the DC account (HOST/…, CIFS/…, LDAP/…).
- /etc/krb5.keytab contains AES256/AES128 entries.
- Kerberos works (kinit user@example.lan → TGT OK).
- Time sync and DNS are correct.
- Server cert includes SAN + EKU (TLS Web Server Authentication).

Symptoms:
- macOS dsconfigad join fails with error 5103.
- From the macOS terminal:
  ldapsearch -H ldap://dc1.example.lan -Y GSSAPI -N -b "DC=example,DC=lan" -s base namingContexts
  → works (result: 0 Success).
- But with:
  ldapsearch -H ldaps://dc1.example.lan -Y GSSAPI -N -b "DC=example,DC=lan" -s base namingContexts
  → fails with:
  ldap_sasl_interactive_bind_s: Invalid credentials (49)
  additional info: AcceptSecurityContext error, data 35b

Interpretation: It looks like a TLS channel binding (CBT) issue: macOS enforces CBT on LDAPS+GSSAPI, but Samba AD rejects it. Plain LDAP with Kerberos (389) works fine and is already encrypted by Kerberos.

Questions:
1. Is this a known limitation of Samba (no CBT support on LDAPS+GSSAPI)?
2. Is it safe to join macOS using LDAP+Kerberos over 389 (without TLS) and rely on Kerberos encryption?
3. Or is there a workaround/patch to make LDAPS+GSSAPI work with macOS Sequoia?

Thanks in advance!
Roberto
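Added example, not part of the post above and not Samba or macOS code: what a client that enforces channel binding on LDAPS+GSSAPI actually puts into the GSS channel bindings, per the RFC 5929 tls-server-end-point rule. The token is a hash of the server's DER-encoded certificate, where the hash is chosen from the certificate's signature algorithm (MD5 and SHA-1 signatures map to SHA-256, otherwise the signature's own hash). The DER walker, the OID table and the certificate-shaped byte strings built by make_fake_cert() are constructed here for illustration; the fake certificates are not real X.509 certificates, only enough structure for the walker to find the AlgorithmIdentifier.

```python
"""RFC 5929 tls-server-end-point channel binding token, computed from a
server certificate.  Added example; assumptions are marked in comments."""
import hashlib

# signatureAlgorithm OID -> hash for the CBT (RFC 5929 section 4.1:
# MD5/SHA-1-based signatures map to SHA-256, others use their own hash).
_SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1       -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Walk the outer SEQUENCE and return the signatureAlgorithm OID."""
    tag, body, _ = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _der_tlv(body, 0)          # skip tbsCertificate
    tag, sigalg, _ = _der_tlv(body, after_tbs)   # AlgorithmIdentifier
    tag, oid, _ = _der_tlv(sigalg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def tls_server_end_point(cert_der):
    """The tls-server-end-point channel binding: hash of the whole DER cert."""
    hash_name = _SIG_OID_TO_HASH[signature_algorithm_oid(cert_der)]
    return hashlib.new(hash_name, cert_der).digest()


def gss_channel_binding_data(cert_der):
    """application_data of the GSS channel bindings as the client sends it
    (RFC 5056 prefix syntax: type name, ':', then the binding bytes)."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)


# --- constructed test data (not a real certificate) -------------------------

def _der(tag, content):
    """Encode one DER TLV with short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def make_fake_cert(sig_oid, tbs=b"\x02\x01\x01"):
    """Constructed, certificate-shaped DER (NOT a real X.509 cert): an outer
    SEQUENCE holding a placeholder tbsCertificate, a real AlgorithmIdentifier
    for sig_oid, and a dummy BIT STRING signature."""
    return _der(0x30,
                _der(0x30, tbs)
                + _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
                + _der(0x03, b"\x00\xab\xcd\xef"))


if __name__ == "__main__":
    cert = make_fake_cert("1.2.840.113549.1.1.11")
    print(signature_algorithm_oid(cert), gss_channel_binding_data(cert).hex())
```

To run this against a real DC, fetch the certificate the server actually presents on 636 and pass its DER to gss_channel_binding_data(), for example `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate(("dc1.example.lan", 636)))` from the standard library. The value is what a channel-binding-enforcing client commits to in its Kerberos authenticator; a server that verifies channel bindings recomputes it from the certificate it served and rejects the bind on mismatch. On a client whose ldapsearch is OpenLDAP 2.5 or newer, the `-o SASL_CBINDING=none` / `-o SASL_CBINDING=tls-endpoint` option controls whether this token is sent at all, which is a quick way to isolate a channel-binding hypothesis from other TLS or Kerberos causes (whether the macOS-shipped ldapsearch honours that option is an assumption to check, not a fact of the post).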