Nicolas Martinussen
2025-Oct-23 12:37 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Hello,
I have an issue with the way FortiEMS authenticates (which Fortinet won't
revert).
Before, it was using 'sasl' authentication at the bind request, but now
it's using 'NTLMSSP_NEGOTIATE' and it seems my Samba AD doesn't
like it and returns an 'LDAP_PROTOCOL_ERROR'.
Is it an expected outcome, or should NTLMSSP_NEGOTIATE work?
Here are the error logs (in debug):
[2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)]
../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
messaging_dgm_ref: messaging_dgm_get_unique returned Success
[2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)]
../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
messaging_dgm_ref: unique = 7718602353702169936
[2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)]
../../libcli/security/security_token.c:113(security_token_debug)
Security token SIDs (1):
SID[ 0]: S-1-5-7
Privileges (0x 0):
Rights (0x 0):
[2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
Initialising global parameters
[2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:331(max_open_files)
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0),
class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)]
../../source4/dsdb/common/util.c:5785(dsdb_search)
dsdb_search: SUB flags=0x00000200 cn=Primary Domains
(&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1
[2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'LDAP_PROTOCOL_ERROR'
[2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)]
../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
msg_dgm_ref_destructor: refs=0x56413ff8f860
[2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)]
../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
sigterm_signal_handler: Exiting pid 190027 on SIGTERM
[2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)]
../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
msg_dgm_ref_destructor: refs=(nil)
Here is my config:
[global]
netbios name = DC-01
realm = AD.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
ad dc functional level = 2016
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes
interfaces = lo 192.168.102.66/22
# WINS
wins support = yes
dns proxy = yes
# WINS
# TLS
tls enabled = yes
tls keyfile = tls/dc-01.2023.key
tls certfile = tls/dc-01.2023.crt
tls cafile = tls/CA/MYDOMAIN.2023.crt
# TLS
ntlm auth = ntlmv1-permitted
lanman auth = yes
client lanman auth = yes
server min protocol = NT1
client min protocol = NT1
Here is a packet capture: https://limewire.com/d/aMDII#izxwDwbIzX
Thank you in advance,
Nicolas Martinussen
Rowland Penny
2025-Oct-23 14:05 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Thu, 23 Oct 2025 12:37:22 +0000 Nicolas Martinussen via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I have an issue with the way FortiEMS authenticate (which Fortinet
> won't revert back). Before, it was using 'sasl' authentication at the
> bind request but now, it's using 'NTLMSSP_NEGOTIATE' and it seems my
> Samba AD doesn't like it and return an 'LDAP_PROTOCOL_ERROR'.
>
> Is it an expected outcome or should NTLMSSP_NEGOTIATE work ?

Yes it should, it is the first stage in the protocol negotiation.

> Here are the error logs (in debug) :
> [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
> messaging_dgm_ref: messaging_dgm_get_unique returned Success
> [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
> messaging_dgm_ref: unique = 7718602353702169936
> [2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../libcli/security/security_token.c:113(security_token_debug)
> Security token SIDs (1):
> SID[ 0]: S-1-5-7
> Privileges (0x 0):
> Rights (0x 0):
> [2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)]
> ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
> Initialising global parameters
> [2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)]
> ../../source3/param/loadparm.c:331(max_open_files)
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> [2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb]
> ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../source4/dsdb/common/util.c:5785(dsdb_search)
> dsdb_search: SUB flags=0x00000200 cn=Primary Domains
> (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1

This appears to be searching in 'secrets.ldb' and failing, any idea what the search command is?

> [2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)]
> ../../source4/samba/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection -
> 'LDAP_PROTOCOL_ERROR'
> [2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> msg_dgm_ref_destructor: refs=0x56413ff8f860
> [2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)]
> ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
> sigterm_signal_handler: Exiting pid 190027 on SIGTERM
> [2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)]
> ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
> msg_dgm_ref_destructor: refs=(nil)
>
> Here is my config :
> [global]
> netbios name = DC-01
> realm = AD.MYDOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> ad dc functional level = 2016
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> bind interfaces only = yes
> interfaces = lo 192.168.102.66/22
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS

Why 'WINS'? Your clients should be using DNS, not NetBIOS.

> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/MYDOMAIN.2023.crt
> # TLS
>
> ntlm auth = ntlmv1-permitted
> lanman auth = yes
> client lanman auth = yes
> server min protocol = NT1
> client min protocol = NT1

Why are you using SMBv1?

> Here are a packet capture : https://limewire.com/d/aMDII#izxwDwbIzX
>
> Thank you in advance,
> Nicolas Martinussen
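The reply singles out the NTLMv1, LanMan and SMBv1 lines in the posted smb.conf. The following is an added example, written for this page and not code from the thread, from Samba or from Fortinet: it parses the posted [global] section (reproduced inline as constructed sample text), flags each parameter that re-enables a legacy authentication or dialect, and produces a hardened copy. The policy table is an assumption made for the example; the replacement values it proposes (`ntlmv2-only`, `no`, `SMB2_02`) are Samba's documented defaults for those parameters, so removing the lines altogether has the same effect. The continuation handling exists only because the `server services` value is wrapped across two lines as posted. It does not touch the LDAP_PROTOCOL_ERROR question itself.

```python
"""Audit a Samba smb.conf [global] section for legacy auth/dialect settings.

Added example for this thread; the sample text and the policy table below are
constructed, the recommended values are Samba's own parameter defaults.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the [global] section posted in the thread, as text.
SAMPLE_SMB_CONF = """\
[global]
netbios name = DC-01
realm = AD.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
    winbindd, ntp_signd, kcc, dnsupdate
ad dc functional level = 2016
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes
interfaces = lo 192.168.102.66/22
# WINS
wins support = yes
dns proxy = yes
# TLS
tls enabled = yes
tls keyfile = tls/dc-01.2023.key
tls certfile = tls/dc-01.2023.crt
tls cafile = tls/CA/MYDOMAIN.2023.crt
ntlm auth = ntlmv1-permitted
lanman auth = yes
client lanman auth = yes
server min protocol = NT1
client min protocol = NT1
"""

# Assumed policy (not from the thread): parameter -> (values to flag, replacement).
# The replacement is the Samba default, so deleting the line is equivalent.
SMB1_DIALECTS: Set[str] = {"nt1", "core", "coreplus", "lanman1", "lanman2"}
LEGACY_POLICY: Dict[str, Tuple[Set[str], str]] = {
    "ntlm auth": ({"ntlmv1-permitted", "yes", "true"}, "ntlmv2-only"),
    "lanman auth": ({"yes", "true", "1"}, "no"),
    "client lanman auth": ({"yes", "true", "1"}, "no"),
    "server min protocol": (SMB1_DIALECTS, "SMB2_02"),
    "client min protocol": (SMB1_DIALECTS, "SMB2_02"),
}


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters as a dict keyed by lower-cased name.

    Comment lines (# or ;) are skipped. A non-empty line without '=' is
    appended to the previous value, which is how the wrapped
    'server services' line in the thread has to be read.
    """
    params: Dict[str, str] = {}
    section = None
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            last_key = None
            continue
        if section != "global":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            last_key = key.strip().lower()
            params[last_key] = value.strip()
        elif last_key is not None:
            params[last_key] += " " + line
    return params


def audit(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, current value, recommended value) per legacy setting found."""
    findings: List[Tuple[str, str, str]] = []
    for key, (flagged_values, replacement) in LEGACY_POLICY.items():
        current = params.get(key)
        if current is not None and current.strip().lower() in flagged_values:
            findings.append((key, current, replacement))
    return findings


def harden(params: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of params with every flagged parameter set to its replacement."""
    fixed = dict(params)
    for key, _current, replacement in audit(params):
        fixed[key] = replacement
    return fixed


if __name__ == "__main__":
    posted = parse_global(SAMPLE_SMB_CONF)
    for key, current, replacement in audit(posted):
        print(f"{key:22s} {current:18s} -> {replacement}")
    # The hardened copy carries no legacy settings left to flag.
    print("after hardening:", audit(harden(posted)))
```

Run against the posted section it reports the same five lines the reply questions; run against the hardened copy it reports nothing. Keeping the policy as data rather than hard-coded branches makes it easy to extend with other parameters a site wants to watch.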