Nicolas Martinussen
2025-Oct-23 14:15 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
> Hello,
>
> I have an issue with the way FortiEMS authenticates (which Fortinet
> won't revert back). Before, it was using 'sasl' authentication at the
> bind request but now, it's using 'NTLMSSP_NEGOTIATE' and it seems my
> Samba AD doesn't like it and returns an 'LDAP_PROTOCOL_ERROR'.
>
> Is it an expected outcome or should NTLMSSP_NEGOTIATE work ?

Yes it should, it is the first stage in the protocol negotiation.

> Here are the error logs (in debug) :
>
> [2025/10/23 13:12:05.355283, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:92(messaging_dgm_ref)
>   messaging_dgm_ref: messaging_dgm_get_unique returned Success
> [2025/10/23 13:12:05.355305, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:109(messaging_dgm_ref)
>   messaging_dgm_ref: unique = 7718602353702169936
> [2025/10/23 13:12:05.355484, 10, pid=190027, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:113(security_token_debug)
>   Security token SIDs (1):
>     SID[ 0]: S-1-5-7
>   Privileges (0x 0):
>   Rights (0x 0):
> [2025/10/23 13:12:05.356147, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:563(loadparm_s3_init_globals)
>   Initialising global parameters
> [2025/10/23 13:12:05.356174, 2, pid=190027, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:331(max_open_files)
>   rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> [2025/10/23 13:12:05.356259, 3, pid=190027, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2025/10/23 13:12:05.356407, 10, pid=190027, effective(0, 0), real(0, 0)] ../../source4/dsdb/common/util.c:5785(dsdb_search)
>   dsdb_search: SUB flags=0x00000200 cn=Primary Domains (&(flatname=MYDOMAIN)(objectclass=primaryDomain)) -> 1

This appears to be searching in 'secrets.ldb' and failing, any idea what the search command is ?

From what I see in the packet capture I have done, it doesn't look like it's searching anything at that moment. Here is the packet decoded by Wireshark :

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" ntlmsspNegotiate
        messageID: 1
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: <MISSING>
                authentication: ntlmsspNegotiate (10)
                    NTLM Secure Service Provider
                        NTLMSSP identifier: NTLMSSP
                        NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                        Negotiate Flags: 0xa0880001, Negotiate 56, Negotiate 128, Negotiate Target Info, Negotiate Extended Session Security, Negotiate UNICODE
                            1... .... .... .... .... .... .... .... = Negotiate 56: Set
                            .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
                            ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                            ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                            .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                            .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                            .... ..0. .... .... .... .... .... .... = Negotiate Version: Not set
                            .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                            .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                            .... .... .0.. .... .... .... .... .... = Request Non-NT Session Key: Not set
                            .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                            .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                            .... .... .... 1... .... .... .... .... = Negotiate Extended Session Security: Set
                            .... .... .... .0.. .... .... .... .... = Negotiate 0x00040000: Not set
                            .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                            .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                            .... .... .... .... 0... .... .... .... = Negotiate Always Sign: Not set
                            .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                            .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                            .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                            .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                            .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                            .... .... .... .... .... ..0. .... .... = Negotiate NTLM key: Not set
                            .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                            .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                            .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                            .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                            .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                            .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                            .... .... .... .... .... .... .... .0.. = Request Target: Not set
                            .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                            .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                        Calling workstation domain: NULL
                        Calling workstation name: NULL

> [2025/10/23 13:12:05.359625, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
>   stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'
> [2025/10/23 13:12:05.359745, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=0x56413ff8f860
> [2025/10/23 13:12:07.278532, 3, pid=190027, effective(0, 0), real(0, 0)] ../../source4/samba/process_prefork.c:136(sigterm_signal_handler)
>   sigterm_signal_handler: Exiting pid 190027 on SIGTERM
> [2025/10/23 13:12:07.279005, 10, pid=190027, effective(0, 0), real(0, 0)] ../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
>   msg_dgm_ref_destructor: refs=(nil)
>
> Here is my config :
>
> [global]
> netbios name = DC-01
> realm = AD.MYDOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> ad dc functional level = 2016
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> bind interfaces only = yes
> interfaces = lo 192.168.102.66/22
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS

Why 'WINS' ? Your clients should be using DNS, not NetBIOS.

It's due to an old machine that really needs WINS (an old Windows NT Embedded). I would really like to disable that, but I sadly can't.

> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/MYDOMAIN.2023.crt
> # TLS
>
> ntlm auth = ntlmv1-permitted
> lanman auth = yes
> client lanman auth = yes
> server min protocol = NT1
> client min protocol = NT1

Why are you using SMBv1 ?

It's also some configuration that I need to disable, but a production machine is still using SMBv1. As soon as this machine is migrated to another SMB server (for old machines), I'll remove those 5 config lines.

> Here is a packet capture : https://limewire.com/d/aMDII#izxwDwbIzX
>
> Thank you in advance,
> Nicolas Martinussen

Thanks,
Nicolas
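The bind request decoded above carries an NTLMSSP NEGOTIATE_MESSAGE (type 1), the first message of the NTLM exchange. The Python below is an added example, not code from this thread, from Samba or from Fortinet: it parses a type 1 message using the field layout and flag names from MS-NLMP, so someone reviewing a capture can read what the client is asking for (here: Extended Session Security and Target Info requested, no signing or sealing, no domain or workstation supplied). The sample bytes are constructed to match the Wireshark decode (flags 0xa0880001, empty domain and workstation); they are not taken from the linked capture, and build_negotiate, parse_negotiate and flag_names are names chosen for this example.

```python
"""Parser for the NTLMSSP NEGOTIATE_MESSAGE (type 1) as laid out in MS-NLMP.

Added example; not part of the mailing-list thread or of Samba.
"""
import struct

# NegotiateFlags bits and their MS-NLMP names (section 2.2.2.5).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1


def flag_names(flags: int) -> list:
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def _read_field(msg: bytes, length: int, offset: int, present: int) -> bytes:
    """Read a Len/MaxLen/Offset payload field, refusing out-of-bounds pointers."""
    if not present or length == 0:
        return b""
    if offset + length > len(msg):
        raise ValueError("payload field points outside the message")
    return msg[offset:offset + length]


def parse_negotiate(msg: bytes) -> dict:
    """Parse a type 1 message; raise ValueError on anything malformed."""
    if len(msg) < 32:
        raise ValueError("NEGOTIATE_MESSAGE is at least 32 bytes")
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError(f"expected MessageType 1, got {msg_type}")
    # DomainNameFields and WorkstationFields: Len, MaxLen, BufferOffset (little-endian).
    dom_len, _dom_max, dom_off = struct.unpack_from("<HHI", msg, 16)
    ws_len, _ws_max, ws_off = struct.unpack_from("<HHI", msg, 24)
    known = sum(NEGOTIATE_FLAGS)
    return {
        "flags": flags,
        "flag_names": flag_names(flags),
        "unknown_bits": flags & ~known & 0xFFFFFFFF,
        # Both buffers are OEM (ASCII) and only meaningful when the matching flag is set.
        "domain": _read_field(msg, dom_len, dom_off, flags & 0x00001000).decode("ascii", "replace"),
        "workstation": _read_field(msg, ws_len, ws_off, flags & 0x00002000).decode("ascii", "replace"),
        "requests_signing": bool(flags & 0x00000010),
        "requests_sealing": bool(flags & 0x00000020),
    }


def build_negotiate(flags: int, domain: bytes = b"", workstation: bytes = b"") -> bytes:
    """Serialise a type 1 message without the optional Version field (used to construct samples)."""
    dom_off = 32
    ws_off = dom_off + len(domain)
    header = SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
    header += struct.pack("<HHI", len(domain), len(domain), dom_off)
    header += struct.pack("<HHI", len(workstation), len(workstation), ws_off)
    return header + domain + workstation


# Constructed sample mirroring the Wireshark decode in the thread:
# flags 0xa0880001, no domain or workstation supplied. Not bytes from the capture.
SAMPLE_FORTIEMS_STYLE = build_negotiate(0xA0880001)

if __name__ == "__main__":
    parsed = parse_negotiate(SAMPLE_FORTIEMS_STYLE)
    print(f"flags 0x{parsed['flags']:08x}: {', '.join(parsed['flag_names'])}")
    print(f"signing requested: {parsed['requests_signing']}, sealing requested: {parsed['requests_sealing']}")
    print(f"domain={parsed['domain']!r} workstation={parsed['workstation']!r}")
```

Feeding the raw NTLMSSP blob from the bind request's SASL credentials into parse_negotiate gives the same flag list Wireshark shows, and the bounds check on the Domain and Workstation fields is what stops a malformed type 1 message from making the parser read past the end of the buffer.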
Rowland Penny
2025-Oct-23 14:25 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Thu, 23 Oct 2025 14:15:13 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:

> This appears to be searching in 'secrets.ldb' and failing, any idea
> what the search command is ?
>
> From what I see in the packet capture I have done, it doesn't look
> like it's searching anything at that moment.

Something must be starting off the process, it is that command I was referring to.

> Why 'WINS' ? Your clients should be using DNS, not NetBIOS.
>
> It's due to an old machine that really needs WINS (an old Windows NT
> Embedded). I would really like to disable that, but I sadly can't

Are we talking about something like a very expensive machine tool ? If so, you would probably be better off setting up an intermediate Samba server that can talk to the tool in SMB1, but can only listen to the rest of the domain in SMBv2/3.

> > # TLS
> > tls enabled = yes
> > tls keyfile = tls/dc-01.2023.key
> > tls certfile = tls/dc-01.2023.crt
> > tls cafile = tls/CA/MYDOMAIN.2023.crt
> > # TLS
> >
> > ntlm auth = ntlmv1-permitted
> > lanman auth = yes
> > client lanman auth = yes
> > server min protocol = NT1
> > client min protocol = NT1
>
> Why are you using SMBv1 ?
>
> It's also some configuration that I need to disable, but a production
> machine is still using SMBv1. As soon as this machine is migrated to
> another SMB server (for old machines), I'll remove those 5 config
> lines

All that SMBv1 stuff may be your problem.

Rowland