Rowland Penny
2025-Oct-24 12:32 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Fri, 24 Oct 2025 11:44:49 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:

> I've found a way to reproduce the issue I have with a small C# code
> executed on Windows. It gets me almost the same packets when I do a
> capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and
> when I try it against a Windows DC, it works.
>
> Here is the code:
>
> using System.DirectoryServices.Protocols;
> using System.Net;
>
> class Program
> {
>     static void Main()
>     {
>         string ldapServer = "dc-01.ad.mydomain.com";
>
>         LdapConnection ldap = new LdapConnection(ldapServer);
>         ldap.AuthType = AuthType.Ntlm;
>         ldap.Credential = new NetworkCredential("ldap", "PASSWORD",
>             "MYDOMAIN");
>
>         ldap.Bind();
>     }
> }
>
> It seems like AuthType.Ntlm isn't supported by the Samba code. When I
> try the same code with AuthType.Basic, in that case, it works (I get
> the "Strong authentication is required for this operation.", but
> that's normal as I use LDAP and not LDAPS).
>

I am also fairly certain it is supported, but I am also running out of
ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for the
username, what if it expects the samaccountname? Try it with just
'ldap' (which I presume is an AD username).

Rowland
Nicolas Martinussen
2025-Oct-24 12:42 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
> > I've found a way to reproduce the issue I have with a small C# code
> > executed on Windows. It gets me almost the same packets when I do a
> > capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and
> > when I try it against a Windows DC, it works.
> >
> > Here is the code:
> >
> > using System.DirectoryServices.Protocols;
> > using System.Net;
> >
> > class Program
> > {
> >     static void Main()
> >     {
> >         string ldapServer = "dc-01.ad.mydomain.com";
> >
> >         LdapConnection ldap = new LdapConnection(ldapServer);
> >         ldap.AuthType = AuthType.Ntlm;
> >         ldap.Credential = new NetworkCredential("ldap", "PASSWORD",
> >             "MYDOMAIN");
> >
> >         ldap.Bind();
> >     }
> > }
> >
> > It seems like AuthType.Ntlm isn't supported by the Samba code. When I
> > try the same code with AuthType.Basic, in that case, it works (I get
> > the "Strong authentication is required for this operation.", but
> > that's normal as I use LDAP and not LDAPS).
> >
>
> I am also fairly certain it is supported, but I am also running out of
> ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for the
> username, what if it expects the samaccountname? Try it with just
> 'ldap' (which I presume is an AD username).
>
> Rowland

Yes, 'ldap' is in fact the username I try. I've already tried
'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com',
'MYDOMAIN\ldap' and just 'ldap'.

When I check the packet trace, I don't even see the username in the
packet that results in a TCP RESET from the DC. The username is sent
later when I check the same traffic with a Windows DC. So, what I'm
guessing is that for some reason, this specific bind packet isn't
correctly recognized by Samba.

I'm willing to try to do some code debugging to see exactly where there
is an issue, but I didn't find any info about how to debug the Samba
code in the wiki and I have never really used GDB, so I have no idea
where to start.

Nicolas
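As an added example (not code from this thread, from Samba, or from the .NET LDAP client), here is a small Python decoder for the kind of bind request discussed above. It reads the BER of an LDAP BindRequest, reports which authentication choice it uses (simple, SASL, or the Windows "Sicily" choices documented in MS-ADTS that Windows clients use for NTLM binds), and, when the token is NTLMSSP, which message type it carries. It also shows why the first NTLM bind packet contains no user name: the NTLMSSP NEGOTIATE message has no user name field at all; the name only appears in the later AUTHENTICATE message. The packets are constructed inline for the example; the parser assumes definite-length BER and a raw NTLMSSP token (a real GSS-SPNEGO SASL bind may wrap NTLMSSP inside a SPNEGO token, which this code does not unwrap).

```python
import struct

# AuthenticationChoice tags of an LDAP BindRequest: RFC 4511 plus the
# Sicily choices from MS-ADTS used by Windows clients for NTLM binds.
AUTH_CHOICES = {
    0x80: "simple",
    0xA3: "sasl",
    0x89: "sicilyPackageDiscovery",
    0x8A: "sicilyNegotiate",
    0x8B: "sicilyResponse",
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def ber_read(buf, pos):
    """Read one definite-length BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_encode(tag, value):
    """Encode a TLV with short or long definite length (used for samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def parse_ntlmssp(token):
    """Describe an NTLMSSP message; None if the token is not NTLMSSP."""
    if not token.startswith(NTLMSSP_SIGNATURE):
        return None
    msg_type = struct.unpack_from("<I", token, 8)[0]
    info = {"type": NTLM_TYPES.get(msg_type, f"unknown({msg_type})"), "user": None}
    if msg_type == 3:
        # AUTHENTICATE only: UserNameFields (Len, MaxLen, Offset) sit at offset 36,
        # NegotiateFlags at offset 60. NEGOTIATE has no user name field.
        ulen, _umax, uoff = struct.unpack_from("<HHI", token, 36)
        flags = struct.unpack_from("<I", token, 60)[0]
        raw = token[uoff:uoff + ulen]
        info["user"] = raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    return info


def parse_bind_request(packet):
    """Decode LDAPMessage { messageID, BindRequest } and describe its auth choice."""
    tag, msg, _ = ber_read(packet, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _t, msgid, pos = ber_read(msg, 0)         # messageID INTEGER
    op_tag, bind, _ = ber_read(msg, pos)      # protocolOp
    if op_tag != 0x60:                        # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _t, version, pos = ber_read(bind, 0)      # version INTEGER
    _t, name, pos = ber_read(bind, pos)       # name LDAPDN, usually empty for NTLM
    auth_tag, auth, _ = ber_read(bind, pos)   # authentication CHOICE
    result = {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "auth": AUTH_CHOICES.get(auth_tag, f"unknown(0x{auth_tag:02x})"),
    }
    token = auth
    if auth_tag == 0xA3:  # sasl: SEQUENCE { mechanism, credentials OPTIONAL }
        _t, mech, pos = ber_read(auth, 0)
        result["sasl_mechanism"] = mech.decode()
        token = ber_read(auth, pos)[1] if pos < len(auth) else b""
    result["ntlmssp"] = parse_ntlmssp(token)
    return result


# --- constructed sample packets (not captured traffic) ---------------------

def ntlm_negotiate(flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Minimal NTLMSSP NEGOTIATE: signature, type 1, flags, empty domain/workstation."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def ntlm_authenticate(user, domain):
    """Minimal NTLMSSP AUTHENTICATE carrying only a domain and a user name."""
    u, d, hdr_len = user.encode("utf-16-le"), domain.encode("utf-16-le"), 64
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, hdr_len)                     # LmChallengeResponse
    hdr += struct.pack("<HHI", 0, 0, hdr_len)                     # NtChallengeResponse
    hdr += struct.pack("<HHI", len(d), len(d), hdr_len)           # DomainName
    hdr += struct.pack("<HHI", len(u), len(u), hdr_len + len(d))  # UserName
    hdr += struct.pack("<HHI", 0, 0, hdr_len)                     # Workstation
    hdr += struct.pack("<HHI", 0, 0, hdr_len)                     # EncryptedRandomSessionKey
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)           # NegotiateFlags
    return hdr + d + u


def bind_request(msg_id, auth_tag, auth_value, name=b""):
    """LDAPMessage { messageID, BindRequest { version 3, name, [auth_tag] auth_value } }."""
    bind = ber_encode(0x02, bytes([3])) + ber_encode(0x04, name) + ber_encode(auth_tag, auth_value)
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + ber_encode(0x60, bind))


if __name__ == "__main__":
    print(parse_bind_request(bind_request(1, 0x8A, ntlm_negotiate())))
    print(parse_bind_request(bind_request(2, 0x8B, ntlm_authenticate("ldap", "MYDOMAIN"))))
```

Run against bytes copied from a capture (the LDAPMessage starting at the 0x30 byte), the output tells you which choice the client used and whether the rejected packet is the NEGOTIATE stage, where no user name is present yet, or a later stage.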