Nicolas Martinussen
2025-Oct-24 12:42 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
> > I've found a way to reproduce the issue I have with a small C# code
> > executed on Windows. It gets me almost the same packets when I do a
> > capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and
> > when I try it against a Windows DC, it works.
> >
> > Here is the code:
> >
> > using System.DirectoryServices.Protocols;
> > using System.Net;
> >
> > class Program
> > {
> >     static void Main()
> >     {
> >         string ldapServer = "dc-01.ad.mydomain.com";
> >
> >         LdapConnection ldap = new LdapConnection(ldapServer);
> >         ldap.AuthType = AuthType.Ntlm;
> >         ldap.Credential = new NetworkCredential("ldap", "PASSWORD", "MYDOMAIN");
> >
> >         ldap.Bind();
> >     }
> > }
> >
> > It seems like AuthType.Ntlm isn't supported by the Samba code. When I
> > try the same code with AuthType.Basic, in that case, it works (I get
> > the "Strong authentication is required for this operation.", but
> > that's normal as I use LDAP and not LDAPS).
> >
>
> I am also fairly certain it is supported, but I am also running out of
> ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for the
> username, what if it expects the samaccountname? Try it with just
> 'ldap' (which I presume is an AD username).
>
> Rowland

Yes, 'ldap' is in fact the username I try. I've already tried
'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com',
'MYDOMAIN\ldap' and just 'ldap'.

When I check the packet trace, I don't even see the username in the
packet that results in a TCP RESET from the DC. The username is sent
later when I check the same traffic with a Windows DC. So, what I'm
guessing is that for some reason, this specific bind packet isn't
correctly recognized by Samba.

I'm willing to try to do some code debugging to see exactly where there
is an issue, but I didn't find any info about how to debug the Samba
code in the wiki and I have never really used GDB, so I have no idea
where to start.

Nicolas
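The first thing to read off a capture like the one described above is which authentication choice the BindRequest actually carries, because an LDAP server answers a bind it cannot parse with a protocol error rather than an authentication failure. The decoder below is an added example written for this thread; it is not code from the original post, from the .NET client, or from Samba. It walks the BER of an LDAPMessage, reports the BindRequest's authentication choice, and, where an NTLMSSP token is present, its message type. The tag numbers for the standard choices come from RFC 4511; the Sicily choices (sicilyPackageDiscovery [9], sicilyNegotiate [10], sicilyResponse [11]) come from MS-ADTS, which is an assumption on my part about what a Windows NTLM LDAP client may send, not something the thread establishes. The two sample messages are constructed inline, and for brevity the SASL sample places the NTLMSSP token directly in the credentials instead of wrapping it in a SPNEGO token.

```python
"""Decode an LDAP BindRequest and report which authentication choice it uses.

Added example for the Samba list thread above; not Samba's or the client's code.
Handles low-tag-number BER only, which covers every tag an LDAP bind uses.
"""
import struct

# BindRequest.authentication choice tags (context-specific class).
# [0] simple and [3] sasl are RFC 4511; [9]-[11] are the Microsoft Sicily
# extension from MS-ADTS (assumed relevant here, not stated in the thread).
AUTH_CHOICES = {
    0x80: "simple",
    0xA3: "sasl",
    0x89: "sicilyPackageDiscovery",
    0x8A: "sicilyNegotiate",
    0x8B: "sicilyResponse",
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]. Returns (tag, value, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag number form not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def find_ntlmssp(blob):
    """Return the NTLMSSP message type name if the blob contains an NTLMSSP token."""
    idx = blob.find(NTLMSSP_SIGNATURE)     # may sit inside a SPNEGO wrapper
    if idx < 0 or len(blob) < idx + 12:
        return None
    mtype = struct.unpack_from("<I", blob, idx + 8)[0]
    return NTLM_TYPES.get(mtype, "unknown(%d)" % mtype)


def decode_bind_request(msg):
    """Parse LDAPMessage { messageID, BindRequest } and summarise the bind."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                        # [APPLICATION 0] constructed = BindRequest
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    result = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8", "replace"),
        "auth": AUTH_CHOICES.get(auth_tag, "unknown(0x%02x)" % auth_tag),
        "mechanism": None,
        "ntlm": None,
    }
    if auth_tag == 0xA3:                   # SaslCredentials { mechanism, credentials OPTIONAL }
        _, mech, pos = _read_tlv(auth, 0)
        result["mechanism"] = mech.decode("ascii", "replace")
        if pos < len(auth):
            _, creds, _ = _read_tlv(auth, pos)
            result["ntlm"] = find_ntlmssp(creds)
    elif auth_tag in (0x89, 0x8A, 0x8B):   # Sicily choices carry the raw token
        result["ntlm"] = find_ntlmssp(auth)
    return result


# --- constructed sample messages (not captured traffic) ---------------------

def _tlv(tag, payload):
    """Encode one BER TLV with definite-length encoding."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def build_bind_request(message_id, auth_tag, auth_payload, name=b""):
    """Build LDAPMessage { messageID, BindRequest { version 3, name, auth } }."""
    op = _tlv(0x02, bytes([3])) + _tlv(0x04, name) + _tlv(auth_tag, auth_payload)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, op))


# Minimal constructed NTLMSSP NEGOTIATE: signature, type 1, flags, empty fields.
NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16

# Standard SASL bind advertising GSS-SPNEGO (token placed unwrapped for brevity).
SASL_BIND = build_bind_request(
    1, 0xA3, _tlv(0x04, b"GSS-SPNEGO") + _tlv(0x04, NTLM_NEGOTIATE))
# Sicily-style bind carrying the same token in the [10] sicilyNegotiate choice.
SICILY_BIND = build_bind_request(2, 0x8A, NTLM_NEGOTIATE)

if __name__ == "__main__":
    for sample in (SASL_BIND, SICILY_BIND):
        print(decode_bind_request(sample))
```

To use it on a real trace, export the raw bytes of the TCP payload that precedes the reset (Wireshark's "Export Packet Bytes" on the LDAPMessage works) and pass them to `decode_bind_request`. Note that, as the original post observes, the bind name is empty in the first NTLMSSP leg, so the username not appearing in that packet is expected; the field worth comparing between the Samba and Windows captures is the authentication choice tag.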
Rowland Penny
2025-Oct-24 12:50 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
On Fri, 24 Oct 2025 12:42:29 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:

> > > I've found a way to reproduce the issue I have with a small C#
> > > code executed on Windows. It gets me almost the same packets when
> > > I do a capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba
> > > logs, and when I try it against a Windows DC, it works.
> > >
> > > Here is the code:
> > >
> > > using System.DirectoryServices.Protocols;
> > > using System.Net;
> > >
> > > class Program
> > > {
> > >     static void Main()
> > >     {
> > >         string ldapServer = "dc-01.ad.mydomain.com";
> > >
> > >         LdapConnection ldap = new LdapConnection(ldapServer);
> > >         ldap.AuthType = AuthType.Ntlm;
> > >         ldap.Credential = new NetworkCredential("ldap", "PASSWORD", "MYDOMAIN");
> > >
> > >         ldap.Bind();
> > >     }
> > > }
> > >
> > > It seems like AuthType.Ntlm isn't supported by the Samba code.
> > > When I try the same code with AuthType.Basic, in that case, it
> > > works (I get the "Strong authentication is required for this
> > > operation.", but that's normal as I use LDAP and not LDAPS).
> > >
> >
> > I am also fairly certain it is supported, but I am also running out
> > of ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for
> > the username, what if it expects the samaccountname? Try it with
> > just 'ldap' (which I presume is an AD username).
> >
> > Rowland
>
> Yes, 'ldap' is in fact the username I try. I've already tried
> 'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com',
> 'MYDOMAIN\ldap' and just 'ldap'.
>
> When I check the packet trace, I don't even see the username in the
> packet that results in a TCP RESET from the DC. The username is sent
> later when I check the same traffic with a Windows DC. So, what I'm
> guessing is that for some reason, this specific bind packet isn't
> correctly recognized by Samba.
>
> I'm willing to try to do some code debugging to see exactly where
> there is an issue, but I didn't find any info about how to debug the
> Samba code in the wiki and I have never really used GDB, so I have no
> idea where to start.
>
> Nicolas

Debugging isn't really something I am into, but perhaps this will point
you in the right direction:

https://wiki.samba.org/index.php/Writing_a_Samba_VFS_Module#Source_Debugging

Rowland
Peter
2025-Oct-27 19:24 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Which version of EMS are you on? I have 7.2 and 7.4 in my lab.

On Fri, Oct 24, 2025 at 5:43 AM Nicolas Martinussen via samba <samba at lists.samba.org> wrote:

> > > I've found a way to reproduce the issue I have with a small C# code
> > > executed on Windows. It gets me almost the same packets when I do a
> > > capture, I also get the 'LDAP_PROTOCOL_ERROR' in the Samba logs, and
> > > when I try it against a Windows DC, it works.
> > >
> > > Here is the code:
> > >
> > > using System.DirectoryServices.Protocols;
> > > using System.Net;
> > >
> > > class Program
> > > {
> > >     static void Main()
> > >     {
> > >         string ldapServer = "dc-01.ad.mydomain.com";
> > >
> > >         LdapConnection ldap = new LdapConnection(ldapServer);
> > >         ldap.AuthType = AuthType.Ntlm;
> > >         ldap.Credential = new NetworkCredential("ldap", "PASSWORD", "MYDOMAIN");
> > >
> > >         ldap.Bind();
> > >     }
> > > }
> > >
> > > It seems like AuthType.Ntlm isn't supported by the Samba code. When I
> > > try the same code with AuthType.Basic, in that case, it works (I get
> > > the "Strong authentication is required for this operation.", but
> > > that's normal as I use LDAP and not LDAPS).
> > >
> >
> > I am also fairly certain it is supported, but I am also running out of
> > ideas. My last idea is, you are using 'ldap at ad.mydomain.com' for the
> > username, what if it expects the samaccountname? Try it with just
> > 'ldap' (which I presume is an AD username).
> >
> > Rowland
>
> Yes, 'ldap' is in fact the username I try. I've already tried
> 'CN=LDAP,CN=Users,CN=AD,CN=MYDOMAIN,CN=com', 'ldap at ad.mydomain.com',
> 'MYDOMAIN\ldap' and just 'ldap'.
>
> When I check the packet trace, I don't even see the username in the packet
> that results in a TCP RESET from the DC. The username is sent later when I
> check the same traffic with a Windows DC. So, what I'm guessing is that for
> some reason, this specific bind packet isn't correctly recognized by Samba.
>
> I'm willing to try to do some code debugging to see exactly where there is
> an issue, but I didn't find any info about how to debug the Samba code in
> the wiki and I have never really used GDB, so I have no idea where to start.
>
> Nicolas
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba