Nicolas Martinussen
2025-Nov-04 08:04 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Hello Denis and the Tranquil IT team,

Thanks for your research! Since your last message I sadly haven't had time (and probably knowledge too) to do more digging. I think you have correctly identified the issue. Let's now hope there will be an (easy?) fix!

Nicolas

> Hi Nicolas,
>
> After some more digging here and comparing MS-AD and Samba-AD wire traces, here is what we found up to now:
>
> * the issue is due to the client trying to use the NTLM / Sicily authentication mechanism (Sicily [1] is an old and insecure auth protocol that is not accepted by MS-AD either). Sicily is not SASL based [2].
>
> * Samba does not implement Sicily AT ALL, so it drops the connection when the initial packet comes to the server because it is "malformed" (since Samba has no knowledge of this auth mech)
>
> * MS-AD, on receiving a Sicily auth packet, will start negotiating and then send a StrongerAuthRequired to the client (like I said above, MS-AD is not accepting Sicily anymore, but it knows about the protocol and properly answers a client asking for it)
>
> * I guess that FortiEMS, once receiving the StrongerAuthRequired answer, then uses SASL for authentication.
>
> So in order for Samba to support this kind of corner case, there is some code to write just to be able to tell the client to use a better auth mechanism. Python ldap3 supports the Sicily auth mech, so it is easy to make a test case that works on Linux.
>
> We'll open a Bugzilla entry shortly with wire trace and the initial debug we have made here. But it is very strange for Fortinet to use this auth mechanism, so there may be some other stuff that triggers this behavior...
>
> Cheers,
>
> Yohann?s, Thomas and Denis
>
> [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
>
> [2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e7d814a5-4cb5-4b0d-b408-09d79988b550
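To make the exchange quoted above concrete, here is an added Python example (not code from the thread, from Samba or from Fortinet) that encodes and decodes minimal LDAP BindRequest and BindResponse messages and classifies the AuthenticationChoice a client sent: simple [0] and SASL [3] from RFC 4511, or the Sicily tags [9], [10] and [11] that MS-ADTS documents and Samba does not implement. The sample messages are constructed; the name "NTLM" in the Sicily bind, the GSSAPI token bytes and the simple-bind DN are assumptions, not values from the wire traces Denis mentions. An administrator can run the classifier over bind requests extracted from a capture to tell whether a client is falling back to NTLM/Sicily instead of SASL/GSSAPI, and the two reply builders mirror what the thread reports each server sends back.

```python
# Added example: minimal BER encoder/decoder for LDAP BindRequest/BindResponse,
# used to classify which AuthenticationChoice a client sent.
# Tags per RFC 4511; the Sicily tags [9]/[10]/[11] are the MS-ADTS extension.
AUTH_CHOICES = {
    0x80: "simple",                  # [0] OCTET STRING (primitive)
    0xA3: "sasl",                    # [3] SaslCredentials (constructed)
    0x89: "sicilyPackageDiscovery",  # [9]  NTLM "Sicily" bind, step 1
    0x8A: "sicilyNegotiate",         # [10] NTLM NEGOTIATE carried in the bind
    0x8B: "sicilyResponse",          # [11] NTLM AUTHENTICATE carried in the bind
}
SICILY = {"sicilyPackageDiscovery", "sicilyNegotiate", "sicilyResponse"}
RESULT_CODES = {0: "success", 2: "protocolError", 8: "strongerAuthRequired",
                14: "saslBindInProgress", 49: "invalidCredentials"}

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128 bytes, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element with a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; returns (tag, content, index after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def bind_request(message_id: int, name: bytes, auth_tag: int, auth: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, authentication } }."""
    op = tlv(0x02, b"\x03") + tlv(0x04, name) + tlv(auth_tag, auth)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

def bind_response(message_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, op))

def classify_bind_request(msg: bytes) -> dict:
    """Return message id, name, auth choice, mechanism, and whether the bind is Sicily/NTLM."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    choice = AUTH_CHOICES.get(tag, "unknown [%d]" % (tag & 0x1F))
    info = {"message_id": int.from_bytes(mid, "big"), "version": version[0],
            "name": name.decode("utf-8", "replace"), "choice": choice,
            "sicily": choice in SICILY, "mechanism": None}
    if choice == "sasl":
        _, mech, _ = read_tlv(auth)        # SaslCredentials.mechanism, e.g. GSSAPI
        info["mechanism"] = mech.decode()
    elif choice in SICILY and auth.startswith(b"NTLMSSP\x00"):
        # NTLMSSP messages carry the signature, then a little-endian type (1 = NEGOTIATE).
        info["mechanism"] = "NTLMSSP type %d" % int.from_bytes(auth[8:12], "little")
    return info

def result_code_name(resp: bytes) -> str:
    """Decode the resultCode of a BindResponse (the field MS-AD sets to strongerAuthRequired)."""
    _, body, _ = read_tlv(resp)
    _, _, pos = read_tlv(body)             # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    _, code, _ = read_tlv(op)
    return RESULT_CODES.get(code[0], "resultCode %d" % code[0])

def sicily_binds(messages) -> list:
    """Message ids of binds using Sicily, i.e. the requests the thread says Samba cannot handle."""
    return [info["message_id"] for info in map(classify_bind_request, messages) if info["sicily"]]

# Constructed samples, not taken from the wire traces mentioned in the thread.
# The name "NTLM" in the Sicily bind and the GSSAPI token bytes are assumptions.
NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24
SAMPLES = [
    bind_request(1, b"NTLM", 0x8A, NTLM_NEGOTIATE),                            # Sicily negotiate
    bind_request(2, b"", 0xA3, tlv(0x04, b"GSSAPI") + tlv(0x04, b"<token>")),  # SASL/GSSAPI
    bind_request(3, b"cn=svc,dc=example,dc=com", 0x80, b"secret"),             # simple bind
]
# Replies to the Sicily bind (id 1) as the thread describes them.
AD_REPLY = bind_response(1, 8)     # MS-AD: strongerAuthRequired, client then retries with SASL
SAMBA_REPLY = bind_response(1, 2)  # Samba: protocolError (the LDAP_PROTOCOL_ERROR in the subject)

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify_bind_request(m))
    print("MS-AD:", result_code_name(AD_REPLY), "| Samba:", result_code_name(SAMBA_REPLY))
```

Feeding the classifier real bind requests from a capture only needs the raw LDAPMessage bytes of each packet; a `sicily` entry of `True` on a client you expected to bind with SASL/GSSAPI is the symptom described in this thread.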
Nicolas Martinussen
2026-Jan-21 07:36 UTC
[Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request
Hello Denis,

In the bug report 15956, you said:

> In the meantime it seems that Fortinet realized that they did something wrong and provided the option to enforce the usage of SASL/GSSAPI auth rather than Sicily. The current fix is available on the latest 7.4 series (in the current fix one cannot set a preferred DC, so it must be hardcoded in /etc/hosts to target the right one, but it works).

I've searched in the GUI and also a bit in the (almost undocumented) CLI, but I haven't found anything about that. I've updated my test FortiEMS server to 7.4.5.2111M. How do you force the usage of SASL/GSSAPI?

Thanks,
Nicolas

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Nicolas Martinussen via samba <samba at lists.samba.org>
Sent: Tuesday, 4 November 2025 09:04
To: Denis CARDON <dcardon at tranquil.it>
Cc: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] 'LDAP_PROTOCOL_ERROR' when NTLMSSP_NEGOTIATE bind request