Displaying 20 results from an estimated 300 matches similar to: "A record packet with illegal version was received."
2018 Sep 26
2
Debugging TLS Retry Handshake errors
So, I'm using Samba AD for user authentication by some web appliances,
using LDAPS over port 636. I've been doing this for quite a while -- and
my certificates and everything seem to check out.
But this week (and with one appliance -- my firewall), I'm finding that
maybe 3/20 times the bind will fail for perhaps 10 seconds. During this
time, the logs read (for each failure):
2019 Sep 18
2
LDAP bind to AD fails
Yesterday I set up the pfsense-OpenVPN-Server to auth against the samba-AD
worked great already ...
Now without a change I get errors and wonder why.
I used the IP as "host" and TCP-STARTTLS to port 389
log.samba shows:
[2019/09/18 18:38:22.123976, 1]
../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert
2019 Sep 18
2
LDAP bind to AD fails
On 18.09.19 at 19:16, Kris Lou via samba wrote:
> More than likely, certificate issues.
>
> If you use the IP in pfsense, then the Samba certificate needs to have the
> IP as the CN.
So you suggest to contact the dc via hostname ...
googled this query command:
# openssl s_client -connect adc1:636
tells me ...
CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba -
2018 Sep 27
0
Debugging TLS Retry Handshake errors
On Wed, 2018-09-26 at 11:33 -0700, Kris Lou via samba wrote:
> So, I'm using Samba AD for user authentication by some web appliances,
> using LDAPS over port 636. I've been doing this for quite a while -- and
> my certificates and everything seem to check out.
>
> But this week (and with one appliance -- my firewall), I'm finding that
> maybe 3/20 times the bind
2019 Sep 18
0
LDAP bind to AD fails
More than likely, certificate issues.
If you use the IP in pfsense, then the Samba certificate needs to have the
IP as the CN.
Kris Lou
klou at themusiclink.net
On Wed, Sep 18, 2019 at 9:42 AM Stefan G. Weichinger via samba <
samba at lists.samba.org> wrote:
>
> Yesterday I set up the pfsense-OpenVPN-Server to auth against the samba-AD
>
> worked great already ...
>
>
2019 Sep 18
2
LDAP bind to AD fails
On 18.09.19 at 19:32, Stefan G. Weichinger via samba wrote:
> On 18.09.19 at 19:28, Stefan G. Weichinger via samba wrote:
>
>> So I would have to use "adc1.arbeitsgruppe.mydomain.at"
>
> Tried that. Doesn't help so far.
>
> gives:
>
> [2019/09/18 19:32:07.544332, 1]
> ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
> TLS
2018 Sep 27
1
Debugging TLS Retry Handshake errors
Hi Andrew,
Thanks for the response. I'm running 4.7.6, there are 3 DC's, but in my
tests, I'm directly pointed at only 1. And the actual CPU/ memory load is
minimal - ~4%/6GB free.
From the client side, I'm pretty sure my tests are PHP calling
ldap_connect()
<https://github.com/pfsense/pfsense/blob/157aff9e256aa235ba68ccc2168c61fc61e90072/src/etc/inc/auth.inc#L960>
.
2015 Aug 05
0
LDAP bindpw password
Rowland,
don't be too hard on the guy.. ;-)
Sorry that I can't help out more atm but I'm in the process of win7 to win 10 testing with samba,
and meanwhile doing a rollout.. :-/
Here are some working examples on debian jessie.. with samba 4.1.7 debian.
an apache2.4 kerberos auth example.
AuthType Kerberos
AuthName "Website Login"
KrbMethodNegotiate On
KrbMethodK5Passwd
2010 Jan 21
0
Samba/Winbind 3.4.4 on AIX 5.3 TL 10 does not retrieve ANY User's Secondary Groups
Hi folks !
Has someone any idea on this issue on AIX 5.3 TL 10 with winbind ?
I'm really stuck now ...
I think everything is working pretty well with WINBIND and AD 2k3,
but not my most important point: I absolutely need the Secondary groups of
each AD user which get connected to the AIX to use this filter with sudo...
I only get Primary Group (which is by default "Domain Users"
2014 Feb 11
2
Google Apps Directory Sync Password Attribute
Hello,
I'm trying to synchronize users with samba4 and Google apps using Google
Apps Directory Sync. It's asking me to enter the user Password
attribute. May I know what attribute does samba4 use to store user
passwords? Also, what hash does it use? SHA1? or MD5? I imported the
users using pdbedit.
Thank you in advance.
Sincerely,
Windell Shem Pasamba
2016 Apr 15
5
file rights tls key files.
Hai,
I'm seeing the following..
[2016/04/15 09:57:55.135038, 0] ../source4/lib/tls/tls_tstream.c:1216(tstream_tls_params_server)
Invalid permissions on TLS private key file 'server.key.pem':
owner uid 0 should be 0, mode 0440 should be 0600
This is known as CVE-2013-4476.
Is there any way to override this setting? I do need 0440 here. ( or 0400 )
0600 is not
2013 Apr 09
3
Problem building powerdns from EPEL
Hi,
I just tried to build using
http://dl.fedoraproject.org/pub/epel/6/SRPMS/pdns-3.1-2.el6.src.rpm on
CentOS 6.4 final (kernel: 2.6.32-358.2.1.el6.x86_64), but it failed when
looking for ldap libs:
Note: I did not change anything in the original spec file.
...
+ ./configure --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
2014 Jan 19
1
sudo (+ldap+kerberos) not accepting password
So I have this centos 5.10 box which authenticates network users
against ldap(authorizing)+kerberos(authentication). And I now would
like to have sudo be able to allow admins (netgroup chinbeards) to
sudo about. I am not using sssd though (yet).
Here is the output of me trying sudo (debug on):
[raub at centos5-x64 ~]$ sudo pwd
LDAP Config Summary
===================
uri
2014 Feb 17
1
ldap_modify change password
Hello,
I would like to change samba4 AD user's password using php. Here's my code:
function UpdateLdapPassword($username, $newpassword)
{
global $ds;
global $rdn;
$entry["clearTextPassword"][0]=base64_encode(iconv('UTF-8','UTF-16LE',$newpassword));
$bReturn= ldap_modify ($ds, $rdn, $entry);
2014 Feb 10
2
Conflicting objectSid
Hi all,
I'm having problems with leaving and joining a client to the domain.
I'm using samba-4.1.4 as an AD server. When I join and leave and join
and leave after a while this error comes up:
Failed to join domain: failed to join domain 'AIIAS' over rpc:
NT_STATUS_IO_TIMEOUT
And when I look at the logs it says:
Failed to re-index objectSid in
2014 Jan 23
0
php script to migrate other attributes after running classicupgrade
Hi,
I have written a php script to upgrade a fresh s4 AD with more details
from a (s3) ldap server. I am no programmer AT ALL, so I guess this is
very dirty and un-elegant, but it does the trick.
We had multiple "mail" attributes in openldap, and since AD only allows
1 mail attribute, additional mail addresses are migrated to
"otherMailbox" AD attributes.
Perhaps someone
2015 Apr 06
1
winbind authentication for user FAILED with error NT_STATUS_WRONG_PASSWORD
Hello,
I'm trying to authenticate to a Samba file server version 3.6.6 which is
joined to a samba AD version 4.1.17. The problem is that I can't seem
to log in using smbclient -L //172.16.0.229/itdev -U shemgp to the file
server and the server displays the error:
winbind authentication for user [shemgp] FAILED with error
NT_STATUS_WRONG_PASSWORD
even if I use the correct password.
2006 May 23
0
LDAP Upgrades (both Unix and Samba)
The latest version of this document can be found at
http://pobox.com/~bcwhite/ldap-upgrade.txt
Last Updated: 2006-05-23
I just upgraded our company's network from a system created 6 years ago
(NIS and SMBPASSWD) to an up-to-date one (for 2006, at least) including
a central LDAP server. It was a far from painless experience, so I
thought I'd write up the experience in the
2015 Apr 23
4
RFC2307 attributes not being read by DC2 in 4.2.1
Greetings, Rowland Penny!
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>
>> Since "winbindd" is included in this line, shouldn't also "-winbind"
>> be there? I think that when you use the normal winbind you must
>> disable the internal one.
>>
2018 Nov 13
2
Samba4 AD LDAP Debug
Hello,
I am trying to add some entries via PHP to samba 4 AD LDAP.
The insert works only partly; some values like telephonenumber, ipPhone
and facsimileTelephoneNumber are not set.
ldap_add always returns success.
Is there a way to see what's going on in ldap and what's wrong?
I have tried to set ldap_set_option($connect, LDAP_OPT_DEBUG_LEVEL, 7); in
php, but it doesn't output more info.
Best