[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

Arjit 1576799 at bugs.launchpad.net
Wed Dec 13 12:39:03 UTC 2017


ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w XXXXXXXX -b 'dc=techmint,dc=lan'

I am able to confirm with tcpdump that communication is in encrypted
mode.

Samba packages on the AD DC server:
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

python-samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 all [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common-bin/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-dsdb-modules/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-libs/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-testsuite/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-vfs-modules/now 2:4.3.11+dfsg

Samba packages on the other server, where net ads is run:
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed]
samba-common/xenial-updates,xenial-updates,xenial-security,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 all [installed,automatic]
samba-common-bin/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-dsdb-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-libs/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-vfs-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]


Note: The issue I have mentioned in 5 is also reported in Samba Bugzilla.

https://bugzilla.samba.org/show_bug.cgi?id=13124


** Bug watch added: Samba Bugzilla #13124
   https://bugzilla.samba.org/show_bug.cgi?id=13124

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we
  were seeing regression with authentication:

  /var/log/syslog
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error

  
  We had to rollback to: 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

  Here's a basic samba config that reproduces the issue:

  Perfectly reproducible with this:
    realm = AD.DOMAIN.COM
    security = ads
    ldap ssl = start_tls
    ldap ssl ads = yes

  [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error

  Samba seems to construct the LDAP URL with the IP of the AD controller
  in it instead of the hostname, and then, because our ldap.conf requires
  it, the server cert validation fails.

  Please let me know if there are any other logs I can provide.
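
The failure described above, where the client connects to the IP while the certificate names only the host, can be checked offline with a name match like the following. This is an added example, not code from Samba, libldap or the reporter; the certificate dict, the `dc1.ad.domain.com` name and the function names are constructed for illustration, and the matching follows the usual RFC 6125-style rules rather than libldap's exact implementation.

```python
import ipaddress

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# The DC name is a placeholder built from the realm in the report.
DC_CERT = {
    "subject": ((("commonName", "dc1.ad.domain.com"),),),
    "subjectAltName": (("DNS", "dc1.ad.domain.com"), ("DNS", "*.ad.domain.com")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def target_matches_cert(cert, target):
    """Return (ok, reason) for the name or address the client connected to."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Rule modelled here: an IP literal matches only an iPAddress SAN,
        # never a DNS name or the commonName.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "iPAddress SAN"
        return False, "IP literal %s is not in the certificate" % target
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        ok = any(_dns_match(d, target) for d in dns)
        return ok, "dNSName SAN" if ok else "no dNSName SAN matches %s" % target
    # Legacy fallback: commonName is consulted only when no dNSName SAN exists.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(c, target) for c in cns)
    return ok, "commonName" if ok else "commonName does not match %s" % target
```

With strict validation in ldap.conf, the StartTLS handshake can only succeed when the LDAP URL carries a name the certificate actually lists, which is why a URL built from the controller's IP fails while the same server reached by hostname passes.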
