[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

Andreas Hasenack andreas at canonical.com
Thu Dec 28 18:56:01 UTC 2017


Problem reproduced with the xenial packages, even when using -k in the
join command (so it authenticates using Kerberos).

With my updated packages, I get further but it fails elsewhere:
root@xenial:~# net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform


Adding some debugging shows:
[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between Kerberos and ldap ssl.


Similarly, I can't use the LDAP tools with GSSAPI authentication together with TLS or StartTLS, so this doesn't seem to be exclusive to Samba:

root@xenial:~# kinit Administrator
Password for Administrator@LOWTECH.INTERNAL:

root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator

root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:
root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LOWTECH.INTERNAL

Valid starting       Expires              Service principal
12/28/2017 18:52:19  12/29/2017 04:52:19  krbtgt/LOWTECH.INTERNAL@LOWTECH.INTERNAL
	renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@
	renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@LOWTECH.INTERNAL
	renew until 12/29/2017 18:52:17

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we
  were seeing regression with authentication:

  /var/log/syslog
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error

  
  We had to rollback to: 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

  Here's a basic samba config that reproduces the issue:

  Perfectly reproducible with this:
    realm = AD.DOMAIN.COM
    security = ads
    ldap ssl = start_tls
    ldap ssl ads = yes

  [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error

  Samba seems to construct the LDAP URL with the IP of the AD controller
  in it instead of the hostname and then because our ldap.conf requires
  it, the server cert validation fails

  Please let me know if there are any other logs I can provide

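As an added example (not part of this bug report, of Samba, or of OpenLDAP), here is a small Python triage helper that recognises the failure signatures quoted in this thread: the AD diagnostic "00002029 ... Cannot bind using sign/seal on a connection on which TLS or SSL is in effect" behind the LDAP result code 53 (unwillingToPerform), the libldap hostname-vs-certificate mismatch that the original reporter hit because Samba built the LDAP URL from the DC's IP, and the winbindd "Failed to issue the StartTLS instruction" line. The sample log is constructed from the lines quoted above. The remediation strings are my own notes, not anything stated in the report: AD refuses a GSSAPI bind that negotiates a SASL security layer (sign/seal) on a connection that already has TLS, so either the Kerberos bind runs without TLS or the SASL layer is disabled, which for the OpenLDAP client tools is `-O maxssf=0`; and the hostname mismatch should be fixed in the URL or the certificate, not by relaxing `TLS_REQCERT` in ldap.conf.

```python
"""Triage the AD/LDAP failure signatures quoted in this bug (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Diagnostic string AD returns in the LDAP result's errorMessage field, e.g.
#   "00002029: LdapErr: DSID-0C0904CB, comment: <text>, data 0, v3839"
AD_LDAPERR_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)
# Samba's "[LDAP] res_errno: N, res_error: <...>, res_matched: <>" debug line.
SAMBA_RES_RE = re.compile(r"res_errno: (?P<errno>\d+), res_error: <(?P<msg>[^>]*)>")
# libldap's TLS hostname-verification failure.
TLS_CN_RE = re.compile(
    r"TLS: hostname \((?P<host>[^)]+)\) does not match common name in certificate \((?P<cn>[^)]+)\)"
)
STARTTLS_RE = re.compile(r"Failed to issue the StartTLS instruction: (?P<why>.+?)\s*$")

LDAP_UNWILLING_TO_PERFORM = 53  # LDAP result code unwillingToPerform


@dataclass
class Finding:
    kind: str
    detail: str
    remediation: str  # my own note, not text from the bug report


def classify(line: str) -> Optional[Finding]:
    """Map one log/debug line to a known failure signature, or None."""
    m = SAMBA_RES_RE.search(line)
    if m:
        errno = int(m.group("errno"))
        ad = AD_LDAPERR_RE.search(m.group("msg"))
        comment = ad.group("comment") if ad else m.group("msg")
        detail = (f"AD code 0x{ad.group('code')} DSID-{ad.group('dsid')}: {comment}"
                  if ad else comment)
        if (errno == LDAP_UNWILLING_TO_PERFORM and "sign/seal" in comment
                and ("TLS" in comment or "SSL" in comment)):
            return Finding(
                "sasl_seal_over_tls", detail,
                "AD refuses a GSSAPI bind that negotiates a SASL security layer on a "
                "TLS/SSL connection: bind with Kerberos sign/seal on a plain connection, "
                "or keep TLS and disable the SASL layer (OpenLDAP tools: -O maxssf=0).",
            )
        return Finding("ldap_result_error", f"errno {errno}: {detail}",
                       "Look up the AD code and comment in the diagnostic.")
    m = TLS_CN_RE.search(line)
    if m:
        return Finding(
            "tls_hostname_mismatch", f"{m.group('host')} vs CN={m.group('cn')}",
            "The client connected by a name/address the certificate does not cover "
            "(here an IP). Fix the URL or the certificate's SANs rather than relaxing "
            "TLS_REQCERT in ldap.conf, which disables server authentication.",
        )
    m = STARTTLS_RE.search(line)
    if m:
        return Finding("starttls_failed", m.group("why"),
                       "The real cause is the libldap TLS error logged just before this line.")
    if "Can't contact LDAP server" in line:
        return Finding("connection_dropped", line.strip(),
                       "On a StartTLS session right after 'SASL data security layer "
                       "installed' this is the same sign/seal-over-TLS refusal.")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run classify() over a log, keeping only recognised lines."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample: the lines quoted in this bug report, in order.
SAMPLE_LOG = [
    "ldap_init: trying /etc/ldap/ldap.conf",
    "[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: "
    "Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, "
    "data 0, v3839>, res_matched: <>",
    "SASL data security layer installed.",
    "ldap_result: Can't contact LDAP server (-1)",
    "[LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).",
    "Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}\n  -> {f.remediation}")
```

Run it over a winbindd/samba debug log (`log level = 10` gives the `[LDAP] res_errno` lines) or the output of `ldapwhoami -ZZ -d 1`; anything that comes back as `sasl_seal_over_tls` is the combination this thread is about, not a certificate or network problem.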