[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

Andreas Hasenack andreas at canonical.com
Fri Dec 29 14:04:33 UTC 2017 

With this workaround in smb.conf it works:

client ldap sasl wrapping = plain

Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads
= yes", it looks like "plain" is safe enough, since ldap is using ssl,
but ymmv.

All in all, I think the bug about the connection using the IP instead of
the hostname specified in the configs is fixed in my ppa packages. I
reproduced it in xenial and also in bionic.

@arjitkumar can you please double check that you are getting the TLS
error about the hostname/ip mismatch, and not something else, with the
new packages?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we
  were seeing regression with authentication:

  /var/log/syslog
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error

  
  We had to rollback to: 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

  Here's a basic samba config that reproduces the issue:

  Perfectly reproducible with this:
    realm = AD.DOMAIN.COM
    security = ads
    ldap ssl = start_tls
    ldap ssl ads = yes

  [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error

  Samba seems to construct the LDAP URL with the IP of the AD controller
  in it instead of the hostname and then because our ldap.conf requires
  it, the server cert validation fails

  Please let me know if there are any other logs I can provide

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799/+subscriptions

More information about the foundations-bugs mailing list