Bug 12478 - Missing ldaps in referral response from DC
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware/OS: All / All
Priority/Severity: P5 normal
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-12-21 16:53 UTC by Davide Principi
Modified: 2016-12-21 20:36 UTC


Description Davide Principi 2016-12-21 16:53:56 UTC
If the client connects to ldaps:// with simple bind, the Samba 4.4 DC response differs from Windows Server 2012: a different URI scheme is present in the LDAP referrals.

For instance, this is the output of an ldapsearch command against a Samba DC:

   ldapsearch -D 'davidep@neth.eu' -w '*****' -H ldaps://neth.eu -b dc=neth,dc=eu '(objectClass=user)'
   # search reference
   ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=DomainDnsZones,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=ForestDnsZones,DC=neth,DC=eu

And this is against an MS-2012 DC:

   ldapsearch -D 'davidep@adnethesis.it' -w '******' -H ldaps://192.168.*.* -b dc=adnethesis,dc=it '(objectClass=user)'
   # search reference
   ref: ldaps://ForestDnsZones.adnethesis.it/DC=ForestDnsZones,DC=adnethesis,DC=i

   # search reference
   ref: ldaps://DomainDnsZones.adnethesis.it/DC=DomainDnsZones,DC=adnethesis,DC=i

   # search reference
   ref: ldaps://adnethesis.it/CN=Configuration,DC=adnethesis,DC=it

Note the ldaps:// from MS, against ldap:// from Samba.

The Samba response may cause a client (roundcube-1.1.7/openldap-2.4.40-13.el7.x86_64) to fail silently because it cannot bind correctly to that URL if non-encrypted binds are disabled. Disabling referrals chasing in the client or connecting to ldap://+STARTTLS mitigates the problem.

More information from the Samba ML:
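The failure mode in the report is a transport downgrade: a client that opened ldaps:// and chases the Samba referrals would reconnect over plain ldap://, which a client configured to refuse unencrypted binds cannot do. The script below is an added example, not code from the bug report or from Samba: it parses the `ref:` lines of ldapsearch LDIF output, flags referrals whose scheme is weaker than the session they were returned on, and rewrites them to ldaps:// for a client that must chase them. The sample output is constructed from the referrals quoted in the report; rewriting assumes the referred host also serves LDAPS on the default port 636, which both DCs in the report do.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the Samba DC referrals quoted in the bug report,
# returned on an ldaps:// session.
SAMBA_OUTPUT = """\
# search reference
ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

# search reference
ref: ldap://neth.eu/DC=DomainDnsZones,DC=neth,DC=eu

# search reference
ref: ldap://neth.eu/DC=ForestDnsZones,DC=neth,DC=eu
"""

# Constructed sample: the Windows DC referrals quoted in the bug report.
WINDOWS_OUTPUT = """\
# search reference
ref: ldaps://ForestDnsZones.adnethesis.it/DC=ForestDnsZones,DC=adnethesis,DC=it

# search reference
ref: ldaps://adnethesis.it/CN=Configuration,DC=adnethesis,DC=it
"""


def parse_referrals(ldif_text):
    """Return the referral URIs from ldapsearch's LDIF output ('ref:' lines)."""
    refs = []
    for line in ldif_text.splitlines():
        if line.startswith("ref: "):
            refs.append(line[len("ref: "):].strip())
    return refs


def downgraded_referrals(connection_uri, referrals):
    """Return the referrals that a chasing client would follow over a weaker
    transport than the original session: ldaps:// session, non-ldaps referral.
    A plain ldap:// session has nothing to downgrade from, so it yields []."""
    if urlsplit(connection_uri).scheme.lower() != "ldaps":
        return []
    return [r for r in referrals if urlsplit(r).scheme.lower() != "ldaps"]


def upgrade_referral(ref):
    """Rewrite an ldap:// referral to ldaps://. Assumption (hypothetical for a
    general deployment): the referred host serves LDAPS on the default port
    636, so an explicit :389 is dropped rather than carried over to TLS."""
    parts = urlsplit(ref)
    if parts.scheme.lower() == "ldaps":
        return ref
    host = parts.hostname or ""
    port = parts.port
    netloc = host if port in (None, 389) else f"{host}:{port}"
    return urlunsplit(("ldaps", netloc, parts.path, parts.query, parts.fragment))


def safe_referrals(connection_uri, ldif_text):
    """Parse the output and return (downgraded, rewritten): the referrals that
    would downgrade the session and the same list rewritten to ldaps://."""
    refs = parse_referrals(ldif_text)
    bad = downgraded_referrals(connection_uri, refs)
    return bad, [upgrade_referral(r) for r in bad]


if __name__ == "__main__":
    for label, out in (("samba", SAMBA_OUTPUT), ("windows", WINDOWS_OUTPUT)):
        bad, fixed = safe_referrals("ldaps://example.invalid", out)
        print(f"{label}: {len(bad)} downgraded referral(s)")
        for before, after in zip(bad, fixed):
            print(f"  {before} -> {after}")
```

If the client cannot be changed, the mitigations named in the report remain the practical ones: stop chasing referrals (OpenLDAP's ldapsearch only chases with `-C`, and libldap honours `REFERRALS off` in ldap.conf) or connect with ldap:// plus STARTTLS so that the referral scheme matches the session.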