If the client connects to ldaps:// with simple bind, the Samba 4.4 DC response differs from Windows Server 2012: a different URI scheme is present in LDAP referrals.

For instance, this is an ldapsearch command output against Samba DC:

    ldapsearch -D 'davidep@neth.eu' -w '*****' -H ldaps://neth.eu -b dc=neth,dc=eu '(objectClass=user)'
    ...
    # search reference
    ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

    # search reference
    ref: ldap://neth.eu/DC=DomainDnsZones,DC=neth,DC=eu

    # search reference
    ref: ldap://neth.eu/DC=ForestDnsZones,DC=neth,DC=eu

And this is against MS-2012 DC:

    ldapsearch -D 'davidep@adnethesis.it' -w '******' -H ldaps://192.168.*.* -b dc=adnethesis,dc=it '(objectClass=user)'
    ...
    # search reference
    ref: ldaps://ForestDnsZones.adnethesis.it/DC=ForestDnsZones,DC=adnethesis,DC=i
     t

    # search reference
    ref: ldaps://DomainDnsZones.adnethesis.it/DC=DomainDnsZones,DC=adnethesis,DC=i
     t

    # search reference
    ref: ldaps://adnethesis.it/CN=Configuration,DC=adnethesis,DC=it

Note the ldaps:// from MS, against ldap:// from Samba.

The Samba response may cause a client (roundcube-1.1.7/openldap-2.4.40-13.el7.x86_64) to fail silently because it cannot bind correctly to that URL if non-encrypted binds are disabled.

Disabling referral chasing in the client or connecting to ldap://+STARTTLS mitigates the problem.

More information from the samba ML: https://lists.samba.org/archive/samba/2016-December/205480.html
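The scheme mismatch described in the report above can be checked mechanically from saved ldapsearch output. This is an added example, not part of the bug report or of Samba's code; the function names and the sample text are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the ldapsearch output quoted in the report.
# The second referral is folded the way ldapsearch wraps long LDIF lines.
SAMPLE = """\
# search reference
ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

# search reference
ref: ldaps://DomainDnsZones.adnethesis.it/DC=DomainDnsZones,DC=adnethesis,DC=i
 t
"""


def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def referrals(ldif):
    """Return the URIs of all 'ref:' search references in ldapsearch output."""
    return [ln[4:].strip() for ln in unfold(ldif) if ln.startswith("ref: ")]


def downgraded_referrals(server_uri, ldif):
    """Referrals that would leave TLS when the search itself ran over ldaps://."""
    if urlsplit(server_uri).scheme.lower() != "ldaps":
        return []  # connection was not ldaps://, nothing to downgrade from
    return [r for r in referrals(ldif) if urlsplit(r).scheme.lower() != "ldaps"]


if __name__ == "__main__":
    for uri in downgraded_referrals("ldaps://neth.eu", SAMPLE):
        print("cleartext referral on an ldaps:// connection:", uri)
```

Any URI it reports is one a referral-chasing client would try to bind to without TLS, which is the case that fails when non-encrypted binds are disabled.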
Fixed in master for V4.11 commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa
Created attachment 15191
Proposed patch for V4.10

CI: https://gitlab.com/samba-team/devel/samba/pipelines/63231529

Had conflicts on source4/selftest/tests.py when cherry picking, also had to change the testenv to ad_dc_ntvfs.
Created attachment 15192
Proposed patch for V4.9

CI: https://gitlab.com/samba-team/devel/samba/pipelines/63232167

Had cherry pick conflicts on source4/selftest/tests.py and needed to change the test environment to "ad_dc_ntvfs"
Pushed to autobuild-v4-{9,10}-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!
Sadly the backports did not include a new ldb release number so this needs to be added. No change is needed in master (we only make ldb releases in master at rc0 and for ABI changes), but without a new version the backports break the build if a system ldb is found.
(In reply to Andrew Bartlett from comment #6) This blocks the 4.10 release today, right?
If the same is going to happen with 4.10 what happened with 4.9 then all packagers will have problems also with 4.10. Same happens of course on my Debian/Ubuntu builds.

    ../source4/dsdb/samdb/ldb_modules/partition.c: In function 'partition_search':
    ../source4/dsdb/samdb/ldb_modules/partition.c:906:14: error: 'LDAP_REFERRAL_SCHEME_OPAQUE' undeclared (first use in this function)
             ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../source4/dsdb/samdb/ldb_modules/partition.c:906:14: note: each undeclared identifier is reported only once for each function it appears in
    Waf: Leaving directory `/home/pbuilder/archive/build-samba/11-samba/stretch/samba-4.9.10+nmu/bin'
    Build failed: -> task failed (err #1):
    {task: cc partition.c -> partition_55.o}
    debian/rules:96: recipe for target 'override_dh_auto_build' failed
    make[1]: *** [override_dh_auto_build] Error 1
Re-assigning to Gary.
ldb releases are done.
(In reply to Stefan Metzmacher from comment #10) Samba 4.9.11 has been released.
Closing out bug report. Thanks!