Bug 13124 - StartTLS certificate verification broken in ldap ssl ads
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.5.12
Hardware: x86 Linux
Importance: P5 regression
Assigned To: Andrew Bartlett
Reported: 2017-11-07 15:40 UTC by john.workman
Modified: 2017-12-31 13:33 UTC (History)
Description john.workman 2017-11-07 15:40:22 UTC
Summary:

StartTLS certificate verification broken in ldap ssl ads.


Configuration: 

 - Windows domain with at least one domain controller with LDAP starttls enabled and valid SSL certificates installed for this service
 - winbindd joined to the domain
 - winbind configured with /etc/samba/smb.conf with the following:
         
         ldap ssl = start_tls
         ldap ssl ads = yes
         client ldap sasl wrapping = plain
         ldap debug level = 10

 - /etc/ldap/ldap.conf (libldap-2.4) configured with the following:

         TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
         TLS_REQCERT	demand
         

Steps to trigger the bug:

Start winbindd as:
winbindd -F -S -d 11


Then run:
wbinfo --user-info=some_user_in_active_directory


winbindd will produce a message like:
[LDAP] TLS: hostname (134.29.52.75) does not match common name in certificate (mavdisk.mnsu.edu).


The problem appears to be in source3/libads/ldap.c: ldap_open() is being supplied with the LDAP server's IP address instead of its hostname.

Reversing the following change fixes this issue:

https://github.com/samba-team/samba/commit/2b44c85c7b322b392c8d3d0f393171ca54bb5f47#diff-bfc4ccf9689e89040e08d5730d53961e


References:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799
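To show why passing the DC's IP address to ldap_open() breaks StartTLS verification, here is an added example (not Samba code and not from the reporter) that applies the RFC 6125 / RFC 2818 matching rules to a certificate in the dict layout returned by Python's ssl.getpeercert(): an IP literal is only compared to "IP Address" SAN entries, never to dNSName SANs or the subject CN. The certificate and host names below are constructed placeholders.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a leading '*' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def peer_name_matches(cert: dict, connect_name: str) -> bool:
    """Return True if the name used to open the connection is covered by `cert`.

    `cert` mimics ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs,
    'subjectAltName' a tuple of (kind, value) pairs.  An IP literal passed as
    connect_name can only be satisfied by an 'IP Address' SAN, which is why a
    connection opened to the DC's address fails against a DNS-only certificate.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, connect_name) for p in dns_names)
    # Legacy fallback used only when the cert carries no dNSName SAN: compare the CN.
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return _dns_match(val, connect_name)
    return False


# Constructed sample: a DC certificate issued to its DNS name only (placeholder names).
DC_CERT = {
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"),),
}

# Same DC, but the certificate additionally lists the address as an IP SAN.
DC_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"), ("IP Address", "192.0.2.10")),
}
```

Connecting by hostname passes, connecting by IP fails unless the DC certificate carries an IP SAN, which mirrors the "hostname does not match common name" message in the report.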
Comment 1 Björn Baumbach 2017-12-13 14:37:49 UTC
(In reply to john.workman from comment #0)

Dear John,

thank you for reporting this.

Unfortunately my commit message for the patch was very short and does not point to the reason for the patch in detail.
I assume my intention was to fix 'net rpc join' on systems with a broken dns configuration. This patch might not be necessary anymore and should be verified.
If it's working fine, we should reverse my patch and use it as the bug fix.

John, can you verify this? Otherwise I'll try this later.

Best regards,
Björn
Comment 2 Andreas Hasenack 2017-12-18 13:23:37 UTC
Ubuntu Xenial test packages with that change reversed are currently building in this PPA if someone wants to test them:

https://launchpad.net/~ahasenack/+archive/ubuntu/samba-tls-regression-1576799

I don't have an AD at hand right now to try it myself.
Comment 3 arjithpe 2017-12-19 05:46:21 UTC
I have tried this fix.
But I am still getting the same issue.
Comment 4 john.workman 2017-12-19 15:47:04 UTC
(In reply to Björn Baumbach from comment #1)

I assumed this was the reason for the change I linked to (where the NetBIOS name cannot be resolved through DNS, so make LDAP just use the IP).

I confirm that reversing the patch fixed the TLS issue for me. I am running production winbind against Active Directory servers with full TLS crypto and certificate verification.
Comment 5 Andreas Hasenack 2017-12-31 13:33:05 UTC
Reverting that commit worked past the certificate issue for me, but I hit something else that looks like a Microsoft issue:

[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>


I was able to work around that by setting "client ldap sasl wrapping = plain" in smb.conf.