Bug 13124 - StartTLS certificate verification broken in ldap ssl ads
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.5.12
Hardware: x86 Linux
Importance: P5 major
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-11-07 15:40 UTC by john.workman
Modified: 2017-11-08 07:42 UTC
CC: 2 users

Description john.workman 2017-11-07 15:40:22 UTC
Summary:

StartTLS certificate verification broken in ldap ssl ads.


Configuration: 

- Windows domain with at least one domain controller with LDAP StartTLS enabled and valid SSL certificates installed for this service
- winbindd joined to the domain
- winbindd configured in /etc/samba/smb.conf with the following:
         
         ldap ssl = start_tls
         ldap ssl ads = yes
         client ldap sasl wrapping = plain
         ldap debug level = 10

- /etc/ldap/ldap.conf (libldap-2.4) configured with the following:

         TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
         TLS_REQCERT	demand
         

Steps to trigger the bug:

Start winbindd as:
winbindd -F -S -d 11


Then run:
wbinfo --user-info=some_user_in_active_directory


winbindd will produce a message like:
[LDAP] TLS: hostname (134.29.52.75) does not match common name in certificate (mavdisk.mnsu.edu).


The problem appears to be in source3/libads/ldap.c: ldap_open() is being supplied with the LDAP server's IP address instead of its hostname.

Reversing the following change fixes this issue:

https://github.com/samba-team/samba/commit/2b44c85c7b322b392c8d3d0f393171ca54bb5f47#diff-bfc4ccf9689e89040e08d5730d53961e


References:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799
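The failure reported above, as an added illustration that is not Samba or libldap code: a minimal RFC 6125-style peer-name check over certificates in the dict shape Python's `ssl.getpeercert()` returns. The certificates below are constructed (the names are taken from the log line in the report), and `verify_peer_name` stands in for the check a TLS client performs against whatever name it was told to connect to. It shows why handing the connection the IP address breaks verification against a certificate that only names the host, and what the certificate would need (an IP SAN) for a dial-by-IP to pass.

```python
"""Peer-name verification as a StartTLS client applies it: the name checked is
the name the client connected to, so dialing an IP address while the
certificate only names a DNS host fails even though the certificate is valid.
Added illustration; not Samba, winbindd or libldap code."""
import ipaddress

# Constructed certificates in the dict shape ssl.getpeercert() returns.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "mavdisk.mnsu.edu"),),),
    "subjectAltName": (("DNS", "mavdisk.mnsu.edu"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "mavdisk.mnsu.edu"),),),
    "subjectAltName": (("DNS", "mavdisk.mnsu.edu"), ("IP Address", "134.29.52.75")),
}
CERT_CN_ONLY = {  # legacy certificate with no subjectAltName extension
    "subject": ((("commonName", "mavdisk.mnsu.edu"),),),
}


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """DNS-ID match: case-insensitive, trailing dot ignored; a wildcard is only
    accepted as the whole left-most label and never for the registrable domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_match(san_ip, target_ip):
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(target_ip)
    except ValueError:
        return False


def verify_peer_name(target, cert):
    """Return (ok, reason). `target` is the name or address the client dialed."""
    try:
        ipaddress.ip_address(target)
        target_is_ip = True
    except ValueError:
        target_is_ip = False

    sans = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in sans if k == "DNS"]
    ip_ids = [v for k, v in sans if k == "IP Address"]
    cn = _common_name(cert)

    if target_is_ip:
        # An address is only ever matched against IP SANs; a DNS name or CN
        # can never satisfy it, which is exactly the reported failure.
        if any(_ip_match(ip, target) for ip in ip_ids):
            return True, "matched IP SAN"
        return False, f"TLS: hostname ({target}) does not match common name in certificate ({cn})"

    if dns_ids:
        # When DNS SANs are present the CN is ignored entirely.
        if any(_dns_match(p, target) for p in dns_ids):
            return True, "matched DNS SAN"
        return False, f"TLS: hostname ({target}) does not match any DNS SAN {dns_ids}"

    # Fallback for certificates without a SAN extension.
    if cn is not None and _dns_match(cn, target):
        return True, "matched CN (no SAN present)"
    return False, f"TLS: hostname ({target}) does not match common name in certificate ({cn})"


if __name__ == "__main__":
    for target, cert, label in [
        ("134.29.52.75", CERT_DNS_ONLY, "dial by IP, DNS-only cert"),
        ("mavdisk.mnsu.edu", CERT_DNS_ONLY, "dial by hostname, DNS-only cert"),
        ("134.29.52.75", CERT_WITH_IP_SAN, "dial by IP, cert has IP SAN"),
    ]:
        print(f"{label}: {verify_peer_name(target, cert)}")
```

The first scenario reproduces the report: the certificate is fine, but the client was asked to verify the address it dialed, so the check can only succeed if the client is given the hostname (or the DC's certificate carries an IP SAN, which is rarely the case). Keeping the hostname as the connection target, as the reverted change did, is what makes `TLS_REQCERT demand` usable.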