Bug 13124 - StartTLS certificate verification broken in ldap ssl ads
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: x86 Linux
Importance: P5 regression
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-11-07 15:40 UTC by john.workman
Modified: 2018-01-31 06:58 UTC (History)

Description john.workman 2017-11-07 15:40:22 UTC

StartTLS certificate verification broken in ldap ssl ads.


 - Windows domain with at least one domain controller with LDAP starttls enabled and valid SSL certificates installed for this service
 - winbindd joined to the domain
 - winbindd configured with /etc/samba/smb.conf with the following:
         ldap ssl = start_tls
         ldap ssl ads = yes
         client ldap sasl wrapping = plain
         ldap debug level = 10

 - /etc/ldap/ldap.conf (libldap-2.4) configured with the following:

         TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
         TLS_REQCERT	demand

Steps to trigger the bug:

Start winbindd as:
winbindd -F -S -d 11

Then run:
wbinfo --user-info=some_user_in_active_directory

winbindd will produce a message like:
[LDAP] TLS: hostname ( does not match common name in certificate (mavdisk.mnsu.edu).

The problem appears to be in source3/libads/ldap.c, ldap_open() is being supplied with the LDAP server's IP address, instead of hostname.

Reversing the following change fixes this issue:



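To make the failure in the log line above concrete, here is an added example (not Samba or libldap code) that models what a TLS hostname check does with the name it is handed: a DNS name can match the CN or a dNSName SAN, but an IP literal, as passed to ldap_open() in this bug, only matches an iPAddress SAN. The certificate identity and the 192.0.2.10 address are constructed.

```python
import ipaddress
from typing import Optional

# Constructed DC certificate identity, modelled on the CN in the reported log line.
DC_CERT = {
    "cn": "mavdisk.mnsu.edu",
    "san_dns": ["mavdisk.mnsu.edu"],
    "san_ip": [],  # no iPAddress SAN, as is typical for a DC certificate
}


def _dns_name_match(pattern: str, name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a wildcard is only honoured as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def tls_name_matches(cert: dict, connect_name: str) -> bool:
    """True if the name given to the TLS layer is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches the CN or a dNSName SAN.
        return any(ip == ipaddress.ip_address(s) for s in cert["san_ip"])
    if cert["san_dns"]:
        # When dNSName SANs are present the CN is not consulted.
        return any(_dns_name_match(p, connect_name) for p in cert["san_dns"])
    return _dns_name_match(cert["cn"], connect_name)


def verify_hostname(cert: dict, connect_name: str) -> Optional[str]:
    """None on success, otherwise a message in the style of the libldap log line."""
    if tls_name_matches(cert, connect_name):
        return None
    return (f"TLS: hostname ({connect_name}) does not match common name "
            f"in certificate ({cert['cn']}).")


if __name__ == "__main__":
    for target in ("mavdisk.mnsu.edu", "192.0.2.10"):  # DNS name vs. the DC's IP
        print(target, "->", verify_hostname(DC_CERT, target) or "ok")
```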
Comment 1 Björn Baumbach 2017-12-13 14:37:49 UTC
(In reply to john.workman from comment #0)

Dear John,

thank you for reporting this.

Unfortunately my commit message for the patch was very short and does not point to the reason for the patch in detail.
I assume my intention was to fix 'net rpc join' on systems with a broken dns configuration. This patch might not be necessary anymore and should be verified.
If it's working fine, we should reverse my patch and use it as the bug fix.

John, can you verify this? Otherwise I'll try this later.

Best regards,
Comment 2 Andreas Hasenack 2017-12-18 13:23:37 UTC
Ubuntu Xenial test packages with that change reversed are currently building in this PPA if someone wants to test them:


I don't have an AD at hand right now to try it myself.
Comment 3 arjithpe 2017-12-19 05:46:21 UTC
I have tried this fix.
But I am still getting the same issue.
Comment 4 john.workman 2017-12-19 15:47:04 UTC
(In reply to Björn Baumbach from comment #1)

I assumed this was the reason for the change I linked to (where the NetBIOS name cannot be resolved through DNS, so make LDAP just use the IP).

I confirm that reversing the patch fixed the TLS issue for me. I am running production winbind against Active Directory servers with full TLS crypto and certificate verification.
Comment 5 Andreas Hasenack 2017-12-31 13:33:05 UTC
Reverting that commit worked past the certificate issue for me, but I hit something else that looks like a microsoft issue:

[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

I was able to work around that by setting "client ldap sasl wrapping = plain" in smb.conf.
Comment 6 arjithpe 2018-01-31 06:58:34 UTC
With the patch from Andreas and setting "client ldap sasl wrapping = plain" in smb.conf,
I am able to run net ads join successfully with StartTLS when the AD DC is Windows Server.
But if I configure Samba as AD DC I get the error below:

Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.

Note: I have also tried to change "client ldap sasl wrapping = sign".

I have observed this issue on Ubuntu and HP-UX.