Failed To Issue The StartTLS Instruction: Connect Error (Samba)
my head against the wall for about 4 days now trying to get Samba to use LDAP authentication (using SSL). I think I have the smb.conf setup properly, e.g.:

  passdb backend = ldapsam:ldaps://virt-ldap-srv.mydomain.int:636/

However, when testing the client side (test user "eva") I keep getting:

  tree connect failed: NT_STATUS_ACCESS_DENIED

Tailing the samba log file, I find several errors in succession:

  [2009/10/02 11:22:35, 0] lib/smbldap.c:smb_ldap_start_tls(600)
    Failed to issue the StartTLS instruction: Operations error
  [2009/10/02 11:22:35, 1] lib/smbldap.c:another_ldap_try(1175)
    Connection to LDAP server failed for the 1 try!
  [2009/10/02 11:22:36, 1] passdb/pdb_get_set.c:pdb_set_user_sid_from_string(517)
    pdb_set_user_sid_from_string: 0-815-4711-4003 isn't a valid SID!
  [2009/10/02 11:22:36, 1] passdb/pdb_ldap.c:init_sam_from_ldap(617)
    init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user eva
  [2009/10/02 11:22:36, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
    ldapsam_getsampwnam: init_sam_from_ldap failed for user 'eva'!
  [2009/10/02 11:22:36, 0] lib/smbldap.c:smb_ldap_start_tls(600)
    Failed to issue the StartTLS instruction: Operations error
  [2009/10/02 11:22:36, 1] lib/smbldap.c:another_ldap_try(1175)
    Connection to LDAP server failed for the 1 try!
  [2009/10/02 11:22:37, 0] lib/smbldap.c:smb_ldap_start_tls(600)
    Failed to issue the StartTLS instruction: Operations error
  [2009/10/02 11:22:37, 1] lib/smbldap.c:another_ldap_try(1175)
    Connection to LDAP server failed for the 1 try!
  [2009/10/02 11:22:38, 0] smbd/service.c:make_connection_snum(740)
    create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

The first error seems pretty ominous ("Failed to issue the StartTLS instruction: Operations error"). However, I can use ldaps from the command line on the samba server (and other machines), so I don't think the problem is on the LDAP server. All suggestions are welcome!

awclemen, October 2nd, 2009, 06:19 PM
Well, since you are looking for any suggestions, here's one out of left field. I think using TLS, you need to use port 389, not 636. http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html#smb.conf.tls Good Luck!

HDave, October 2nd, 2009, 11:22 PM
You are right. In fact, I found out that if you provide the URI as "ldaps://..." then you need to explicitly tell Samba NOT to use TLS. The incredibly obtuse way you do this is with the following configuration in smb.conf:

  ldap ssl = off

The default for ldap ssl is "Start TLS". The values of yes, no, and on are no longer valid.
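The thread's resolution comes down to a mismatch between the URI scheme and the `ldap ssl` mode: an ldaps:// URI is already TLS-wrapped, and the default `ldap ssl = start tls` makes Samba issue StartTLS on top of it. As an added example (not code from the thread or from Samba), here is a small Python linter that parses the [global] section of an smb.conf and flags the combinations discussed above: an ldaps:// URI left on the default mode, a plaintext ldap:// URI pointing at port 636, the retired yes/no/on values, and, for completeness, an ldap:// URI with TLS switched off, which sends the ldapsam admin bind in clear text. The config fragments and host name are constructed sample input (the host name is the poster's placeholder); `parse_global`, `ldap_uris` and `check_ldap_tls` are names chosen for this example.

```python
import re

# Constructed sample smb.conf fragments for this example. The hostname is the
# placeholder the thread's poster used; nothing here points at a real server.
BROKEN_CONF = """\
[global]
    workgroup = MYDOMAIN
    passdb backend = ldapsam:ldaps://virt-ldap-srv.mydomain.int:636/
"""
# The thread's fix: keep the ldaps:// URI and switch StartTLS off.
FIXED_CONF = BROKEN_CONF + "    ldap ssl = off\n"
# The other valid shape: plain ldap:// on 389 upgraded with StartTLS.
STARTTLS_CONF = """\
[global]
    passdb backend = ldapsam:ldap://virt-ldap-srv.mydomain.int:389/
    ldap ssl = start tls
"""
# A retired 'ldap ssl' value plus a plaintext URI aimed at the ldaps port.
LEGACY_CONF = """\
[global]
    passdb backend = ldapsam:ldap://virt-ldap-srv.mydomain.int:636/
    ldap ssl = on
"""


def parse_global(conf):
    """Return the [global] parameters as {name: value}; names are lower-cased
    with inner whitespace collapsed, since Samba ignores both."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def ldap_uris(params):
    """URIs named by 'passdb backend = ldapsam:...' (Samba allows several)."""
    return re.findall(r"ldaps?://[^\s\"']+", params.get("passdb backend", ""))


def check_ldap_tls(conf):
    """Return (code, message) findings for the URI / 'ldap ssl' combinations
    discussed in the thread, plus the cleartext case a reviewer would flag."""
    params = parse_global(conf)
    uris = ldap_uris(params)
    if not uris:                      # tdbsam etc.: nothing LDAP-related to check
        return []
    # 'start tls' is Samba's documented default when the parameter is absent;
    # 'start_tls' is accepted as a spelling of the same mode.
    mode = " ".join(params.get("ldap ssl", "start tls").lower().replace("_", " ").split())
    findings = []
    if mode in ("yes", "no", "on"):
        findings.append(("DEPRECATED_LDAP_SSL_VALUE",
                         f"'ldap ssl = {mode}' is no longer a valid value; use 'off' or 'start tls'"))
    for uri in uris:
        scheme, rest = uri.split("://", 1)
        hostport = rest.split("/", 1)[0]
        # Ignore the colons inside a bracketed IPv6 literal without a port.
        port = hostport.rsplit(":", 1)[1] if ":" in hostport and not hostport.endswith("]") else None
        if scheme == "ldaps" and mode == "start tls":
            findings.append(("LDAPS_WITH_STARTTLS",
                             f"{uri}: the session is already TLS-wrapped, yet 'ldap ssl' is "
                             f"'start tls' (the default), so Samba also issues StartTLS on it "
                             f"and the bind fails; set 'ldap ssl = off' for ldaps:// URIs"))
        if scheme == "ldap" and port == "636":
            findings.append(("LDAP_URI_ON_LDAPS_PORT",
                             f"{uri}: plaintext ldap:// scheme aimed at the ldaps port; use "
                             f"ldaps://...:636 with 'ldap ssl = off', or ldap://...:389 with StartTLS"))
        if scheme == "ldap" and mode == "off":
            findings.append(("CLEARTEXT_LDAP",
                             f"{uri}: no TLS at all; the ldapsam admin bind credentials and "
                             f"password hashes travel in clear text"))
    return findings


if __name__ == "__main__":
    for label, conf in [("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                        ("starttls", STARTTLS_CONF), ("legacy", LEGACY_CONF)]:
        print(label, check_ldap_tls(conf) or "ok")
```

Run against the poster's original fragment the linter reports only `LDAPS_WITH_STARTTLS`; with `ldap ssl = off` appended it reports nothing, which is the state the thread ends in. The `CLEARTEXT_LDAP` check is there because `ldap ssl = off` is the right answer only together with an ldaps:// URI; pasted next to a plain ldap:// URI it silently downgrades the directory connection.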
Bug 663485 - Failed to issue the StartTLS instruction: Connect error
https://bugzilla.redhat.com/show_bug.cgi?id=663485

Status: CLOSED DUPLICATE of bug 636956
Product: Fedora
Component: openldap
Version: 14
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-12-15 17:36 EST by Zoran Pericic
Modified: 2011-01-18 20:51 EST
Last Closed: 2011-01-18 20:51:33 EST
CC List: 6 users: bbuesker gdeschner jvcelak mike rmeggins ssorce

Attachments:
  Samba log with ldap debug level = -1 and some debug patches. (8.16 KB, text/x-log) 2010-12-26 14:35 EST, Zoran Pericic
  Temporary patch to enhance tls_m.c debugging. (5.69 KB, patch) 2010-12-26 14:36 EST, Zoran Pericic
  Temporary patch to enhance samba-ldap debugging (1.14 KB, patch) 2010-12-26 14:37 EST, Zoran Pericic

Description, Zoran Pericic, 2010-12-15 17:36:53 EST

Description of problem:
Samba BDC can't connect to existing OpenLDAP with TLS when clients try to connect to samba.

In the main log (/var/log/samba/log.smb) I could see that samba could connect to the server and it could retrieve info. Also the pdbedit tool works correctly. But when clients try to connect I get: "Failed to issue the StartTLS instr
Launchpad bug, samba (Ubuntu): https://bugs.launchpad.net/bugs/1576799
Status: New
Importance: High
Assigned to: Ubuntu Security Team (ubuntu-security)
Filed here by: Cindy Quach
When: 2016-04-29
Assigned: 2016-05-03

Bug Description
With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we were seeing regression with authentication:

/var/log/syslog
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]: Failed to issue the StartTLS instruction: Connect error
  Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Apr 28 17:45:52 hostname winbindd[769]: Failed to issue the StartTLS instruction: Connect error

We had to rollback to 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

Here's a basic samba config that reproduces the issue. Perfectly reproducible with this:

  realm = AD.DOMAIN.COM
  security = ads
  ldap ssl = start_tls
  ldap ssl ads = yes

  [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
  [LDAP] ldap_err2string Failed to issue the StartTLS instruction: Connect error

Samba seems to construct the LDAP URL with the IP of the AD controller in it instead of the hostname, and then, because our ldap.conf requires it, the server cert validation fails. Please let me know if there are any other logs I can provide.

Sebastien Bacher (seb128) on 2016-05-03
Changed in samba (Ubuntu):
  assignee: nobody → Ubuntu Security Team (ubuntu-security)
  importance: Undecided → High

Cindy Quach (cindyq) wrote on 2016-05-06: #1
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and wa
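The mismatch line in the report shows the two names the validator compared: the IP address Samba put into the LDAP URL and the CN in the controller's certificate. As an added example (not code from the bug report, from Samba or from OpenLDAP), the Python below pulls the StartTLS failure reasons and that name pair out of such log lines, then applies the RFC 6125 reference-identity rules to show why an IP literal can be satisfied only by an iPAddress subjectAltName and never by a hostname CN, while the controller's DNS name would match. It implements the RFC rules rather than any one library's matcher. `SAMPLE_LOG`, `CERT` and every name and address in them are constructed placeholders; `starttls_failures`, `cert_name_mismatches`, `name_matches` and `diagnose` are names chosen for this example.

```python
import ipaddress
import re

# Constructed log lines modelled on the report's syslog excerpt. The IP, the
# host name and the certificate names are placeholders for this example.
SAMPLE_LOG = """\
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
Apr 28 17:45:52 hostname winbindd[769]:   [LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (dc1.ad.domain.com).
Apr 28 17:45:53 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Operations error
"""

# Constructed stand-in for the controller's certificate: a hostname CN and
# dNSName SANs, but no iPAddress SAN, which is the usual shape of an AD DC cert.
CERT = {"cn": "dc1.ad.domain.com",
        "dns": ["dc1.ad.domain.com", "*.ad.domain.com"],
        "ip": []}

STARTTLS_RE = re.compile(r"Failed to issue the StartTLS instruction: (?P<reason>.+?)\s*$")
MISMATCH_RE = re.compile(r"TLS: hostname \((?P<target>[^)]+)\) does not match "
                         r"common name in certificate \((?P<cn>[^)]+)\)")


def starttls_failures(log):
    """Reason strings Samba logged after each failed StartTLS attempt."""
    return [m.group("reason") for m in map(STARTTLS_RE.search, log.splitlines()) if m]


def cert_name_mismatches(log):
    """(name the client connected with, CN it was compared against) pairs."""
    return [(m.group("target"), m.group("cn"))
            for m in map(MISMATCH_RE.search, log.splitlines()) if m]


def name_matches(target, dns_names, ip_names, cn=None):
    """RFC 6125 reference-identity check: an IP literal is satisfied only by an
    iPAddress SAN; a DNS name by a dNSName SAN (one leftmost '*' label allowed),
    with the CN consulted only when the certificate carries no dNSName SAN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(n) for n in ip_names)
    host = target.lower().rstrip(".")
    candidates = dns_names if dns_names else ([cn] if cn else [])
    for name in candidates:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # '*.ad.domain.com' covers 'dc2.ad.domain.com' but not 'x.dc2.ad.domain.com'
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(log, cert):
    """Tie the log to the certificate: for every mismatch Samba logged, say
    whether the name it connected with could ever satisfy this certificate,
    and whether the CN it was compared against would have."""
    report = []
    for target, logged_cn in cert_name_mismatches(log):
        report.append({
            "target": target,
            "target_matches": name_matches(target, cert["dns"], cert["ip"], cert["cn"]),
            "cn_would_match": name_matches(logged_cn, cert["dns"], cert["ip"], cert["cn"]),
        })
    return report


if __name__ == "__main__":
    print(starttls_failures(SAMPLE_LOG))
    for entry in diagnose(SAMPLE_LOG, CERT):
        print(entry)
```

Run on the constructed excerpt, `diagnose` says the same thing the reporter concluded: the IP literal in the URL cannot satisfy a hostname-only certificate, but the controller's DNS name would. The durable fixes are therefore to have the connection made by name or to issue the controller a certificate that carries an iPAddress SAN; relaxing TLS_REQCERT in ldap.conf would make the error disappear but removes the check that caught the mismatch.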