Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
With the recent samba upgrade to 2:4.3.8+
/var/log/syslog
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470, 0] ../source3/
Apr 28 17:45:52 hostname winbindd[769]: Failed to issue the StartTLS instruction: Connect error
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408, 0] ../source3/
Apr 28 17:45:52 hostname winbindd[769]: Failed to issue the StartTLS instruction: Connect error
We had to rollback to: 2:4.1.6+
Here's a basic samba config that reproduces the issue:
Perfectly reproducible with this:
realm = AD.DOMAIN.COM
security = ads
ldap ssl = start_tls
ldap ssl ads = yes
[LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
[LDAP] ldap_err2string
Failed to issue the StartTLS instruction: Connect error
Samba seems to construct the LDAP URL with the IP of the AD controller in it instead of the hostname and then because our ldap.conf requires it, the server cert validation fails
Please let me know if there are any other logs I can provide
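The following Python is an added example, not code from the bug report or from Samba. It reproduces the hostname-verification rule that makes the failure above deterministic: an IP literal in the LDAP URL can only match an iPAddress SAN, so a certificate that names the controller only by its DNS name (subject CN or dNSName SAN) fails when the client connects by IP. The certificate dict, the domain controller name dc1.ad.domain.com and the log line are constructed for the example; the dict follows the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Added example (not part of the bug report or of Samba): why an LDAP URL
built from the domain controller's IP fails server certificate validation
when ldap.conf requires a valid certificate.

Certificate, controller name and log line below are constructed.
"""
import ipaddress
import re

# Constructed: a peer certificate in the dict form returned by
# ssl.SSLSocket.getpeercert(). The controller's cert names the host, not its IP.
DC_CERT = {
    "subject": ((("commonName", "dc1.ad.domain.com"),),),
    "subjectAltName": (("DNS", "dc1.ad.domain.com"),),
}

# Constructed log line, in the shape libldap logs through winbindd.
LOG_LINE = ("[LDAP] TLS: hostname (172.12.12.12) does not match common name "
            "in certificate (dc1.ad.domain.com).")

MISMATCH_RE = re.compile(
    r"TLS: hostname \((?P<target>[^)]+)\) does not match common name "
    r"in certificate \((?P<cn>[^)]+)\)"
)


def parse_mismatch(line):
    """Return (connected-to name, certificate CN) from a libldap
    hostname-mismatch log line, or None if the line is something else."""
    m = MISMATCH_RE.search(line)
    return (m.group("target"), m.group("cn")) if m else None


def is_ip(target):
    """True when the connection target is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_names(cert):
    """Collect the names a TLS client may match: dNSName and iPAddress SANs,
    with the subject CN used only as a fallback when no dNSName SAN exists
    (RFC 6125 section 6.4.4)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def cert_matches(cert, target):
    """Hostname verification as a TLS client applies it: an IP literal matches
    only an iPAddress SAN; a hostname matches a dNSName SAN or the CN."""
    dns, ips = cert_names(cert)
    if is_ip(target):
        return target in ips
    return target.lower() in dns


def diagnose(line, cert):
    """Turn a mismatch log line plus the presented certificate into a finding:
    what was connected to, what the certificate names, whether the connection
    could ever validate, and whether connecting by name would have."""
    parsed = parse_mismatch(line)
    if parsed is None:
        return None
    target, cn = parsed
    dns, ips = cert_names(cert)
    return {
        "connected_to": target,
        "connected_by_ip": is_ip(target),
        "certificate_dns_names": dns,
        "certificate_ip_names": ips,
        "would_match": cert_matches(cert, target),
        "would_match_by_name": cert_matches(cert, cn),
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, DC_CERT).items():
        print("%-22s %s" % (key, value))
```

Running it shows connected_by_ip True, would_match False and would_match_by_name True: the same certificate validates when the URL carries the controller's DNS name, which is why the reporter's ldap.conf (which requires validation) breaks only once the URL is built from the IP. The two fixes that follow from the check are to have the client connect by name or to issue controller certificates that also carry an iPAddress SAN.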
Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Changed in samba (Ubuntu):
status: Incomplete → Confirmed
Changed in samba (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: Confirmed → Triaged
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and was supposed to resolve this issue (https://launchpad.net/bugs/1577739), but the issue still persists. Here is a log snippet, same reproducible steps:
2016/05/05 18:06:29 kid1| WARNING: ntlmauthenticator #1 exited
2016/05/05 18:06:29 kid1| Too few ntlmauthenticator processes are running (need 1/20)
2016/05/05 18:06:29 kid1| Starting new helpers
2016/05/05 18:06:29 kid1| helperOpenServers: Starting 1/20 'ntlm_auth' processes
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication Helper '0x7f4040471a98' crashed!.
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error