Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and was supposed to resolve this issue (https://launchpad.net/bugs/1577739), but the issue still persists. Here is a log snippet, same reproducible steps:

2016/05/05 18:06:29 kid1| WARNING: ntlmauthenticator #1 exited
2016/05/05 18:06:29 kid1| Too few ntlmauthenticator processes are running (need 1/20)
2016/05/05 18:06:29 kid1| Starting new helpers
2016/05/05 18:06:29 kid1| helperOpenServers: Starting 1/20 'ntlm_auth' processes
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication Helper '0x7f4040471a98' crashed!.
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'

Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error

I don't think this is a regression. The Samba security update is now more strict when validating TLS certs.

I'm not sure why it's using the ip address instead of the hostname, that's probably a configuration issue.

If you want a workaround, you can try adjusting cert checking, see:

https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed#tls_verify_peer_.28G.29

In our config, we removed ldap ssl ads = Yes and replaced it with ldap server require strong auth = Yes and we don't get the StartTLS error anymore, but this error still pops up:

2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication Helper '0x7f483b420888' crashed!.
2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'

Here is another bug I found with the exact same regression: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1578576

In the syslog:
May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
May 5 17:48:14 hostname kernel: [ 155.558023] ntlm_auth[2208]: segfault at 8 ip 00007f87361309b0 sp 00007fff54b93398 error 4 in libsamba-security.so.0[7f8736125000+1b000]
May 5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.254386, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
May 5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.321247, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
May 5 17:48:14 hostname kernel: [ 155.730606] ntlm_auth[2213]: segfault at 8 ip 00007f4b143eb9b0 sp 00007fff1e8557f8 error 4 in libsamba-security.so.0[7f4b143e0000+1b000]

I am also getting the same error
 TLS: hostname (IP) does not match common name in certificate (win.cifs.com).
Note :-
After replacing ldap ssl ads = Yes to ldap server require strong auth = Yes parameter i am able to communicate but communication is not secure.
i have tried ldapsearch command which is working fine and communicating in encryption only.

Please suggest what is to be done.

Status changed to 'Confirmed' because the bug affects multiple users.

Can someone please share config files of a setup and the topology that is showing the problem? I'm seeing winbind and squid logs in this bug. I think the squid ntlm helper crash should be a separate bug: let's concentrate on samba first.

Hi Team,

I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf

#TLS_REQCERT HARD
TLS_REQCERT ALLOW
TLS_CACERT /etc/ssl/certs/msadmaster.pem

After above changes net ads is succesfull with ssl/tls
I have verified at Windows AD DC end that TLS is being used for communication with the help of wireshark.
Though i am not sure what is impact of changing TLS_REQCERT to ALLOW from HARD if certificates is being used.

Now i have configured ubuntu as AD DC and try to join another ubuntu machine as member server but i am getting below error.

[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

ubuntu AD DC smb.conf

[global]
        workgroup = TECHMINT
        realm = TECHMINT.LAN
        netbios name = ADC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash

[netlogon]
        path = /var/lib/samba/sysvol/techmint.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf for ads member server

[global]
       security = ADS
       workgroup = TECHMINT
       realm = TECHMINT.LAN

       log file = /var/opt/samba/%m.log
       log level = 1

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # - Adding just this is not enough
       # - You must set a DOMAIN backend configuration, see below
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       username map = /etc/opt/samba/user.map
# ldap ssl = start tls
# ldap ssl ads = yes
       ldap debug level = 1
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no

ldap ssl = start tls
ldap ssl ads = yes

are un-commented for smb.conf of ads member server

Hello @arjitkumar, what are the samba packages you have? Sorry if I missed that information, but I can't find it in the bug.

And what is the ldapsearch test command you are using? I'm interested in the ssl/tls and authentication parameters, not the search filter. For example, is it using gssapi? start tls (-ZZ)?

In particular, one of the fixes introduced in samba 4.3.7 was to properly check certificates, as @mdeslaur said in comment #2:

"o CVE-2016-2113 (Missing TLS certificate validation)"

So I would ask you to double check your certificates and chain to make sure all is correct in that front, as samba would have skipped some validation checks before.

ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w XXXXXXXX -b 'dc=techmint,dc=lan'

I am able to confirm with tcpdump that communication is in encrypted mode.

samba packages at AD DC server
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 all [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common-bin/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-dsdb-modules/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-libs/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-testsuite/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-vfs-modules/now 2:4.3.11+dfsg

samba Packages other server where net ads is run
 apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed]
samba-common/xenial-updates,xenial-updates,xenial-security,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 all [installed,automatic]
samba-common-bin/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-dsdb-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-libs/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-vfs-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]

Note:- The issue i have mentioned in 5 is also reported in samba bugzilla.

https://bugzilla.samba.org/show_bug.cgi?id=13124

> ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w XXXXXXXX -b 'dc=techmint,dc=lan'

Please use -ZZ. And did you use the IP for -h? Why not the hostname, which I think (from a previous comment you made) is win.cifs.com?

> I am able to confirm with tcpdump that communication is in encrypted mode.

That doesn't mean it's secure. If your client is told to accept any certificate from the server, it would still be vulnerable to MITM attacks.

You need to change this setting back to "hard" in your /etc/ldap/ldap.conf:

TLS_REQCERT hard

and then repeat the ldapsearch command with -ZZ. And use the certificate's commonName value for your ldapsearch "-h" parameter, or one of the certificate's subjectAltName fields that are prefixed with DNS.

That being said, the linked samba bug is interesting:

https://bugzilla.samba.org/show_bug.cgi?id=13124

samba git master still has that change, i.e., use addr (ip) instead of ldap_server_name.

I have updated /etc/ldap/ldap.conf:
to
TLS_REQCERT hard

and run ldapsearch as below.

ldapsearch -x -ZZ -h hostname -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w XXXXXXXX -b 'dc=techmint,dc=lan'

I got output as expected.

then i run
net ads join -U Administrator%XXXXXXXX -d 12

I got same issue.

TLS: hostname (IP) does not match common name in certificate (hostname).

After changing
/etc/ldap/ldap.conf:
to
TLS_REQCERT Allow

i am getting other issue which i have mentioned earlier.
Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

i have doubts/queries please clarify.

1. If above ldapsearch is returning results. then can i assume the certificate is fine?
2. Are these issues reproducible at your end ?
3. Should i provide any further log details ?

> 1. If above ldapsearch is returning results. then can i assume the certificate is fine?

yes. It looks like https://bugzilla.samba.org/show_bug.cgi?id=13124 is the culprit indeed.

> 2. Are these issues reproducible at your end ?

I don't have access to an AD server yet to try

> 3. Should i provide any further log details ?

Could you perhaps comment in this upstream bug? The developer who made the commit that apparently introduced this regression is asking if someone who could try "net rpc join" (note: rpc, not ads) could test without this patch.

https://bugzilla.samba.org/show_bug.cgi?id=13124

I can build you packages with that change reverted if you are willing to test.

Xenial samba packages with the mentioned change reversed are currently building in this PPA:

https://launchpad.net/~ahasenack/+archive/ubuntu/samba-tls-regression-1576799

Once it's done, and if you are willing to test it, you can add the ppa to your system following the instructions from that page and install/upgrade the packages.

Thanks for providing packages.

I have downloaded packages
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]

But still i am getting same errors.

TLS: hostname (IP) does not match common name in certificate (hostname).
When used with TLS_REQCERT Hard
And
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required
when used with TLS_REQCERT Allow

Thanks for checking.

The error happens only when you run "net ads join"?

Or does it also happen randomly during the day when the server is running?

I have only observe with net ads join.

Problem reproduced with the xenial packages, even when using -k in the join command (so it authenticates using kerberos).

With my updated packages, I get further but it fails elsewhere:
root@xenial:~# net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform

Adding some debugging shows:
[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between kerberos and ldap ssl

Similarly, I can't use ldap tools with GSSAPI authentication together with TLS or start tls, so this doesn't seem to be exclusive to samba:

root@xenial:~# kinit Administrator
Password for <email address hidden>:

root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator

root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:
root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>

Valid starting Expires Service principal
12/28/2017 18:52:19 12/29/2017 04:52:19 <email address hidden>
 renew until 12/29/2017 18:52:17
12/28/2017 18:52:21 12/29/2017 04:52:19 ldap/win-5gvsuklmr3c.lowtech.internal@
 renew until 12/29/2017 18:52:17
12/28/2017 18:52:21 12/29/2017 04:52:19 <email address hidden>
 renew until 12/29/2017 18:52:17

Might be a windows issue: https://social.technet.microsoft.com/Forums/windowsserver/en-US/44b0ee8f-bb22-4e1c-8de0-21578d204cfc/win-2k8-ldap-with-ssl-anfd-gssapi-kerberos?forum=winservergen

I'm still updating this server, will try again after the update is finished.

Looks like this follow-up problem I hit could be https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819

With this workaround in smb.conf it works:

client ldap sasl wrapping = plain

Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads = yes", it looks like "plain" is safe enough, since ldap is using ssl, but ymmv.

All in all, I think the bug about the connection using the IP instead of the hostname specified in the configs is fixed in my ppa packages. I reproduced it in xenial and also in bionic.

@arjitkumar can you please double check that you are getting the TLS error about the hostname/ip mismatch, and not something else, with the new packages?

It seems that i am not able to add ppa properly to my system.
Thus required changes are not getting reflected.
I have done below:-
Manually copy below lines to /etc/apt/sources.list

/etc/apt# grep -r "ahasenack" sources.list
deb http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main
deb-src http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main

run apt-get update:-

apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Fetched 306 kB in 1s (182 kB/s)
Reading package lists... Done

It seems that required code changes are part of libads library.
I have checked mine /usr/lib/x86_64-linux-gnu/samba/libads.so.0 it is not updated.

Can you please check which versions of samba you have available, and from where, with the following command:

apt-cache policy samba

Please let me know how can i update PPA packages.

Please run the command from comment #27, it will help diagnose why you didn't get my PPA packages.

I also have observe that you are joining to windows Active Directory Domain Controller instead of ubuntu Active Directory Domain Controller.
As mentioned in the comment #15 on 2017-12-18

When i changed
/etc/ldap/ldap.conf:
to
TLS_REQCERT Allow
and connect to Windows Active directory Domain controller i was able to join with client ldap sasl wrapping = plain workaround but
when used tried to join Ubuntu AD DC i get below error:-
Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.

Please re run this test when other ubuntu is configured as AD DC.

apt-cache policy samba
samba:
  Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.12
  Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1
  Version table:
     2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1 500
        500 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial/main amd64 Packages
 *** 2:4.3.11+dfsg-0ubuntu0.16.04.12 500
        500 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.3.8+dfsg-0ubuntu1 500
        500 http://in.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

It shows your PPA repository.

As mentioned earlier libads.so.0 is updated on 16 nov
ll /usr/lib/x86_64-linux-gnu/samba/libads.so.0
-rw-r--r-- 1 root root 162128 Nov 16 18:11 /usr/lib/x86_64-linux-gnu/samba/libads.so.0

Alternately If you can provide library i will replace the same in my machine.

What is the output you get when you run:

sudo apt install samba

?

Sorry,
I was not running sudo apt install samba.
I have run it and the issue related to IP is resolved.
I also have added client ldap sasl wrapping = plain in smb.conf

As my Active Directory server is on ubuntu not Windows.

I am getting below error:-
[LDAP] ldap_int_select
[LDAP] read1msg: ld 0x55886543a690 msgid 8 all 1
[LDAP] read1msg: ld 0x55886543a690 msgid 8 message type bind
[LDAP] read1msg: ld 0x55886543a690 0 new referrals
[LDAP] read1msg: mark request completed, ld 0x55886543a690 msgid 8
[LDAP] request done: ld 0x55886543a690 msgid 8
[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
[LDAP] ldap_free_request (origid 8, msgid 8)
[LDAP] ldap_parse_sasl_bind_result
[LDAP] ldap_parse_result
[LDAP] ldap_msgfree
[LDAP] ldap_err2string
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.

You only need to set the sasl wrapping to plain when talking to windows ad. With a samba/ubuntu AD, Try removing that setting entirely from smb.conf. The default value ("sign") should be enough in that case.

I have tried with commenting it also.
Still same error.
Please try to reproduce my use case by configuring ubuntu as AD DC along with tls and run net join from other ubuntu machine.

Will do.

Please let me know if issue is reproducible at your end or any further information is required form me.

Sorry I couldn't get to this yet, it's still in my queue.

ok,
Thanks for letting me know.

Hi,
I come by trying to clear or revive bugs that are dormant for too long.
Especially since the originally reported release was Xenial which is now in extended security maintenance it might be worth to re-visit the validity of the issue going forward.

OTOH all the time in the last 4 years nobody else chimed in here, so maybe (hopefully) this isn't a problem for anyone anymore - at least not in the newer releases? Lowering severity based on this for now.

It seems the many tasks of Andreas kept him too busy for making progress/updates on this :-/
We do so much more tests in the new versions, maybe we just know that it works at least with the newer versions already?
@Andreas - is this worth to be revisited?