[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-05-29 Thread Andreas Hasenack
** Changed in: samba (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) ** Changed in: samba (Ubuntu) Status: Confirmed => Triaged

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-24 Thread Arjit
ok, Thanks for letting me know.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-23 Thread Andreas Hasenack
Sorry I couldn't get to this yet, it's still in my queue.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-15 Thread Arjit
Please let me know if issue is reproducible at your end or any further information is required from me.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
Will do.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Arjit
I have tried with commenting it also. Still same error. Please try to reproduce my use case by configuring ubuntu as AD DC along with tls and run net join from other ubuntu machine.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
You only need to set the sasl wrapping to plain when talking to windows ad. With a samba/ubuntu AD, try removing that setting entirely from smb.conf. The default value ("sign") should be enough in that case.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Arjit
Sorry, I was not running sudo apt install samba. I have run it and the issue related to IP is resolved. I also have added client ldap sasl wrapping = plain in smb.conf As my Active Directory server is on ubuntu not Windows. I am getting below error:- [LDAP] ldap_int_select [LDAP] read1msg: ld

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
What is the output you get when you run: sudo apt install samba ?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
apt-cache policy samba samba: Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.12 Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1 Version table: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1 500 500 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial/main amd64

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
I also have observed that you are joining to windows Active Directory Domain Controller instead of ubuntu Active Directory Domain Controller. As mentioned in the comment #15 on 2017-12-18 When I changed /etc/ldap/ldap.conf: to TLS_REQCERT Allow and connect to Windows Active directory Domain

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Andreas Hasenack
Please run the command from comment #27, it will help diagnose why you didn't get my PPA packages.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
Please let me know how I can update PPA packages.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Andreas Hasenack
Can you please check which versions of samba you have available, and from where, with the following command: apt-cache policy samba

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
It seems that I am not able to add ppa properly to my system. Thus required changes are not getting reflected. I have done below:- Manually copy below lines to /etc/apt/sources.list /etc/apt# grep -r "ahasenack" sources.list deb

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-29 Thread Andreas Hasenack
With this workaround in smb.conf it works: client ldap sasl wrapping = plain Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads = yes", it looks like "plain" is safe enough, since ldap is using ssl, but ymmv. All in all, I think the bug about the connection using the IP

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Looks like this follow-up problem I hit could be https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Might be a windows issue: https://social.technet.microsoft.com/Forums/windowsserver/en-US/44b0ee8f-bb22-4e1c-8de0-21578d204cfc/win-2k8-ldap-with-ssl-anfd-gssapi-kerberos?forum=winservergen I'm still updating this server, will try again after the update is finished.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Problem reproduced with the xenial packages, even when using -k in the join command (so it authenticates using kerberos). With my updated packages, I get further but it fails elsewhere: root@xenial:~# net ads join -U Administrator ldap_url_parse_ext(ldap://localhost/) ldap_init: trying

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Arjit
I have only observed it with net ads join.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Andreas Hasenack
Or does it also happen randomly during the day when the server is running?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Andreas Hasenack
Thanks for checking. The error happens only when you run "net ads join"?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Arjit
Thanks for providing packages. I have downloaded packages apt list --installed | grep samba WARNING: apt does not have a stable CLI interface. Use with caution in scripts. python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to:

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
Xenial samba packages with the mentioned change reversed are currently building in this PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-tls-regression-1576799 Once it's done, and if you are willing to test it, you can add the ppa to your system following the instructions from that

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
** Changed in: samba (Ubuntu) Status: Incomplete => Confirmed

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
> 1. If above ldapsearch is returning results. then can i assume the certificate is fine? yes. It looks like https://bugzilla.samba.org/show_bug.cgi?id=13124 is the culprit indeed. > 2. Are these issues reproducible at your end ? I don't have access to an AD server yet to try > 3. Should i

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-17 Thread Arjit
I have updated /etc/ldap/ldap.conf: to TLS_REQCERT hard and run ldapsearch as below. ldapsearch -x -ZZ -h hostname -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan' I got output as expected. Then I ran net ads join -U Administrator% -d 12 I

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
That being said, the linked samba bug is interesting: https://bugzilla.samba.org/show_bug.cgi?id=13124 samba git master still has that change, i.e., use addr (ip) instead of ldap_server_name.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
> ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan' Please use -ZZ. And did you use the IP for -h? Why not the hostname, which I think (from a previous comment you made) is win.cifs.com? > I am able to confirm with tcpdump that

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2113

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Arjit
ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan' I am able to confirm with tcpdump that communication is in encrypted mode. samba packages at AD DC server apt list --installed | grep samba WARNING: apt does not have a stable CLI

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
In particular, one of the fixes introduced in samba 4.3.7 was to properly check certificates, as @mdeslaur said in comment #2: "o CVE-2016-2113 (Missing TLS certificate validation)" So I would ask you to double check your certificates and chain to make sure all is correct in that front, as

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-12 Thread Andreas Hasenack
Hello @arjitkumar, what are the samba packages you have? Sorry if I missed that information, but I can't find it in the bug. And what is the ldapsearch test command you are using? I'm interested in the ssl/tls and authentication parameters, not the search filter. For example, is it using gssapi?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-11 Thread Arjit
Hi Team, I have modified my /etc/ldap/ldap.conf cat /etc/ldap/ldap.conf #TLS_REQCERT HARD TLS_REQCERT ALLOW TLS_CACERT /etc/ssl/certs/msadmaster.pem After above changes net ads is successful with ssl/tls I have verified at Windows AD DC end that TLS is being used for communication

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-11 Thread Arjit
ldap ssl = start tls ldap ssl ads = yes are un-commented for smb.conf of ads member server

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-07 Thread Andreas Hasenack
Can someone please share config files of a setup and the topology that is showing the problem? I'm seeing winbind and squid logs in this bug. I think the squid ntlm helper crash should be a separate bug: let's concentrate on samba first.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-06 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: samba (Ubuntu) Status: New => Confirmed

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-06 Thread Arjit
I am also getting the same error TLS: hostname (IP) does not match common name in certificate (win.cifs.com). Note :- After replacing ldap ssl ads = Yes to ldap server require strong auth = Yes parameter I am able to communicate but communication is not secure. I have tried ldapsearch command

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
Here is another bug I found with the exact same regression: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1578576 In the syslog: May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error May 5 17:48:14 hostname kernel: [ 155.558023]

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
In our config, we removed ldap ssl ads = Yes and replaced it with ldap server require strong auth = Yes and we don't get the StartTLS error anymore, but this error still pops up: 2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication Helper '0x7f483b420888' crashed!. 2016/05/06 19:50:26 kid1|

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Marc Deslauriers
I don't think this is a regression. The Samba security update is now more strict when validating TLS certs. I'm not sure why it's using the ip address instead of the hostname, that's probably a configuration issue. If you want a workaround, you can try adjusting cert checking, see:

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and was supposed to resolve this issue (https://launchpad.net/bugs/1577739), but the issue still persists. Here is a log snippet, same reproducible steps: 2016/05/05 18:06:29 kid1| WARNING: ntlmauthenticator #1 exited 2016/05/05 18:06:29

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-03 Thread Sebastien Bacher
** Changed in: samba (Ubuntu) Importance: Undecided => High ** Changed in: samba (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)