[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-05-29 Thread Andreas Hasenack
** Changed in: samba (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: samba (Ubuntu)
   Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-24 Thread Arjit
ok,
Thanks for letting me know.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-23 Thread Andreas Hasenack
Sorry I couldn't get to this yet, it's still in my queue.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-15 Thread Arjit
Please let me know if the issue is reproducible at your end or any further
information is required from me.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
Will do.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Arjit
I have also tried commenting it out.
Still the same error.
Please try to reproduce my use case by configuring Ubuntu as AD DC along with
TLS and running net join from another Ubuntu machine.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
You only need to set the sasl wrapping to plain when talking to Windows
AD. With a Samba/Ubuntu AD, try removing that setting entirely from
smb.conf. The default value ("sign") should be enough in that case.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Arjit
Sorry,
I was not running sudo apt install samba.
I have run it and the issue related to IP is resolved.
I have also added client ldap sasl wrapping = plain in smb.conf

As my Active Directory server is on Ubuntu, not Windows.

I am getting the error below:
[LDAP] ldap_int_select
[LDAP] read1msg: ld 0x55886543a690 msgid 8 all 1
[LDAP] read1msg: ld 0x55886543a690 msgid 8 message type bind
[LDAP] read1msg: ld 0x55886543a690 0 new referrals
[LDAP] read1msg:  mark request completed, ld 0x55886543a690 msgid 8
[LDAP] request done: ld 0x55886543a690 msgid 8
[LDAP] res_errno: 8, res_error: , res_matched: <>
[LDAP] ldap_free_request (origid 8, msgid 8)
[LDAP] ldap_parse_sasl_bind_result
[LDAP] ldap_parse_result
[LDAP] ldap_msgfree
[LDAP] ldap_err2string
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-09 Thread Andreas Hasenack
What is the output you get when you run:

sudo apt install samba

?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
apt-cache policy samba
samba:
  Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.12
  Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1
  Version table:
     2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1 500
        500 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial/main amd64 Packages
 *** 2:4.3.11+dfsg-0ubuntu0.16.04.12 500
        500 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.3.8+dfsg-0ubuntu1 500
        500 http://in.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

It shows your PPA repository.

As mentioned earlier libads.so.0 is updated on 16 nov
ll  /usr/lib/x86_64-linux-gnu/samba/libads.so.0
-rw-r--r-- 1 root root 162128 Nov 16 18:11 /usr/lib/x86_64-linux-gnu/samba/libads.so.0

Alternatively, if you can provide the library, I will replace it on my
machine.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
I have also observed that you are joining a Windows Active Directory Domain
Controller instead of an Ubuntu Active Directory Domain Controller.
As mentioned in comment #15 on 2017-12-18.

When I changed /etc/ldap/ldap.conf to

TLS_REQCERT Allow

and connected to the Windows Active Directory Domain Controller, I was able to
join with the client ldap sasl wrapping = plain workaround, but when I tried
to join the Ubuntu AD DC I got the error below:

Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.

Please re-run this test with another Ubuntu machine configured as AD DC.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Andreas Hasenack
Please run the command from comment #27, it will help diagnose why you
didn't get my PPA packages.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
Please let me know how I can update the PPA packages.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Andreas Hasenack
Can you please check which versions of samba you have available, and
from where, with the following command:

apt-cache policy samba

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2018-01-08 Thread Arjit
It seems that I am not able to add the PPA properly to my system.
Thus the required changes are not getting reflected.
I have done the following:
Manually copied the lines below to /etc/apt/sources.list:

/etc/apt# grep -r "ahasenack" sources.list
deb http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main
deb-src http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main

Ran apt-get update:

apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Fetched 306 kB in 1s (182 kB/s)
Reading package lists... Done

It seems that the required code changes are part of the libads library.
I have checked my /usr/lib/x86_64-linux-gnu/samba/libads.so.0; it is not
updated.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-29 Thread Andreas Hasenack
With this workaround in smb.conf it works:

client ldap sasl wrapping = plain

Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads
= yes", it looks like "plain" is safe enough, since ldap is using ssl,
but ymmv.

All in all, I think the bug about the connection using the IP instead of
the hostname specified in the configs is fixed in my ppa packages. I
reproduced it in xenial and also in bionic.

@arjitkumar can you please double check that you are getting the TLS
error about the hostname/ip mismatch, and not something else, with the
new packages?


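The trade-off in the 2017-12-29 message above (SASL wrapping set to plain, with protection left to StartTLS) can be checked mechanically against a client's configuration. The following Python is an added example, not part of the thread and not code from Samba; the function names, the sample inputs, and the defaults used for "ldap ssl" and "ldap ssl ads" are assumptions, and the TLS_REQCERT check reflects the /etc/ldap/ldap.conf change mentioned elsewhere in the thread.

```python
"""Classify how a Samba client protects its LDAP connection to an AD DC.

Added example: not code from Samba or from the bug thread.
"""

# Assumed defaults for the Samba 4.3-era client in the thread. "sign" is the
# default wrapping named in the thread; the other two are assumptions taken
# from the smb.conf manual page of that release series.
DEFAULTS = {
    "client ldap sasl wrapping": "sign",
    "ldap ssl": "start tls",
    "ldap ssl ads": "no",
}
TRUE_VALUES = {"yes", "true", "on", "1"}


def parse_global(smb_conf):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Normalise case and runs of whitespace in the parameter name.
        params[" ".join(key.lower().split())] = value.strip().lower()
    return params


def tls_reqcert(ldap_conf):
    """Return the effective TLS_REQCERT level from an ldap.conf text."""
    level = "demand"  # OpenLDAP client default when the option is absent
    for raw in ldap_conf.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0].upper() == "TLS_REQCERT":
            level = parts[1].lower()
    return level


def audit(smb_conf, ldap_conf=""):
    """Return (mode, findings) for the ADS LDAP connection."""
    cfg = {**DEFAULTS, **parse_global(smb_conf)}
    wrapping = cfg["client ldap sasl wrapping"]
    # StartTLS is used for ADS only when both parameters ask for it.
    tls = cfg["ldap ssl"] == "start tls" and cfg["ldap ssl ads"] in TRUE_VALUES
    findings = []
    if wrapping == "plain":
        if not tls:
            return "cleartext", ["plain wrapping and no StartTLS: LDAP data is unprotected"]
        if tls_reqcert(ldap_conf) in ("never", "allow"):
            findings.append("TLS_REQCERT accepts an unverifiable server certificate")
        return "tls-only", findings
    if tls:
        findings.append("sign/seal over TLS: the Windows DC in the thread refused this bind")
        return "sasl-over-tls", findings
    return "sasl-only", findings


# Constructed sample inputs (not taken from any real host).
WORKAROUND = """
[global]
    ldap ssl = start tls
    ldap ssl ads = yes
    client ldap sasl wrapping = plain
"""
PLAIN_ONLY = "[global]\nclient ldap sasl wrapping = plain\n"
LAX_LDAP_CONF = "# constructed\nTLS_REQCERT Allow\n"

if __name__ == "__main__":
    for name, smb, ldap in [
        ("workaround", WORKAROUND, ""),
        ("workaround + TLS_REQCERT Allow", WORKAROUND, LAX_LDAP_CONF),
        ("plain without TLS", PLAIN_ONLY, ""),
    ]:
        print(name, "->", audit(smb, ldap))
```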
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Looks like this follow-up problem I hit could be
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Might be a windows issue:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/44b0ee8f-bb22-4e1c-8de0-21578d204cfc/win-2k8-ldap-with-ssl-anfd-gssapi-kerberos?forum=winservergen

I'm still updating this server, will try again after the update is
finished.

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-28 Thread Andreas Hasenack
Problem reproduced with the xenial packages, even when using -k in the
join command (so it authenticates using kerberos).

With my updated packages, I get further but it fails elsewhere:
root@xenial:~# net ads join -U Administrator 
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform


Adding some debugging shows:
[LDAP] res_errno: 53, res_error: <2029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between kerberos and ldap ssl


Similarly, I can't use ldap tools with GSSAPI authentication together with TLS 
or start tls, so this doesn't seem to be exclusive to samba:

root@xenial:~# kinit Administrator
Password for Administrator@LOWTECH.INTERNAL: 

root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator

root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:
root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LOWTECH.INTERNAL

Valid starting       Expires              Service principal
12/28/2017 18:52:19  12/29/2017 04:52:19  krbtgt/LOWTECH.INTERNAL@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Arjit
I have only observed it with net ads join.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Andreas Hasenack
Or does it also happen randomly during the day when the server is
running?

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-19 Thread Andreas Hasenack
Thanks for checking.

The error happens only when you run "net ads join"?


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Arjit
Thanks for providing packages.

I have downloaded the packages:
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]

But I am still getting the same errors:

TLS: hostname (IP) does not match common name in certificate (hostname).
when used with TLS_REQCERT Hard, and
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required
when used with TLS_REQCERT Allow.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
Xenial samba packages with the mentioned change reversed are currently
building in this PPA:

https://launchpad.net/~ahasenack/+archive/ubuntu/samba-tls-regression-1576799

Once it's done, and if you are willing to test it, you can add the ppa
to your system following the instructions from that page and
install/upgrade the packages.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
** Changed in: samba (Ubuntu)
   Status: Incomplete => Confirmed


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-18 Thread Andreas Hasenack
> 1. If above ldapsearch is returning results. then can i assume the
> certificate is fine?

Yes. It looks like https://bugzilla.samba.org/show_bug.cgi?id=13124 is
the culprit indeed.

> 2. Are these issues reproducible at your end ?

I don't have access to an AD server yet to try.

> 3. Should i provide any further log details ?

Could you perhaps comment in this upstream bug? The developer who made
the commit that apparently introduced this regression is asking if
someone who could try "net rpc join" (note: rpc, not ads) could test
without this patch.

https://bugzilla.samba.org/show_bug.cgi?id=13124

I can build you packages with that change reverted if you are willing to
test.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-17 Thread Arjit
I have updated /etc/ldap/ldap.conf to:

TLS_REQCERT hard

and ran ldapsearch as below:

ldapsearch -x -ZZ -h hostname -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w  -b 'dc=techmint,dc=lan'

I got output as expected.

Then I ran:
net ads join -U Administrator% -d 12

I got the same issue:

TLS: hostname (IP) does not match common name in certificate (hostname).

After changing /etc/ldap/ldap.conf to:

TLS_REQCERT Allow

I am getting the other issue which I mentioned earlier:
Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

I have some doubts/queries; please clarify.

1. If the above ldapsearch is returning results, then can I assume the certificate is fine?
2. Are these issues reproducible at your end?
3. Should I provide any further log details?


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
That being said, the linked samba bug is interesting:

https://bugzilla.samba.org/show_bug.cgi?id=13124

samba git master still has that change, i.e., use addr (ip) instead of
ldap_server_name.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
> ldapsearch -x -Z -h I.P -p 389 -D
> cn=administrator,cn=users,dc=techmint,dc=lan -w  -b
> 'dc=techmint,dc=lan'

Please use -ZZ. And did you use the IP for -h? Why not the hostname,
which I think (from a previous comment you made) is win.cifs.com?

> I am able to confirm with tcpdump that communication is in encrypted
> mode.

That doesn't mean it's secure. If your client is told to accept any
certificate from the server, it would still be vulnerable to MITM
attacks.

You need to change this setting back to "hard" in your
/etc/ldap/ldap.conf:

TLS_REQCERT hard

and then repeat the ldapsearch command with -ZZ. And use the
certificate's commonName value for your ldapsearch "-h" parameter, or
one of the certificate's subjectAltName fields that are prefixed with
DNS.


** Changed in: samba (Ubuntu)
   Status: Confirmed => Incomplete
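
The point made in the message above (an encrypted session is not an authenticated one, and a connection made to an IP address cannot match a certificate that only carries DNS names, which is what the upstream change from ldap_server_name to addr ran into) as an added Python example; it is not code from Samba, OpenLDAP or anyone in this thread. It is a simplified model of the client-side decision: the certificate dict, the address 192.0.2.10 and all function names are constructed for illustration, and only the `allow` and `hard`/`demand` levels of TLS_REQCERT are modelled.

```python
import ipaddress
from collections import namedtuple

# Constructed certificate, in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(). Only the host name comes from the thread.
DC_CERT = {
    "subject": ((("commonName", "win.cifs.com"),),),
    "subjectAltName": (("DNS", "win.cifs.com"),),
}

Decision = namedtuple("Decision", "proceeds authenticated reason")


def as_ip(target):
    """Return an ipaddress object if target is an IP literal, else None."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # The wildcard covers exactly one label, never several and never none.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return False


def name_matches(cert, target):
    """Does the certificate identify the peer the client asked to reach?"""
    sans = cert.get("subjectAltName", ())
    ip = as_ip(target)
    if ip is not None:
        # An IP target can only match an iPAddress SAN, never a DNS name.
        return any(kind == "IP Address" and as_ip(value) == ip
                   for kind, value in sans)
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if dns_sans:
        return any(dns_match(p, target) for p in dns_sans)
    # No DNS SANs present: fall back to the subject commonName.
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return any(dns_match(cn, target) for cn in cns)


def reqcert_decision(level, chain_trusted, cert, target):
    """Simplified model of TLS_REQCERT 'allow' versus 'hard'/'demand'."""
    level = level.lower()
    if level not in ("allow", "hard", "demand"):
        raise ValueError("level not modelled here: " + level)
    if chain_trusted and name_matches(cert, target):
        return Decision(True, True, "certificate verified for " + target)
    problem = ("untrusted chain" if not chain_trusted
               else "name mismatch for " + target)
    if level == "allow":
        # The session continues and is encrypted, but the peer is whoever
        # answered: nothing ties the key to the intended server.
        return Decision(True, False, problem + " ignored")
    return Decision(False, False, problem)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the DC's IP.
    for level in ("hard", "allow"):
        for target in ("win.cifs.com", "192.0.2.10"):
            print(level, target, reqcert_decision(level, True, DC_CERT, target))
```

With `hard`, the IP target is refused while the host name is accepted; with `allow`, both proceed but the IP case reports `authenticated=False`, which is the state a packet capture showing TLS cannot distinguish from a verified session.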


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2113


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Arjit
ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w  -b 'dc=techmint,dc=lan'

I am able to confirm with tcpdump that communication is in encrypted
mode.

Samba packages on the AD DC server:
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

python-samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 all [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common-bin/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-dsdb-modules/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-libs/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-testsuite/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-vfs-modules/now 2:4.3.11+dfsg

Samba packages on the other server, where net ads is run:
apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed]
samba-common/xenial-updates,xenial-updates,xenial-security,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 all [installed,automatic]
samba-common-bin/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-dsdb-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-libs/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-vfs-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]


Note: The issue I have mentioned in 5 is also reported in Samba Bugzilla.

https://bugzilla.samba.org/show_bug.cgi?id=13124


** Bug watch added: Samba Bugzilla #13124
   https://bugzilla.samba.org/show_bug.cgi?id=13124


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-13 Thread Andreas Hasenack
In particular, one of the fixes introduced in samba 4.3.7 was to
properly check certificates, as @mdeslaur said in comment #2:

"o  CVE-2016-2113 (Missing TLS certificate validation)"

So I would ask you to double check your certificates and chain to make
sure all is correct on that front, as samba would have skipped some
validation checks before.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2113


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-12 Thread Andreas Hasenack
Hello @arjitkumar, what are the samba packages you have? Sorry if I
missed that information, but I can't find it in the bug.

And what is the ldapsearch test command you are using? I'm interested in
the ssl/tls and authentication parameters, not the search filter. For
example, is it using gssapi? start tls (-ZZ)?


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-11 Thread Arjit
Hi Team,

I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf

#TLS_REQCERT HARD
TLS_REQCERT ALLOW
TLS_CACERT  /etc/ssl/certs/msadmaster.pem

After the above changes, net ads is successful with ssl/tls.
I have verified at the Windows AD DC end, with the help of Wireshark, that TLS is being used for communication.
Though I am not sure what the impact is of changing TLS_REQCERT to ALLOW from HARD if certificates are being used.

Now I have configured Ubuntu as AD DC and tried to join another Ubuntu
machine as member server, but I am getting the below error.

[LDAP] res_errno: 8, res_error: , res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required


ubuntu AD DC smb.conf 

[global]
workgroup = TECHMINT
realm = TECHMINT.LAN
netbios name = ADC1
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash

[netlogon]
path = /var/lib/samba/sysvol/techmint.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

smb.conf for ads member server

[global]
   security = ADS
   workgroup = TECHMINT
   realm = TECHMINT.LAN

   log file = /var/opt/samba/%m.log
   log level = 1

   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use a read-write-enabled back end, such as tdb.
   # - Adding just this is not enough
   # - You must set a DOMAIN backend configuration, see below
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   username map = /etc/opt/samba/user.map
#   ldap ssl = start tls
#   ldap ssl ads = yes
   ldap debug level = 1
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-11 Thread Arjit
ldap ssl = start tls
ldap ssl ads = yes

are un-commented for smb.conf of ads member server


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-07 Thread Andreas Hasenack
Can someone please share config files of a setup and the topology that
is showing the problem? I'm seeing winbind and squid logs in this bug. I
think the squid ntlm helper crash should be a separate bug: let's
concentrate on samba first.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-06 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: samba (Ubuntu)
   Status: New => Confirmed


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2017-12-06 Thread Arjit
I am also getting the same error:
TLS: hostname (IP) does not match common name in certificate (win.cifs.com).
Note:
After replacing ldap ssl ads = Yes with the ldap server require strong auth = Yes parameter, I am able to communicate, but the communication is not secure.
I have tried the ldapsearch command, which is working fine and communicating in encryption only.

Please suggest what is to be done.


[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
Here is another bug I found with the exact same regression:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1578576

In the syslog:
May  5 17:48:14 hostname winbindd[798]:   Failed to issue the StartTLS instruction: Connect error
May  5 17:48:14 hostname kernel: [  155.558023] ntlm_auth[2208]: segfault at 8 ip 7f87361309b0 sp 7fff54b93398 error 4 in libsamba-security.so.0[7f8736125000+1b000]
May  5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.254386,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
May  5 17:48:14 hostname winbindd[798]:   Failed to issue the StartTLS instruction: Connect error
May  5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.321247,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
May  5 17:48:14 hostname winbindd[798]:   Failed to issue the StartTLS instruction: Connect error
May  5 17:48:14 hostname kernel: [  155.730606] ntlm_auth[2213]: segfault at 8 ip 7f4b143eb9b0 sp 7fff1e8557f8 error 4 in libsamba-security.so.0[7f4b143e+1b000]



[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
In our config, we removed ldap ssl ads = Yes and replaced it with ldap
server require strong auth = Yes and we don't get the StartTLS error
anymore, but this error still pops up:

2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication Helper '0x7f483b420888' crashed!.
2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'



[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Marc Deslauriers
I don't think this is a regression. The Samba security update is now
more strict when validating TLS certs.

I'm not sure why it's using the IP address instead of the hostname;
that's probably a configuration issue.

If you want a workaround, you can try adjusting cert checking, see:

https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed#tls_verify_peer_.28G.29


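Added example, not part of the original thread and not Samba or OpenLDAP code: a simplified model of the peer-name check behind the "hostname (IP) does not match common name in certificate" error, showing why dialling the server by IP address fails against a certificate issued for win.cifs.com. The function names and the 192.0.2.10 address are assumptions made for the illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def peer_name_matches(target, common_name, san_dns=(), san_ip=()):
    """Compare the name the client dialled (target) with the names in the certificate.

    Returns (ok, reason). Simplified model: an IP target matches only an
    iPAddress subjectAltName; a DNS target matches dNSName entries, falling
    back to the common name only when the certificate has no dNSName at all.
    """
    ip = _as_ip(target)
    if ip is not None:
        if any(_as_ip(entry) == ip for entry in san_ip):
            return True, "IP listed in subjectAltName"
        return False, f"IP {target} is not in the certificate (CN={common_name})"
    candidates = list(san_dns) or [common_name]
    for name in candidates:
        if _dns_match(name, target):
            return True, f"matched {name}"
    return False, f"{target} matches none of {candidates}"

# Constructed sample: 192.0.2.10 is a documentation address standing in for the
# domain controller's IP; win.cifs.com is the common name quoted in the thread.
if __name__ == "__main__":
    for dialled in ("192.0.2.10", "win.cifs.com", "WIN.cifs.com."):
        print(dialled, peer_name_matches(dialled, "win.cifs.com"))
    print(peer_name_matches("192.0.2.10", "win.cifs.com", san_ip=["192.0.2.10"]))
```

Under this model the check passes either when the client is pointed at the name in the certificate or when the certificate carries the address as an iPAddress subjectAltName; neither requires relaxing verification.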

[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-06 Thread Cindy Quach
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and was supposed
to resolve this issue (https://launchpad.net/bugs/1577739), but the
issue still persists. Here is a log snippet, same reproducible steps:


2016/05/05 18:06:29 kid1| WARNING: ntlmauthenticator #1 exited
2016/05/05 18:06:29 kid1| Too few ntlmauthenticator processes are running (need 1/20)
2016/05/05 18:06:29 kid1| Starting new helpers
2016/05/05 18:06:29 kid1| helperOpenServers: Starting 1/20 'ntlm_auth' processes
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication Helper '0x7f4040471a98' crashed!.
2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'

Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error



[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

2016-05-03 Thread Sebastien Bacher
** Changed in: samba (Ubuntu)
   Importance: Undecided => High

** Changed in: samba (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
