The only thing that comes to mind that could affect this, in samba 4.21.x, from the release notes[1], is the ldap channel binding support:
""" LDAP TLS/SASL channel binding support ===================================== The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. """ Can you perhaps bump the logging and see if something useful shows up in the samba logs? 1. https://www.samba.org/samba/history/samba-4.21.0.html ** Changed in: samba (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2107324 Title: samba-gpupdate fails(LdapErr: DSID-0C090C90 to perform this operation a successful bind must be completed on the connection) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2107324/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
