Bug 252385 - net/samba413: ldapsearch Invalid credentials
Summary: net/samba413: ldapsearch Invalid credentials
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Timur I. Bakeyev
URL:
Keywords:
Depends on:
Blocks:

Reported: 2021-01-03 15:27 UTC by rdunkle
Modified: 2021-05-17 07:26 UTC
CC List: 3 users

See Also:
bugzilla: maintainer-feedback? (timur)

Attachments
patch for ldap client function is broken (581 bytes, patch)
2021-03-04 05:17 UTC, radi-sh
Description rdunkle 2021-01-03 15:27:49 UTC
When I try to use ldapsearch it errors out with: Invalid credentials
# ldapsearch -x -W -D 'cn=administrator,dc=smallcatbrain,dc=com' -b 'dc=smallcatbrain,dc=com' -Z -LLL
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
-------
I am able to authenticate with kinit:
 # kinit administrator
-------
I also tried to authenticate with Apache Directory Studio.
Error while opening connection
 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
java.lang.Exception: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
Comment 1 rdunkle 2021-01-04 15:07:33 UTC
I now understand why Apache Studio does not log in to ldaps://
There is a parameter in smb4.conf --   tls verify peer =
It defaults to tls verify peer = as_strict_as_possible

This will reject a wildcard certificate.

For testing I changed to:  tls verify peer = no_check

Apache Studio will now connect with: dc1 port 636 ldaps://
simple authentication | administrator | password
---
And Apache Directory Studio will connect with: dc1 port 389 use StartTLS
simple authentication | administrator | password
---------------------------
I think there is some other problem lurking with ldap.
I notice this command  fails:

 # samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='administrator@smallcatbrain.com'
Failed to connect to ldap URL 'ldaps://localhost' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://localhost' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/forest.py", line 108, in run
    credentials=creds, lp=lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
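The tls verify peer = no_check workaround in Comment 1 leaves Samba's own LDAP client (the one samba-tool and the domain-join code use for ldaps:// and StartTLS) without any certificate verification, so a practitioner will want to spot it when it is left behind in a production smb4.conf. The script below is an added example and is not code from the bug report, from Samba or from the FreeBSD port: it reads the effective [global] value of tls verify peer from an smb4.conf (falling back to Samba's default, as_strict_as_possible, when the option is absent), flags no_check, and writes two constructed configs, the testing-only one from Comment 1 and one with verification switched back on. The realm SMALLCATBRAIN.COM comes from the report; the certificate paths and the choice of ca_and_name for the corrected file are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report, from Samba or from the FreeBSD port:
# audit the "tls verify peer" setting that Comment 1 relaxed to no_check.
#
# Samba documents these values for the [global] option "tls verify peer":
#   no_check, ca_only, ca_and_name_if_available, ca_and_name, as_strict_as_possible
# and uses as_strict_as_possible when the option is absent.

# Print the effective "tls verify peer" value from the [global] section of the
# smb4.conf given as $1, falling back to Samba's default when it is unset.
# Samba ignores case and whitespace inside parameter names, so "TLS Verify Peer"
# and "tlsverifypeer" match too; as in Samba, the last occurrence wins, and a
# copy of the setting placed in a share section is ignored.
effective_tls_verify_peer() {
    val=$(awk '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[/ {                                # section header
            insec = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        insec && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", name)
            if (tolower(name) == "tlsverifypeer") {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { print last }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'as_strict_as_possible\n'
    fi
}

# Succeed (exit 0) when the file leaves Samba's outgoing LDAPS/StartTLS
# connections without certificate verification, i.e. the testing-only
# workaround from Comment 1 is still in place.
tls_verify_peer_is_weak() {
    [ "$(effective_tls_verify_peer "$1")" = "no_check" ]
}

# Write two constructed smb4.conf files into directory $1:
#   weak.smb4.conf  - the no_check workaround left in place
#   fixed.smb4.conf - verification re-enabled; the DC certificate must then be
#                     issued for the DC's exact name. The realm is the one from
#                     the report; the certificate paths are assumptions.
write_sample_configs() {
    cat > "$1/weak.smb4.conf" <<'EOF'
[global]
    workgroup = SMALLCATBRAIN
    realm = SMALLCATBRAIN.COM
    server role = active directory domain controller
    tls enabled = yes
    # testing only: no certificate checks on outgoing LDAPS/StartTLS
    tls verify peer = no_check
EOF
    cat > "$1/fixed.smb4.conf" <<'EOF'
[global]
    workgroup = SMALLCATBRAIN
    realm = SMALLCATBRAIN.COM
    server role = active directory domain controller
    tls enabled = yes
    tls cafile   = /usr/local/etc/samba4/tls/ca.pem
    tls certfile = /usr/local/etc/samba4/tls/dc1.smallcatbrain.com.pem
    tls keyfile  = /usr/local/etc/samba4/tls/dc1.smallcatbrain.com.key
    # verify the CA chain and require the peer's certificate name to match
    tls verify peer = ca_and_name
EOF
}

# Stand-alone run: write the constructed files and audit both of them.
dir=$(mktemp -d) || exit 1
write_sample_configs "$dir"
for f in "$dir"/weak.smb4.conf "$dir"/fixed.smb4.conf; do
    setting=$(effective_tls_verify_peer "$f")
    if tls_verify_peer_is_weak "$f"; then
        printf '%s: tls verify peer = %s  (WEAK: peer certificates not verified)\n' "$f" "$setting"
    else
        printf '%s: tls verify peer = %s\n' "$f" "$setting"
    fi
done
rm -rf "$dir"
```

Point effective_tls_verify_peer at /usr/local/etc/smb4.conf on each DC to see what the running Samba will actually use; an absent option does not mean "unverified", it means the strictest setting, which is why the reporter's wildcard certificate was rejected only once he went looking for the parameter.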
Comment 2 rdunkle 2021-01-04 15:25:48 UTC
I think this is another problem with ldap.  Unable to join a domain.

root@dc2:~ # samba-tool domain join smallcatbrain DC -k yes -U"SMALLCATBRAIN.COM\administrator" --option=' dns forwarder=192.168.2.1' --option='idmap_ldb:use rfc2307=yes' --option="vfs objects=zfsacl dfs_samba4 acl_xattr"
INFO 2021-01-04 17:20:07,613 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'smallcatbrain'
INFO 2021-01-04 17:20:07,647 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC dc1.smallcatbrain.com
Failed to connect to ldap URL 'ldap://dc1.smallcatbrain.com' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.smallcatbrain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
Comment 3 radi-sh 2021-03-04 05:17:30 UTC
Created attachment 222965: patch for ldap client function is broken

This seems to be a similar problem.
https://www.spinics.net/lists/samba/msg167028.html
Comment 4 radi-sh 2021-03-27 00:28:05 UTC
From 4.13.0 to 4.13.7, important features are still broken.
What is the maintainer doing?
Comment 5 NetBLOKS 2021-04-15 14:44:01 UTC
Importance: --- Affects Only Me
This is not true, this affects everyone running two domain controllers (so like nearly everyone using Samba for Active Directory).
4.13 is not usable and broken.
Comment 6 geoffroy desvernay 2021-05-17 07:24:35 UTC
Hi,
We found this bug after successfully setting up a pair of DCs on 4.12 and unsuccessfully upgrading with 4.13.7 with these exact errors and symptoms…

So it seems to affect more than one user ;)

I'll try the patch later, for now we'll stick to 4.12
Comment 7 geoffroy desvernay 2021-05-17 07:26:39 UTC
(note: we are using jails and didn't try without)