252385 – net/samba413: ldapsearch Invalid credentials

Bug 252385 - net/samba413: ldapsearch Invalid credentials

Summary: net/samba413: ldapsearch Invalid credentials

Status:	New

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Timur I. Bakeyev

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-01-03 15:27 UTC by rdunkle
Modified:	2021-05-12 12:44 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (timur)

Attachments
patch for ldap client function is broken (581 bytes, patch) 2021-03-04 05:17 UTC, radi-sh	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description rdunkle 2021-01-03 15:27:49 UTC

when I try to use ldapsearch it errors out with - Invalid credentials
# ldapsearch -x -W -D 'cn=administrator,dc=smallcatbrain,dc=com' -b 'dc=smallcatbrain,dc=com' -Z -LLL
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
-------
I am able to authenticate with kinit:
 # kinit administrator
-------
I also tried to authenticate with Apache Directory Studio.
Error while opening connection
 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
java.lang.Exception: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

Comment 1 rdunkle 2021-01-04 15:07:33 UTC

I now understand why Apache Studio does not login to ldaps://  
There is a parameter in smb4.conf --   tls verify peer =
It defaults to tls verify peer = as_strict_as_possible

This will reject a wildcard certificate.

For testing I changed to:  tls verify peer = no_check

Apache Studio will now connect with: dc1 port 636 ldaps://
simple authentication | administrator | password
---
And Apache Directory Studio will connect with: dc1 port 389 use StartTLS
simple authentication | administrator | password
---------------------------
I think there is some other problem lurking with ldap.
I notice this command  fails:

 # samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='administrator@smallcatbrain.com'
Failed to connect to ldap URL 'ldaps://localhost' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://localhost' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/forest.py", line 108, in run
    credentials=creds, lp=lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)

Comment 2 rdunkle 2021-01-04 15:25:48 UTC

I think this is another problem with ldap.  Unable to join a domain.

root@dc2:~ # samba-tool domain join smallcatbrain DC -k yes -U"SMALLCATBRAIN.COM\administrator" --option=' dns forwarder=192.168.2.1' --option='idmap_ldb:use rfc2307=yes' --option="vfs objects=zfsacl dfs_samba4 acl_xattr"
INFO 2021-01-04 17:20:07,613 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'smallcatbrain'
INFO 2021-01-04 17:20:07,647 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC dc1.smallcatbrain.com
Failed to connect to ldap URL 'ldap://dc1.smallcatbrain.com' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.smallcatbrain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)

Comment 3 radi-sh 2021-03-04 05:17:30 UTC

Created attachment 222965 [details]
patch for ldap client function is broken

This seems to be a similar problem.
https://www.spinics.net/lists/samba/msg167028.html

Comment 4 radi-sh 2021-03-27 00:28:05 UTC

From 4.13.0 to 4.13.7, important features are still broken.
What is the maintainer doing?

Comment 5 NetBLOKS 2021-04-15 14:44:01 UTC

 Importance: 	--- Affects Only Me 
This is not true, this affects everyone running two domain contollers (so like nearly everyone using Samba for Active Directory).
4.13 is not usable and broken.