enterprise-support team mailing list archive

[Bug 1576799] [NEW] Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction

 

Public bug reported:

With the recent samba upgrade to 2:4.3.8+dfsg-0ubuntu0.14.04.2, we were
seeing a regression with authentication:

/var/log/syslog
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.898408,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error


We had to roll back to 2:4.1.6+dfsg-1ubuntu2.14.04.13 and everything worked again.

Here's a basic samba config that reproduces the issue:

Perfectly reproducible with this:
  realm = AD.DOMAIN.COM
  security = ads
  ldap ssl = start_tls
  ldap ssl ads = yes

[LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
[LDAP] ldap_err2string
Failed to issue the StartTLS instruction: Connect error

Samba seems to construct the LDAP URL with the IP of the AD controller
in it instead of the hostname, and then, because our ldap.conf requires
it, the server cert validation fails.

Please let me know if there are any other logs I can provide.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1576799
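
A log-triage sketch for the failure reported above, added here as an example (it is not code from the bug report or from Samba): it counts StartTLS failures and flags a certificate-name mismatch where the name being checked is an IP literal. The function names and the cause labels are assumptions made for this example; the sample lines are copied from the report.

```python
import ipaddress
import re

# Log lines copied from the report above (host name and address as given there).
SAMPLE_LOG = """\
Apr 28 17:45:52 hostname winbindd[769]: [2016/04/28 17:45:52.415470,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Apr 28 17:45:52 hostname winbindd[769]:   Failed to issue the StartTLS instruction: Connect error
[LDAP] TLS: hostname (172.12.12.12) does not match common name in certificate (hostname).
"""

MISMATCH = re.compile(
    r"TLS: hostname \((?P<peer>[^)]+)\) does not match "
    r"common name in certificate \((?P<cn>[^)]+)\)"
)
STARTTLS_FAIL = re.compile(r"Failed to issue the StartTLS instruction: (?P<err>.+)$")


def is_ip_literal(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Count StartTLS failures and classify each certificate-name mismatch."""
    findings = {"starttls_failures": 0, "mismatches": []}
    for line in log_text.splitlines():
        if STARTTLS_FAIL.search(line):
            findings["starttls_failures"] += 1
        m = MISMATCH.search(line)
        if m:
            peer, cn = m["peer"], m["cn"]
            # An IP literal checked against a DNS-name certificate points at
            # how the client built the LDAP URL, not at a wrong certificate.
            if is_ip_literal(peer) and not is_ip_literal(cn):
                cause = "client-dialed-ip"
            else:
                cause = "name-mismatch"
            findings["mismatches"].append({"peer": peer, "cert_cn": cn, "cause": cause})
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `client-dialed-ip` result means the certificate was checked against the controller's address rather than its name, which is the condition the reporter describes.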
