[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
** Changed in: samba (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: samba (Ubuntu)
       Status: Confirmed => Triaged

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
ok, Thanks for letting me know.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Sorry I couldn't get to this yet, it's still in my queue.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Please let me know if the issue is reproducible at your end or any further information is required from me.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Will do.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I have tried commenting it out also. Still the same error. Please try to reproduce my use case by configuring Ubuntu as AD DC along with TLS and running net join from another Ubuntu machine.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
You only need to set the sasl wrapping to plain when talking to Windows AD. With a samba/ubuntu AD, try removing that setting entirely from smb.conf. The default value ("sign") should be enough in that case.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Sorry, I was not running sudo apt install samba. I have run it and the issue related to IP is resolved.

I also have added

client ldap sasl wrapping = plain

in smb.conf As my Active Directory server is on ubuntu not Windows. I am getting below error:-

[LDAP] ldap_int_select
[LDAP] read1msg: ld 0x55886543a690 msgid 8 all 1
[LDAP] read1msg: ld 0x55886543a690 msgid 8 message type bind
[LDAP] read1msg: ld 0x55886543a690 0 new referrals
[LDAP] read1msg: mark request completed, ld 0x55886543a690 msgid 8
[LDAP] request done: ld 0x55886543a690 msgid 8
[LDAP] res_errno: 8, res_error: , res_matched: <>
[LDAP] ldap_free_request (origid 8, msgid 8)
[LDAP] ldap_parse_sasl_bind_result
[LDAP] ldap_parse_result
[LDAP] ldap_msgfree
[LDAP] ldap_err2string
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
What is the output you get when you run:

sudo apt install samba

?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
apt-cache policy samba
samba:
  Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.12
  Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1
  Version table:
     2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1 500
        500 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial/main amd64 Packages
 *** 2:4.3.11+dfsg-0ubuntu0.16.04.12 500
        500 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.3.8+dfsg-0ubuntu1 500
        500 http://in.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

It shows your PPA repository. As mentioned earlier, libads.so.0 is updated on 16 Nov:

ll /usr/lib/x86_64-linux-gnu/samba/libads.so.0
-rw-r--r-- 1 root root 162128 Nov 16 18:11 /usr/lib/x86_64-linux-gnu/samba/libads.so.0

Alternatively, if you can provide the library I will replace the same in my machine.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I have also observed that you are joining a Windows Active Directory Domain Controller instead of an Ubuntu Active Directory Domain Controller.

As mentioned in comment #15 on 2017-12-18:

When I changed /etc/ldap/ldap.conf: to TLS_REQCERT Allow and connected to the Windows Active Directory Domain Controller, I was able to join with the client ldap sasl wrapping = plain workaround, but when I tried to join the Ubuntu AD DC I get the below error:-

Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required.

Please re-run this test when another Ubuntu machine is configured as AD DC.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Please run the command from comment #27, it will help diagnose why you didn't get my PPA packages.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Please let me know how I can update PPA packages.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Can you please check which versions of samba you have available, and from where, with the following command:

apt-cache policy samba
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
It seems that I am not able to add the PPA properly to my system. Thus the required changes are not getting reflected.

I have done the below:-

Manually copied the below lines to /etc/apt/sources.list

/etc/apt# grep -r "ahasenack" sources.list
deb http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main
deb-src http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial main

Run apt-get update:-

apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ahasenack/samba-tls-regression-1576799/ubuntu xenial InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Fetched 306 kB in 1s (182 kB/s)
Reading package lists... Done

It seems that the required code changes are part of the libads library. I have checked my /usr/lib/x86_64-linux-gnu/samba/libads.so.0; it is not updated.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
With this workaround in smb.conf it works:

client ldap sasl wrapping = plain

Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads = yes", it looks like "plain" is safe enough, since ldap is using ssl, but ymmv.

All in all, I think the bug about the connection using the IP instead of the hostname specified in the configs is fixed in my ppa packages. I reproduced it in xenial and also in bionic.

@arjitkumar can you please double check that you are getting the TLS error about the hostname/ip mismatch, and not something else, with the new packages?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Looks like this follow-up problem I hit could be https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Might be a windows issue:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/44b0ee8f-bb22-4e1c-8de0-21578d204cfc/win-2k8-ldap-with-ssl-anfd-gssapi-kerberos?forum=winservergen

I'm still updating this server, will try again after the update is finished.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Problem reproduced with the xenial packages, even when using -k in the join command (so it authenticates using kerberos).

With my updated packages, I get further but it fails elsewhere:

root@xenial:~# net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform

Adding some debugging shows:

[LDAP] res_errno: 53, res_error: <2029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between kerberos and ldap ssl

Similarly, I can't use ldap tools with GSSAPI authentication together with TLS or start tls, so this doesn't seem to be exclusive to samba:

root@xenial:~# kinit Administrator
Password for Administrator@LOWTECH.INTERNAL:
root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator
root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:

root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LOWTECH.INTERNAL

Valid starting       Expires              Service principal
12/28/2017 18:52:19  12/29/2017 04:52:19  krbtgt/LOWTECH.INTERNAL@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I have only observed it with net ads join.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Or does it also happen randomly during the day when the server is running?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Thanks for checking. The error happens only when you run "net ads join"?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Thanks for providing packages. I have downloaded the packages:

apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.13~ppa1]

But still I am getting the same errors:

TLS: hostname (IP) does not match common name in certificate (hostname).

when used with TLS_REQCERT Hard, and

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

when used with TLS_REQCERT Allow.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Xenial samba packages with the mentioned change reversed are currently building in this PPA:
https://launchpad.net/~ahasenack/+archive/ubuntu/samba-tls-regression-1576799

Once it's done, and if you are willing to test it, you can add the ppa to your system following the instructions from that page and install/upgrade the packages.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
** Changed in: samba (Ubuntu)
       Status: Incomplete => Confirmed
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
> 1. If above ldapsearch is returning results. then can i assume the certificate is fine?

yes. It looks like https://bugzilla.samba.org/show_bug.cgi?id=13124 is the culprit indeed.

> 2. Are these issues reproducible at your end ?

I don't have access to an AD server yet to try

> 3. Should i provide any further log details ?

Could you perhaps comment in this upstream bug? The developer who made the commit that apparently introduced this regression is asking if someone who could try "net rpc join" (note: rpc, not ads) could test without this patch.
https://bugzilla.samba.org/show_bug.cgi?id=13124

I can build you packages with that change reverted if you are willing to test.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I have updated /etc/ldap/ldap.conf: to TLS_REQCERT hard and run ldapsearch as below.

ldapsearch -x -ZZ -h hostname -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan'

I got output as expected.

Then I ran

net ads join -U Administrator% -d 12

I got the same issue:

TLS: hostname (IP) does not match common name in certificate (hostname).

After changing /etc/ldap/ldap.conf: to TLS_REQCERT Allow I am getting the other issue which I have mentioned earlier:

Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

I have doubts/queries, please clarify.

1. If above ldapsearch is returning results. then can i assume the certificate is fine?
2. Are these issues reproducible at your end ?
3. Should i provide any further log details ?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
That being said, the linked samba bug is interesting: https://bugzilla.samba.org/show_bug.cgi?id=13124

samba git master still has that change, i.e., use addr (ip) instead of ldap_server_name.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
> ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan'

Please use -ZZ. And did you use the IP for -h? Why not the hostname, which I think (from a previous comment you made) is win.cifs.com?

> I am able to confirm with tcpdump that communication is in encrypted mode.

That doesn't mean it's secure. If your client is told to accept any certificate from the server, it would still be vulnerable to MITM attacks.

You need to change this setting back to "hard" in your /etc/ldap/ldap.conf:

TLS_REQCERT hard

and then repeat the ldapsearch command with -ZZ. And use the certificate's commonName value for your ldapsearch "-h" parameter, or one of the certificate's subjectAltName fields that are prefixed with DNS.

** Changed in: samba (Ubuntu)
       Status: Confirmed => Incomplete
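The point of the message above, as an added example that is not part of the bug thread and is not Samba or OpenLDAP code: under TLS_REQCERT hard the name the client connects to must appear in the server certificate, while under allow the session proceeds encrypted even though the server was never authenticated. This is a simplified model; the certificate dict, host names and addresses are constructed placeholders, and only the allow, hard and demand levels are modelled.

```python
import ipaddress

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert().
# Names are placeholders, not values from the bug report.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.example.test"),),),
    "subjectAltName": (
        ("DNS", "dc1.example.test"),
        ("DNS", "*.ad.example.test"),
    ),
}


def _dns_match(pattern, host):
    """Compare one certificate name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Return (dns_names, ip_names) the certificate vouches for."""
    san = cert.get("subjectAltName", ())
    dns = [value for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    # The commonName is accepted as a DNS name too, as the message above says.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in dns:
                dns.append(value)
    return dns, ips


def name_matches(cert, target):
    """True if `target` (host name or IP literal) is named by the certificate."""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: compare against DNS names and the commonName.
        return any(_dns_match(name, target) for name in dns)
    # An IP literal only matches an explicit "IP Address" subjectAltName.
    return any(ipaddress.ip_address(ip) == addr for ip in ips)


def session(reqcert, cert, target, chain_trusted=True):
    """Model TLS_REQCERT. Returns (proceeds, server_authenticated)."""
    level = reqcert.lower()
    if level not in ("allow", "hard", "demand"):
        raise ValueError("only allow/hard/demand are modelled here")
    authenticated = chain_trusted and name_matches(cert, target)
    if level == "allow":
        # A bad certificate is ignored: the traffic is encrypted, but the
        # peer could be anyone who answered on that address.
        return True, authenticated
    # hard/demand: a certificate that fails verification ends the session.
    return authenticated, authenticated


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address.
    for level in ("hard", "allow"):
        for target in ("dc1.example.test", "192.0.2.10"):
            proceeds, authed = session(level, SAMPLE_CERT, target)
            print(f"TLS_REQCERT {level:5} target={target:17} "
                  f"proceeds={proceeds} server_authenticated={authed}")
```

Connecting by IP address is the case the regression produced: the session is refused under hard and goes through unauthenticated under allow.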
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2113
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
ldapsearch -x -Z -h I.P -p 389 -D cn=administrator,cn=users,dc=techmint,dc=lan -w -b 'dc=techmint,dc=lan'

I am able to confirm with tcpdump that communication is in encrypted mode.

samba packages at AD DC server

apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 all [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-common-bin/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-dsdb-modules/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-libs/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-testsuite/now 2:4.3.11+dfsg-0ubuntu0.16.04.11 amd64 [installed,upgradable to: 2:4.3.11+dfsg-0ubuntu0.16.04.12]
samba-vfs-modules/now 2:4.3.11+dfsg

samba Packages other server where net ads is run

apt list --installed | grep samba

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed]
samba-common/xenial-updates,xenial-updates,xenial-security,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 all [installed,automatic]
samba-common-bin/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-dsdb-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-libs/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]
samba-vfs-modules/xenial-updates,xenial-security,now 2:4.3.11+dfsg-0ubuntu0.16.04.12 amd64 [installed,automatic]

Note:- The issue i have mentioned in 5 is also reported in samba bugzilla.
https://bugzilla.samba.org/show_bug.cgi?id=13124

** Bug watch added: Samba Bugzilla #13124
   https://bugzilla.samba.org/show_bug.cgi?id=13124
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
In particular, one of the fixes introduced in samba 4.3.7 was to properly check certificates, as @mdeslaur said in comment #2:

"o CVE-2016-2113 (Missing TLS certificate validation)"

So I would ask you to double check your certificates and chain to make sure all is correct in that front, as samba would have skipped some validation checks before.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2113
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Hello @arjitkumar, what are the samba packages you have? Sorry if I missed that information, but I can't find it in the bug.

And what is the ldapsearch test command you are using? I'm interested in the ssl/tls and authentication parameters, not the search filter. For example, is it using gssapi? start tls (-ZZ)?
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Hi Team,

I have modified my /etc/ldap/ldap.conf

cat /etc/ldap/ldap.conf

    #TLS_REQCERT HARD
    TLS_REQCERT ALLOW
    TLS_CACERT /etc/ssl/certs/msadmaster.pem

After the above changes, net ads is successful with ssl/tls. I have verified at the Windows AD DC end that TLS is being used for communication with the help of Wireshark. Though I am not sure what the impact is of changing TLS_REQCERT to ALLOW from HARD if certificates are being used.

Now I have configured Ubuntu as AD DC and tried to join another Ubuntu machine as member server, but I am getting the below error.

    [LDAP] res_errno: 8, res_error: , res_matched: <>
    kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

ubuntu AD DC smb.conf

    [global]
    workgroup = TECHMINT
    realm = TECHMINT.LAN
    netbios name = ADC1
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash

    [netlogon]
    path = /var/lib/samba/sysvol/techmint.lan/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

smb.conf for ads member server

    [global]
    security = ADS
    workgroup = TECHMINT
    realm = TECHMINT.LAN
    log file = /var/opt/samba/%m.log
    log level = 1
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    # - Adding just this is not enough
    # - You must set a DOMAIN backend configuration, see below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    username map = /etc/opt/samba/user.map
    # ldap ssl = start tls
    # ldap ssl ads = yes
    ldap debug level = 1

    [tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
    ldap ssl = start tls
    ldap ssl ads = yes

are un-commented for smb.conf of ads member server
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Can someone please share config files of a setup and the topology that is showing the problem?

I'm seeing winbind and squid logs in this bug. I think the squid ntlm helper crash should be a separate bug: let's concentrate on samba first.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: samba (Ubuntu)
   Status: New => Confirmed
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I am also getting the same error

    TLS: hostname (IP) does not match common name in certificate (win.cifs.com).

Note: After replacing ldap ssl ads = Yes with the ldap server require strong auth = Yes parameter I am able to communicate, but communication is not secure. I have tried the ldapsearch command, which is working fine and communicating in encryption only. Please suggest what is to be done.
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Here is another bug I found with the exact same regression:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1578576

In the syslog:

    May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
    May 5 17:48:14 hostname kernel: [ 155.558023] ntlm_auth[2208]: segfault at 8 ip 7f87361309b0 sp 7fff54b93398 error 4 in libsamba-security.so.0[7f8736125000+1b000]
    May 5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.254386, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
    May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
    May 5 17:48:14 hostname winbindd[798]: [2016/05/05 17:48:14.321247, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
    May 5 17:48:14 hostname winbindd[798]: Failed to issue the StartTLS instruction: Connect error
    May 5 17:48:14 hostname kernel: [ 155.730606] ntlm_auth[2213]: segfault at 8 ip 7f4b143eb9b0 sp 7fff1e8557f8 error 4 in libsamba-security.so.0[7f4b143e+1b000]
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
In our config, we removed

    ldap ssl ads = Yes

and replaced it with

    ldap server require strong auth = Yes

and we don't get the StartTLS error anymore, but this error still pops up:

    2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication Helper '0x7f483b420888' crashed!.
    2016/05/06 19:50:26 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
I don't think this is a regression. The Samba security update is now more strict when validating TLS certs. I'm not sure why it's using the ip address instead of the hostname, that's probably a configuration issue.

If you want a workaround, you can try adjusting cert checking, see:
https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed#tls_verify_peer_.28G.29
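Added example (not part of the original thread and not Samba or Ubuntu code): a small audit of the two certificate-verification settings raised in the messages above, TLS_REQCERT in /etc/ldap/ldap.conf and tls verify peer in smb.conf, reporting what each relaxed value stops checking. The sample file contents are constructed, and the tls verify peer value in the sample is an assumed setting; the descriptions follow ldap.conf(5) and smb.conf(5).

```python
# Constructed inputs: the ldap.conf lines quoted in the thread, plus an
# smb.conf whose "tls verify peer" value is an assumed example setting.
SAMPLE_LDAP_CONF = "#TLS_REQCERT HARD\nTLS_REQCERT ALLOW\nTLS_CACERT /etc/ssl/certs/msadmaster.pem\n"
SAMPLE_SMB_CONF = "[global]\nldap ssl = start tls\nldap ssl ads = yes\ntls verify peer = ca_only\n"

# What each value stops checking, per ldap.conf(5). None = full verification.
REQCERT = {
    "never": "server certificate is neither requested nor checked",
    "allow": "a missing or invalid server certificate is ignored",
    "try": "a missing server certificate is accepted",
    "demand": None, "hard": None,
}
# Same idea for Samba's own TLS client, per smb.conf(5).
VERIFY_PEER = {
    "no_check": "server certificate is not verified at all",
    "ca_only": "CA signature is checked, the server name is not",
    "ca_and_name_if_available": "name is checked only when connecting by hostname, not by IP",
    "ca_and_name": None, "as_strict_as_possible": None,
}

def ldap_conf_option(text, key, default):
    """Last uncommented 'KEY value' line wins; keywords are case-insensitive."""
    value = default
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == key:
            value = parts[1].strip()
    return value.lower()

def smb_global_option(text, key, default):
    """Read a [global] parameter; Samba ignores case and spaces in names."""
    value, section = default, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, val = line.split("=", 1)
            if "".join(name.lower().split()) == key.replace(" ", ""):
                value = val.strip()
    return value.lower()

def audit(ldap_conf, smb_conf):
    """Return one finding per setting that relaxes certificate verification."""
    settings = (
        ("TLS_REQCERT", ldap_conf_option(ldap_conf, "TLS_REQCERT", "demand"), REQCERT),
        ("tls verify peer", smb_global_option(smb_conf, "tls verify peer", "as_strict_as_possible"), VERIFY_PEER),
    )
    return [f"{name} = {value}: {table.get(value, 'unrecognised value')}"
            for name, value, table in settings if table.get(value, "?") is not None]
```

Calling `audit(SAMPLE_LDAP_CONF, SAMPLE_SMB_CONF)` returns one line per relaxed setting; an empty list means both settings are at a fully verifying value or left at their defaults.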
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1 was just released and was supposed to resolve this issue (https://launchpad.net/bugs/1577739), but the issue still persists. Here is a log snippet, same reproducible steps:

    2016/05/05 18:06:29 kid1| WARNING: ntlmauthenticator #1 exited
    2016/05/05 18:06:29 kid1| Too few ntlmauthenticator processes are running (need 1/20)
    2016/05/05 18:06:29 kid1| Starting new helpers
    2016/05/05 18:06:29 kid1| helperOpenServers: Starting 1/20 'ntlm_auth' processes
    2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication Helper '0x7f4040471a98' crashed!.
    2016/05/05 18:06:29 kid1| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'

    Failed to issue the StartTLS instruction: Connect error
    Failed to join domain: failed to connect to AD: Connect error
[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
** Changed in: samba (Ubuntu)
   Importance: Undecided => High

** Changed in: samba (Ubuntu)
   Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)