Updated from 9.3 to 9.10 but CIFS stops working (smbd component with start tls)

Islander

Symptoms:

the smbd lasts only about 5 seconds from the GUI stop/start
You see "Failed to issue the StartTLS instruction: Connect error"

Digging around ...

Invoking manually we see a failure
# smbd -i
...
added interface bge0 ip=xxx.xx.xx.xx bcast=xxx.xx.xx.xx netmask=255.255.255.0
loaded services
INFO: Profiling support unavailable in this build.
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MICKEY))]
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!

If we add debug info:
1) add "ldap debug = 1" to /usr/local/etc/smb4.conf
2) pass -d 10 (yes, 10!) as the -d option to smbd
# smbd -i -d 10

smb_ldap_setup_connection: ldap://ldapserver.fqdn
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
Failed search for base: dc=xx,dc=yy,dc=zz, error: -1 (Can't contact LDAP server) (error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac)
smb_ldap_setup_connection: ldap://ldapserver.fqdn
Failed to issue the StartTLS instruction: Connect error


Now "bad record mac" should NEVER happen (see References) and it didn't happen back on FreeNAS 9.3.


This behaviour was seen even in a pre-release back on January 6th (if you follow the whole thread).

The same search attempted by smbd can be done manually without problems:

# ldapsearch -W -D "cn=someuser,ou=profile,dc=xx,dc=yy,dc=zz" -Z objectClass=sambaDomain |fgrep -i sambaDomainName
Enter LDAP Password: xxxxx


... (ldap entries presented OK)

References

On why bad record mac should not happen:


http://security.stackexchange.com/q...fatal-bad-record-mac-during-openssl-handshake


In this thread (link below) a user of FreeNAS (in the thread entry by John Hixson) ran into problems (with a pre-release of FreeNAS based on FreeBSD 10?). The thread started with the problem of another user upgrading from FreeBSD 9.3 to FreeBSD 10, and that is what this FreeNAS upgrade (9.3 -> 9.10) does too, right?

At the time of writing the thread offers no solution :(

https://lists.samba.org/archive/samba/2016-January/197053.html

"I work on FreeNAS and have at least one complaint about this exact same
issue. I'm interested in a solution (or reason for this) as well."
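
An added example, not part of the original post and not Samba or FreeNAS code: a small triage script for the smbd -i -d 10 output quoted above. It counts StartTLS failures and unpacks the OpenSSL error code, assuming the OpenSSL 1.0.x/1.1.x packing (8-bit library, 12-bit function, 12-bit reason); the function names, verdict labels and sample log are constructed for illustration.

```python
import re

# Constructed sample, modelled on the debug output quoted in the post.
SAMPLE_LOG = """\
smb_ldap_setup_connection: ldap://ldapserver.fqdn
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
Failed search for base: dc=xx,dc=yy,dc=zz, error: -1 (Can't contact LDAP server) (error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac)
smb_ldap_setup_connection: ldap://ldapserver.fqdn
Failed to issue the StartTLS instruction: Connect error
"""

STARTTLS_FAIL = "Failed to issue the StartTLS instruction"
# Text form used by OpenSSL 1.0.x/1.1.x: error:<8 hex digits>:<lib>:<func>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^)\n]*)")
ERR_LIB_SSL = 20  # library number behind "SSL routines"


def unpack_openssl_code(hex_code):
    """Split a packed OpenSSL error code into (lib, func, reason) numbers."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Summarise StartTLS failures and any OpenSSL errors in smbd debug output."""
    failures = log_text.count(STARTTLS_FAIL)
    tls_errors = []
    for code, _lib_name, func_name, reason_text in OPENSSL_ERR.findall(log_text):
        lib, func, reason = unpack_openssl_code(code)
        tls_errors.append({"lib": lib, "func": func, "reason": reason,
                           "where": func_name, "text": reason_text.strip()})
    if any(e["lib"] == ERR_LIB_SSL for e in tls_errors):
        # OpenSSL's SSL library raised the error: records were exchanged with
        # the server, so look at TLS settings/libraries, not at reachability.
        verdict = "tls-layer"
    elif failures:
        # StartTLS failed but the log has no OpenSSL detail; raise the debug level.
        verdict = "no-tls-detail"
    else:
        verdict = "clean"
    return {"starttls_failures": failures, "tls_errors": tls_errors,
            "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["verdict"], report["starttls_failures"])
    for err in report["tls_errors"]:
        print(err)
```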
 
dlavigne
Please report those details at bugs.freenas.org and post the issue number here.
 