
I've installed Samba 4.9.5-Debian with the Active Directory role on Debian 10. The installation is configured with the SAMBA_INTERNAL DNS backend. When I try to connect over LDAPS from a domain-joined Windows 10 laptop with ldp.exe, I get the error below. Decrypted 389 works fine.

ld = ldap_sslinit("smb-dc01", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to smb-dc01.

Settings in ldp.exe:

Connect ->
    Server: smb-dc01
    Port: 636
    SSL: checked

When trying to connect with LDAP from a domain-joined machine, the DC log /var/log/samba/log.samba shows:

[2020/04/02 17:41:11.671421,  3] ../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2020/04/02 17:41:11.695211,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 32:Broken pipe'

If I add the below line to Windows 10 machine's hosts file, then the machine will connect to LDAPS.

192.168.23.54 smb-dc01

I'm not sure what's wrong with the configuration. Non-domain-joined machines work with the same settings. It seems quite peculiar that non-domain-joined machines work better than domain-joined ones.

Configuration files on the Samba DC:

/etc/samba/smb.conf

# Global parameters
[global]
        dns forwarder = 192.168.23.5
        netbios name = SMB-DC01
        realm = DM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = DM
        idmap_ldb:use rfc2307 = yes

        tls enabled  = yes
        tls keyfile  = tls/smb-dc01.key
        tls certfile = tls/smb-dc01-server.cer
        tls cafile   = tls/root-ca.cer
        # Debugging / logging
        # https://serverfault.com/questions/389166/how-to-debug-samba-authorization-authentication-procedure
        log level = 3
[netlogon]
        path = /var/lib/samba/sysvol/dm.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

/etc/resolv.conf

domain dm.example.com
search dm.example.com
nameserver 192.168.23.54

/etc/krb5.conf

[libdefaults]
        default_realm = DM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/hosts

127.0.0.1       localhost
192.168.23.54   smb-dc01.dm.example.com  smb-dc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Test with non-domain-joined Windows 10 machines

I tested with two different Windows 10 machines, one joined to another domain and one without any domain. Connecting to LDAPS works well when DNS is set to point to the Samba DC.

Log /var/log/samba/log.samba of successful connect / disconnect:

# Connect
[2020/04/02 17:38:17.646796,  3] ../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb

# Disconnect
[2020/04/02 17:39:42.623855,  2] ../source4/dsdb/kcc/kcc_periodic.c:785(kccsrv_samba_kcc)
  Calling samba_kcc script
[2020/04/02 17:39:42.825060,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2020/04/02 17:39:43.090504,  3] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/sbin/samba_kcc exited 0
[2020/04/02 17:39:43.090585,  3] ../source4/dsdb/kcc/kcc_periodic.c:770(samba_kcc_done)
  Completed samba_kcc OK
[2020/04/02 17:39:44.216277,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
Eastman

1 Answer


Writing a well-structured question helps one's own thinking. I found that one needs to add the full FQDN to the subjectAltName in the OpenSSL configuration before generating the certificate signing request.

In the configuration below, the line DNS.2 = smb-dc01.dm.example.com has been added.

smb-dc01-openssl.conf

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=AT
ST=Wien
L=Wien
O=DM
OU=IT
emailAddress=it@example.com
CN = smb-dc01.dm.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = smb-dc01
DNS.2 = smb-dc01.dm.example.com
DNS.3 = smb-dc01.dm
DNS.4 = smb-dc01.example
DNS.5 = smb-dc01.example.com

I use this command to generate the key and certificate signing request:

openssl req -out "smb-dc01.csr" -newkey rsa:2048 -nodes -keyout "smb-dc01.key" -config "smb-dc01-openssl.conf"

I'm signing/generating the certificate on a Windows Server 2012 R2 machine with Active Directory Certificate Services installed. The Web Server template was used, as it carries the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (OID).

The document https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority states that the FQDN must be in either the CN or the Subject Alternative Name, but it seems that Samba AD DC 4.9.5 requires the FQDN in the Subject Alternative Name as well.

UPDATE:

Warning

When a certificate contains alternative names, all common names are ignored. Newer certificates produced by CAs may not even include any common names. For that reason, include all desired hostnames on the alternative names list.

Eastman
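As an added example (not part of the answer above), the script below generates the key and CSR with a trimmed copy of the answer's OpenSSL config and then checks that the DC's FQDN is really listed as a DNS entry in the Subject Alternative Name, both in the CSR and in the certificate that comes back. The host names are the question's; the temporary work directory and the self-signed certificate (standing in for the one issued by the Windows CA) are constructed here.

```shell
#!/bin/sh
# Added example, not from the original answer: build the CSR from the answer's
# config, then verify the FQDN is present as a DNS SAN in CSR and certificate.
# Self-signing below is only a stand-in for the CA step described in the answer.
set -eu
WORK="$(mktemp -d)"
CONF="$WORK/smb-dc01-openssl.conf"

cat > "$CONF" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
O = DM
CN = smb-dc01.dm.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = smb-dc01
DNS.2 = smb-dc01.dm.example.com
EOF

# Same command as in the answer, run inside the temp dir.
openssl req -out "$WORK/smb-dc01.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/smb-dc01.key" -config "$CONF" 2>/dev/null

# Stand-in for the CA: self-sign, carrying the requested extensions over.
openssl x509 -req -in "$WORK/smb-dc01.csr" -signkey "$WORK/smb-dc01.key" \
    -days 1 -extfile "$CONF" -extensions req_ext \
    -out "$WORK/smb-dc01-server.cer" 2>/dev/null

# has_dns_san KIND FILE NAME: KIND is "req" (CSR) or "x509" (certificate).
# Succeeds only if NAME appears as a DNS entry in the Subject Alternative Name.
# The CN is deliberately not consulted: clients ignore it once any SAN exists.
has_dns_san() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -Eq "DNS:$3(,|\$)"
}

has_dns_san req  "$WORK/smb-dc01.csr"        smb-dc01.dm.example.com && echo "CSR: FQDN in SAN"
has_dns_san x509 "$WORK/smb-dc01-server.cer" smb-dc01.dm.example.com && echo "cert: FQDN in SAN"
```

Running the x509 check against the certificate actually returned by the CA catches the case where the CA template drops the requested SAN, which produces the same ldp.exe error 81 as a CSR without the FQDN.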