I found myself in a situation in which an Active Directory client (SSSD on Ubuntu) was not getting the expected search results from a Samba 4 Active Directory.

Ultimately it was a permissions issue. sigh

I used the following process to read the encrypted LDAP (Kerberos/GSS-API) stream between the client and the server. It didn't help but I thought I'd note it down anyway.

Wireshark Setup

First up, in order to decrypt the encrypted traffic, you need the keytab from the Domain Controller. With Samba 4 this is as easy as running the following on a Domain Controller:

sudo samba-tool domain exportkeytab /home/ubuntu/samba.keytab

Copy the resulting file to the machine you will run Wireshark on.

On non-Samba domains, use the details on this page to export a keytab: https://wiki.wireshark.org/Kerberos

In Wireshark's Preferences dialogue (Edit menu), expand Protocols and find the KRB5 entry. Tick the “Try to decrypt Kerberos blobs” check box, click Browse, select the keytab file you exported earlier, and click OK.

Start the capture

In my case, both the client and server were remote machines. I used the process documented here to start remote packet capture on the client. My command was:

wireshark -k -i <(ssh [email protected] sudo /usr/sbin/tcpdump -i any -n -U -w - tcp port 389)

Port 389 is the default LDAP port.

Tips for reading the output

Did the decryption work?

If the keytab was loaded correctly, you should see entries in the Info column marked as “SASL GSS-API Privacy (decrypted)”.

Request and response

Each search request carries a messageID that its response echoes. Look for searchRequest(X) entries; once you find the one for the query you are diagnosing, the matching searchResEntry(X) will carry the same X. Expanding the sections in the middle panel shows the detail of the request or response, and Wireshark will even kindly add a hint such as “[Response To: X]”.
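The same messageID matching can be scripted when a capture holds many searches. The following is an added example, not code from the original post: it pairs each searchRequest with its searchResEntry and searchResDone PDUs over a few constructed, tab-separated lines in the shape of `tshark -T fields` output (the field names `ldap.messageID` and `ldap.protocolOp` and the comma-joined multi-PDU rendering are assumptions).

```python
"""Pair LDAP search requests with their responses by messageID.

Input lines are constructed to look like `tshark -T fields -e frame.number
-e ldap.messageID -e ldap.protocolOp` output (field names assumed). A single
frame can carry several LDAP PDUs, rendered as comma-separated values.
"""

# Constructed sample: frame, messageID(s), protocolOp(s).
SAMPLE = """\
12\t5\tsearchRequest
14\t5,5\tsearchResEntry,searchResDone
17\t6\tsearchRequest
19\t6\tsearchResDone
21\t7\tsearchRequest
"""


def parse_fields(text):
    """Yield (frame, messageID, op) tuples, splitting multi-PDU frames."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, ids, ops = line.split("\t")
        for msg_id, op in zip(ids.split(","), ops.split(",")):
            yield int(frame), int(msg_id), op


def pair_searches(text):
    """Map messageID -> request frame, entry frames and the searchResDone frame."""
    searches = {}
    for frame, msg_id, op in parse_fields(text):
        if op == "searchRequest":
            searches[msg_id] = {"request": frame, "entries": [], "done": None}
        elif msg_id in searches and op == "searchResEntry":
            searches[msg_id]["entries"].append(frame)
        elif msg_id in searches and op == "searchResDone":
            searches[msg_id]["done"] = frame
    return searches


def summarize(searches):
    """Classify each search: 'ok', 'empty' (done with no entries) or 'unanswered'."""
    result = {}
    for msg_id, s in sorted(searches.items()):
        if s["done"] is None:
            result[msg_id] = "unanswered"
        elif not s["entries"]:
            result[msg_id] = "empty"
        else:
            result[msg_id] = "ok"
    return result


if __name__ == "__main__":
    for msg_id, status in summarize(pair_searches(SAMPLE)).items():
        print(f"searchRequest({msg_id}): {status}")
```

A search that comes back “empty” (searchResDone with no searchResEntry) is the pattern to look for when the server is silently filtering results, as in the permissions case above.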