Patch to add TLS support to libads

Jeremy Naylor jnaylor at gmail.com
Thu Oct 21 16:47:17 GMT 2004


Hello!

In trying to get a linux machine to join a Win2k3 AD domain, I kept
getting this error message when I ran "net join -U admin":

[2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Strong(er) authentication required

After much googling and experimentation, I discovered that this was
caused by having this set in the Security Policy on the DC:

   Domain Controller: LDAP server signing requirements = Require Signing

Changing this to "None" got it working.  I assume this is because the
openldap code doesn't support signing?  I couldn't find anything about
that.

I've attached a patch that enables TLS in the libads code.  The
"Require Signing" setting allows for SSL/TLS instead of signing.
There needs to be a certificate installed on the domain controller for
TLS to work, but that's better than signing anyway.  You also need the
CA certificate to verify the server cert; adding "TLS_CACERT
/etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
CA cert and saving it in testca.cer) got that working.

I've only tested this on Fedora Core 2 with a DC that has "Require
Signing" set and has a certificate installed, but setting "ldap ssl =
off" should disable it.

Can someone let me know if there's anything else I need to do to get
this feature integrated in the trunk?

Thanks!

-Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.7-tls.patch
Type: text/x-patch
Size: 984 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20041021/27ca1fdc/samba-3.0.7-tls.bin
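The client-side configuration the message describes, written out as an added example (not the author's patch and not Samba's or OpenLDAP's own files); the realm, DC hostname and certificate path are placeholders, and the smb.conf part assumes a libads that honours "ldap ssl" as the patch intends:

```ini
# /etc/openldap/ldap.conf  (OpenLDAP client library, which libads links against)
# ldap.conf does not support trailing comments, so every comment is on its own line.

# Weak (commented out): with no CA configured, OpenLDAP's default of
# TLS_REQCERT demand makes every StartTLS handshake fail, and loosening
# it to "never" accepts any certificate the DC presents.
#TLS_REQCERT never

# Hardened: trust only the CA certificate exported from the domain's CA
# (OpenLDAP expects PEM; export the .cer in Base-64 form) and refuse
# any server certificate that does not verify against it.
TLS_CACERT /etc/samba/testca.cer
TLS_REQCERT demand

# /etc/samba/smb.conf  (placeholder realm and workgroup)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # Weak: plaintext LDAP, which a DC set to "Require Signing" rejects
    # with "Strong(er) authentication required".
    #ldap ssl = off
    # Hardened: LDAPv3 StartTLS on port 389, verified with the CA above.
    ldap ssl = start_tls
```

Before retrying "net join", `ldapsearch -ZZ -x -H ldap://dc.example.com -s base -b ''` (the -ZZ flag makes ldapsearch abort unless StartTLS succeeds) confirms that the handshake and certificate verification work with this ldap.conf on their own.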