[Samba] ldap start_tls to microsoft active directory
Russell Poyner
russell.poyner at wisc.edu
Wed Jan 28 09:11:52 MST 2015
I have 20+ FreeBSD 10 Samba 4 servers joined to our local Microsoft
Active Directory. At the moment things work well enough. However, the
Windows administrator wants to tighten his AD security by requiring
TLS-encrypted LDAP.
When I add:
ldap ssl = start_tls
ldap ssl ads = yes
cldap port = 389
the net ads commands fail:
net ads testjoin
Failed to issue the StartTLS instruction: Connect error
Failed to issue the StartTLS instruction: Connect error
Join to domain is not valid: NT code 0xfffffff5
Capturing packets with Wireshark shows the Samba machine ending the TLS
negotiation with an "unrecognized CA" message.
The Windows domain uses self-signed certificates, and I have copies of
the CA cert and the individual client certs in PEM format. Using these I
can connect to the domain controllers with gnutls-cli using StartTLS on
port 389.
smbd -b |grep ENABLE_GNUTLS
shows that I do in fact have GnuTLS support.
I've tried multiple variations of
tls keyfile
tls certfile
and also added the certs in openldap/ldap.conf
but I've not been able to get Samba to connect to AD LDAP over TLS. I
can't seem to convince it to trust the AD machine's certificate.
Does anyone have ldap ssl working against an MS domain controller?
Thanks in advance
Russ Poyner
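An added example, not from Russ's post or from Samba itself, that reproduces the trust failure he describes without a domain: a constructed stand-in CA signs a DC certificate, the chain check fails when only the system trust store is consulted (the "unrecognized CA" case) and passes once the CA file is supplied. It assumes an openssl binary on PATH; the CA name, DC name and file paths are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes an openssl binary.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the domain's CA and a DC certificate it signed
# (names are made up; in practice these are the PEM files exported from AD).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example AD Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=dc1.example.test" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/dc.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/dc.pem" >/dev/null 2>&1
}

# The chain check a TLS client performs before the handshake can continue:
# returns 0 only if the cert in $1 chains to a CA in the file $2, or, with
# $2 empty, to a CA already in the system trust store.
verify_dc_cert() {
  cert=$1; ca=$2
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify "$cert" 2>/dev/null | grep -q ': OK$'
  fi
}

# Live form of the same check over StartTLS on port 389 (not run here;
# assumes OpenSSL 1.1.1 or newer for -starttls ldap). $1 = DC host, $2 = CA file.
starttls_check() {
  openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

make_test_pki
```

Whatever CA bundle the LDAP client library on the Samba host actually consults must contain the domain CA for the second check to pass; until it does, the client aborts the handshake exactly as the capture shows.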