Patch to add TLS support to libads
jnaylor at gmail.com
Thu Oct 21 16:47:17 GMT 2004
In trying to get a linux machine to join a Win2k3 AD domain, I kept getting this error message when I ran "net join -U admin":

[2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
ads_connect: Strong(er) authentication required

After much googling and experimentation, I discovered that this was caused by having this set in the Security Policy on the DC:

Domain Controller: LDAP server signing requirements = Require Signing

Changing this to "None" got it working. I assume this is because the openldap code doesn't support signing? I couldn't find anything about

I've attached a patch that enables TLS in the libads code. The "Require Signing" setting allows for SSL/TLS instead of signing. There needs to be a certificate installed on the domain controller for TLS to work, but that's better than signing anyway. You also need the CA certificate to verify the server cert; adding "TLS_CACERT /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the CA cert and saving it in testca.cer) got that working.

I've only tested this on Fedora Core 2 with a DC that has "Require Signing" set and has a certificate installed, but setting "ldap ssl = off" should disable it.

Can someone let me know if there's anything else I need to do to get this feature integrated in the trunk?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 984 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20041021/27ca1fdc/samba-3.0.7-tls.bin
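The post's "you also need the CA certificate to verify the server cert" step is the part that makes the TLS connection worth anything: without a trusted CA file the client cannot tell the real DC from any other host presenting a certificate. The script below is an added example, not part of the original post or of the Samba patch it refers to. It assumes only the openssl command-line tool is available; it builds a throw-away test CA (standing in for the exported testca.cer) and a DC certificate signed by it, then runs the same chain check an LDAP client performs with TLS_CACERT set, and shows that the check fails when no CA file is configured. All names (Test CA, dc.example.test) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba patch): generate a test
# CA and a CA-signed "DC" certificate with openssl, then verify the DC cert the
# way an LDAP client does once TLS_CACERT points at the exported CA cert.
set -e

WORK=$(mktemp -d)

# Create the test CA. In the real setup this is the AD CA's root certificate,
# exported from the DC and saved as testca.cer (a constructed name here).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/testca.cer" >/dev/null 2>&1
}

# Issue a server certificate for the hypothetical domain controller, signed by
# the test CA. This stands in for the certificate that must be installed on the
# DC before LDAP over TLS can work at all.
make_dc_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=dc.example.test" \
        -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/dc.csr" \
        -CA "$WORK/testca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/dc.crt" >/dev/null 2>&1
}

# Chain check with the CA file configured (what "TLS_CACERT /path/testca.cer"
# in ldap.conf gives the client). Exit status 0 means the DC cert is trusted.
verify_with_ca() {
    openssl verify -CAfile "$WORK/testca.cer" "$WORK/dc.crt" >/dev/null 2>&1
}

# Same check with no CA file at all: this is the situation when ldap.conf has no
# TLS_CACERT line. Verification must fail (non-zero exit), which is the
# behaviour you want rather than a silent fall-back to trusting anything.
verify_without_ca() {
    openssl verify -no-CApath -no-CAfile "$WORK/dc.crt" >/dev/null 2>&1
}

make_test_ca
make_dc_cert

if verify_with_ca; then
    echo "with CA file:    DC certificate chains to testca.cer (trusted)"
fi
if ! verify_without_ca; then
    echo "without CA file: DC certificate cannot be verified (rejected)"
fi
```

Run it once to see both outcomes; the second line is the failure mode you would otherwise only meet as a failed "net join" after enabling TLS without exporting the CA cert. The same pair of checks is a quick way to confirm that the file you point TLS_CACERT at really is the issuer of the DC's certificate before touching the Samba configuration.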