Patch to add TLS support to libads

Jeremy Naylor jnaylor at
Mon Oct 25 22:08:13 GMT 2004

Can someone please tell me what I need to do to get this feature added?



On Thu, 21 Oct 2004 12:47:17 -0400, Jeremy Naylor <jnaylor at> wrote:
> Hello!
> In trying to get a linux machine to join a Win2k3 AD domain, I kept
> getting this error message when I ran "net join -U admin":
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
>   ads_connect: Strong(er) authentication required
> After much googling and experimentation, I discovered that this was
> caused by having this set in the Security Policy on the DC:
>    Domain Controller: LDAP server signing requirements = Require Signing
> Changing this to "None" got it working.  I assume this is because the
> openldap code doesn't support signing?  I couldn't find anything about
> that.
> I've attached a patch that enables TLS in the libads code.  The
> "Require Signing" setting allows for SSL/TLS instead of signing..
> There needs to be a certificate installed on the domain controller for
> TLS to work, but that's better than signing anyway.  You also need the
> CA certificate to verify the server cert, adding "TLS_CACERT
> /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
> CA cert and saving it in testca.cer) got that working.
> I've only tested this on Fedora Core 2 with a DC that has "Require
> Signing" set and has a certificate installed, but setting "ldap ssl =
> off" should disable it.
> Can someone let me know if there's anything else I need to do to get
> this feature integrated in the trunk?
> Thanks!
> -Jeremy

More information about the samba-technical mailing list