[Samba] winbind, idmap_ad and ldaps

Ollenburg, Andreas (KRZ) A.Ollenburg at krz.de
Thu Jul 28 04:31:22 MDT 2011

Hello from Germany,

I have a problem with the following constellation:

A Samba file server (Samba 3.5.6) running in a Windows AD as a member server, using idmap_ad for mapping the user IDs. This all works fine as long as LDAP port 389 is available on the domain controllers. Now our AD admin wants to close this and move over to LDAPS. And here is my problem: how do I configure my Samba server, or rather winbindd, so that it only communicates on port 636? I think I have tried all combinations available in the manuals, but it still uses port 389 (e.g. ldap ssl = start tls + ldap ssl ads = yes, winbind rpc only = yes, name resolve order = host). The idmap backend should stay on "ad" for the ADS; we do not want to change it to the ldap backend.

What we discovered is this:

-       In the gencache there is always the NBT/<DOMAIN>#1C entry for the DCs with port 389.
-       We changed the SRV entries for _ldap._tcp.dc._msdcs.<domain> so that they return port 636; no difference regarding the entry in the gencache.
-       As soon as I close outgoing communication on port 389 using iptables, the gencache entry changes to port 636, but winbindd is then unable to open any network connection.

So obviously winbindd needs some initial communication on port 389 when connecting to AD, which it shouldn't. Any ideas welcome.

Andreas Ollenburg
Kommunales Rechenzentrum
Minden-Ravensberg / Lippe
Tel.: 05261 / 252-108
Fax: 05261 / 932-108
E-Mail: a.ollenburg at krz.de
* Please check whether this e-mail really needs to be printed!
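A small verification script, added here as an example and not part of Andreas's post or of Samba itself: it reads `netstat -tnp` output and lists the remote ports a given process (here winbindd) actually has TCP connections to, so the "only 636" requirement can be checked directly after a configuration change instead of being inferred from the gencache. The addresses, ports and PIDs in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Parses Linux `netstat -tnp`
# output and reports which remote ports a process is connected to.

# Constructed sample output (hypothetical hosts 10.0.0.1/10.0.0.2 as DCs).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:44512          10.0.0.1:389            ESTABLISHED 1234/winbindd
tcp        0      0 10.0.0.5:44513          10.0.0.1:636            ESTABLISHED 1234/winbindd
tcp        0      0 10.0.0.5:44520          10.0.0.2:445            ESTABLISHED 1234/winbindd
tcp        0      0 10.0.0.5:51000          10.0.0.9:443            ESTABLISHED 2222/curl'

# Print "peer-host peer-port" for every TCP connection owned by program $1.
# stdin: netstat -tnp output. Only tcp/tcp6 rows are considered; the
# PID/Program column ($7) is matched on the program name after the slash.
peer_ports_of() {
    awk -v prog="$1" '
        $1 ~ /^tcp6?$/ && $7 ~ ("/" prog "$") {
            n = split($5, a, ":")      # foreign address is host:port
            print a[1] " " a[n]        # last element is the port
        }'
}

# Return 0 if program $1 has no connection to plain LDAP (389); otherwise
# print the peers still reached on 389 to stderr and return 1.
assert_no_plain_ldap() {
    offenders=$(peer_ports_of "$1" | awk '$2 == 389 { print $1 }')
    if [ -n "$offenders" ]; then
        echo "plain LDAP (389) still in use by $1 towards: $offenders" >&2
        return 1
    fi
    return 0
}
```

On the member server, run `netstat -tnp | assert_no_plain_ldap winbindd` right after restarting winbindd and forcing a lookup (for example `wbinfo -u`), since the connections of interest are only open for a short time. To see which connection attempts still go to 389 without breaking them, as the blocking iptables rule in the post does, an iptables LOG rule on OUTPUT for tcp dport 389 records each attempt in the kernel log; this assumes iptables is in use on the server.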
