[Samba] LDAPS on DC
Fred Smith
fs582087 at gmail.com
Thu Apr 16 22:26:42 MDT 2015
I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I
have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC
but when I attempt to connect to the DC on port 636 or via ldaps:// or both
via ldapsearch (linux) and ldp (windows) I cannot connect.
Failed tests:
*ldapsearch -I -H ldaps://dc*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
*ldapsearch -I -H ldaps://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
*ldapsearch -I -H ldap://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Standard connection works:
*ldapsearch -I -H ldap://dc:389*
SASL/NTLM authentication started
SASL Interaction
Default: issupport
Please enter your authentication name: Administrator
Please enter your password:
SASL username: Administrator
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
text: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:611
# numResponses: 1
Confirmed ports are open and ports open and service is running:
*netstat -lpn*
tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN 823/sshd
tcp 0 0 0.0.0.0:88 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:*
LISTEN 6866/named
tcp 0 0 0.0.0.0:636 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:*
LISTEN 15881/smbd
tcp 0 0 0.0.0.0:1024 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:*
LISTEN 15881/smbd
tcp 0 0 0.0.0.0:464 0.0.0.0:*
LISTEN 15880/samba
tcp 0 0 10.10.2.50:53 0.0.0.0:*
LISTEN 6866/named
tcp 0 0 127.0.0.1:53 0.0.0.0:*
LISTEN 6866/named
*nmap dc*
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-17 12:24 ACST
Nmap scan report for dc (10.10.2.50)
Host is up (0.00099s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
My smb.conf:
# Global parameters
[global]
workgroup = EXAMPLE
realm = SAMDOM.EXAMPLE.ORG
netbios name = DC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
# Disable printing
printcap name = /dev/null
load printers = no
printing = bsd
# Enable ldaps
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
[netlogon]
path = /usr/local/samba/var/locks/sysvol/
samdom.baptistcaresa.org.au/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
*samba-tool testparm -v*
...
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
...
More information about the samba
mailing list