[Samba] LDAPS on DC

Fred Smith fs582087 at gmail.com
Thu Apr 16 22:26:42 MDT 2015


I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I
have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC
but when I attempt to connect to the DC on port 636 or via ldaps:// or both
via ldapsearch (linux) and ldp (windows) I cannot connect.

Failed tests:

*ldapsearch -I -H ldaps://dc*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: (unknown error code)

*ldapsearch -I -H ldaps://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: (unknown error code)

*ldapsearch -I -H ldap://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Standard connection works:

*ldapsearch -I -H ldap://dc:389*
SASL/NTLM authentication started
SASL Interaction
Default: issupport
Please enter your authentication name: Administrator
Please enter your password:
SASL username: Administrator
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object
text: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:611

# numResponses: 1


Confirmed ports are open and the service is running:

*netstat -lpn*

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      823/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      6866/named
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      15881/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      15881/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      15880/samba
tcp        0      0 10.10.2.50:53           0.0.0.0:*               LISTEN      6866/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6866/named

*nmap dc*

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-17 12:24 ACST
Nmap scan report for dc (10.10.2.50)
Host is up (0.00099s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds


My smb.conf:

# Global parameters
[global]
        workgroup = EXAMPLE
        realm = SAMDOM.EXAMPLE.ORG
        netbios name = DC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        # Disable printing
        printcap name = /dev/null
        load printers = no
        printing = bsd

        # Enable ldaps
        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.baptistcaresa.org.au/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


*samba-tool testparm -v*

...
        tls enabled = Yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem
        tls crlfile =
        tls dh params file =
...


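A stage-by-stage probe like the one below separates the cases that ldapsearch collapses into one "Can't contact LDAP server (-1)": nothing reachable on the port, a port that is open but does not complete a TLS handshake, and a TLS server whose certificate the client does not trust. This is an added diagnostic, not code from the post or from Samba; the host name "dc" and the CA file path are assumptions to replace with your own.

```python
"""Probe an LDAPS endpoint in stages: TCP connect -> TLS handshake -> verified TLS."""
import socket
import ssl


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage_reached, detail) for the LDAPS endpoint host:port.

    stage_reached is the last stage that succeeded:
      'none'   - TCP connect failed (firewall, nothing listening)
      'tcp'    - TCP ok, but the peer did not complete a TLS handshake
                 (plain LDAP on that port, or TLS not actually enabled)
      'tls'    - TLS ok without verification, but the certificate is not trusted
                 by cafile / the system store (a frequent cause of the -1 error)
      'verify' - fully verified LDAPS; detail holds the certificate subject
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "none", f"tcp connect failed: {exc}"
    # Stage 1: unverified handshake, which answers "does this port speak TLS at all?"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tcp", f"tls handshake failed: {exc}"
    # Stage 2: verified handshake against the trust store the LDAP client would use
    vctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw2, \
                vctx.wrap_socket(raw2, server_hostname=host) as tls2:
            subject = dict(x[0] for x in tls2.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as exc:
        return "tls", f"{version} ok, certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"{version} ok, verified handshake failed: {exc}"
    return "verify", f"{version}, subject={subject}"


if __name__ == "__main__":
    # Assumed host name and CA file; the CA file is the one that signed the DC's cert.
    stage, detail = probe_ldaps("dc", 636, cafile="/usr/local/samba/private/tls/ca.pem")
    print(f"reached stage {stage!r}: {detail}")
```

If the probe stops at 'tls', the DC is serving LDAPS correctly and the fix is on the client side (trusting the CA that signed tls/cert.pem); if it stops at 'tcp', the listener on 636 is not completing a TLS handshake and the server configuration is the place to look.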