[Samba] ldap start_tls to microsoft active directory

Russell Poyner russell.poyner at wisc.edu
Wed Jan 28 09:11:52 MST 2015

I have 20+ freebsd 10 samba 4 servers joined to our local microsoft 
active directory. At the moment things work well enough. However the 
windows administrator wants to tighten his AD security by requiring tls 
encrypted ldap.

When I add:
ldap ssl = start_tls
ldap ssl ads = yes
cldap port = 389

the net ads commands fail:
net ads testjoin
Failed to issue the StartTLS instruction: Connect error
Failed to issue the StartTLS instruction: Connect error
Join to domain is not valid: NT code 0xfffffff5

Capturing packets with wireshark shows the samba machine ending the tls 
negotiation with an unrecognized CA message.

The windows domain uses self signed certificates, and I have copies of 
the CA cert and the individual client certs in pem format. Using these I 
can connect to the domain controllers with gnutls-cli using start tls on 
port 389.

smbd -b |grep ENABLE_GNUTLS
shows that I do in fact have GNUTLS support.

I've tried multiple variations of
tls keyfile
tls certfile

and also added the certs in openldap/ldap.conf

but I've not been able to get samba to connect to AD  ldap over tls. I 
can't seem to convince it to trust the AD machines certificate.

Does anyone have ldap ssl working against a MS domain controller?

Thanks in advance
Russ Poyner

More information about the samba mailing list