[Samba] ldap start_tls to microsoft active directory

Andrew Bartlett abartlet at samba.org
Thu Jan 29 11:49:33 MST 2015

On Wed, 2015-01-28 at 10:11 -0600, Russell Poyner wrote:
> I have 20+ FreeBSD 10 Samba 4 servers joined to our local Microsoft
> Active Directory. At the moment things work well enough. However, the
> Windows administrator wants to tighten his AD security by requiring
> TLS-encrypted LDAP.
> When I add:
> ldap ssl = start_tls
> ldap ssl ads = yes
> cldap port = 389
> the net ads commands fail:
> net ads testjoin
> Failed to issue the StartTLS instruction: Connect error
> Failed to issue the StartTLS instruction: Connect error
> Join to domain is not valid: NT code 0xfffffff5
> Capturing packets with Wireshark shows the Samba machine ending the TLS
> negotiation with an unrecognized CA message.
> The Windows domain uses self-signed certificates, and I have copies of
> the CA cert and the individual client certs in PEM format. Using these I
> can connect to the domain controllers with gnutls-cli using StartTLS on
> port 389.
> smbd -b |grep ENABLE_GNUTLS
> shows that I do in fact have GNUTLS support.
> I've tried multiple variations of
> tls keyfile
> tls certfile
> and also added the certs in openldap/ldap.conf
> but I've not been able to get Samba to connect to AD LDAP over TLS. I
> can't seem to convince it to trust the AD machine's certificate.
> Does anyone have ldap ssl working against a MS domain controller?

You have tripped over the fact that we have two different, independent
LDAP paths in Samba.  We have one using GNUTLS, which is used by the AD DC
and the ldb tools, and another using OpenSSL, or whatever your libldap was
linked to.  You are looking for that second path, and it is configured
however (presumably) OpenLDAP's LDAP client libs are configured.

However, you may wish to just try a Samba 4.2 pre-release, where we
turned on a different form of encrypted LDAP (based on Kerberos or
NTLMSSP) by default.  If that works for you, the final 4.2 should not be
too far off, or just change the same smb.conf options mentioned in the

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
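
Added example, not part of the message above or of Samba's own code: a small shell helper for checking the second LDAP path the reply describes, by identifying which TLS library libldap is linked to and whether the ldap.conf it reads can verify the DC certificate. The function names, host name and file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Classify the TLS library from `ldd <libldap.so>` output on stdin.
# Run ldd on libldap itself, not on `net`: Samba's own GnuTLS path makes
# libgnutls appear in `ldd net` whatever libldap was linked to.
libldap_tls_backend() {
    awk '
        /libgnutls/ { g = 1 }
        /libssl/    { o = 1 }
        END {
            if (o && g)  print "both"
            else if (o)  print "openssl"
            else if (g)  print "gnutls"
            else         print "unknown"
        }'
}

# Print the first uncommented value of OPTION in an ldap.conf-style FILE.
# Option names are matched case-insensitively.
ldap_conf_option() {    # usage: ldap_conf_option FILE OPTION
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(want) { print $2; exit }' "$1"
}

# Succeed only if FILE names a readable CA file and does not relax
# certificate checking. Only TLS_CACERT is examined (not TLS_CACERTDIR).
check_ldap_conf() {     # usage: check_ldap_conf FILE
    ca=$(ldap_conf_option "$1" TLS_CACERT)
    req=$(ldap_conf_option "$1" TLS_REQCERT)
    [ -n "$ca" ] || { echo "no TLS_CACERT"; return 1; }
    [ -r "$ca" ] || { echo "unreadable CA file: $ca"; return 1; }
    case "$(echo "$req" | tr 'A-Z' 'a-z')" in
        never|allow) echo "TLS_REQCERT $req does not enforce verification"; return 1 ;;
    esac
    echo "ok: $ca"
}

# Live StartTLS check outside Samba (host and CA path are placeholders):
#   LDAPTLS_CACERT=/path/to/ad-ca.pem ldapsearch -x -ZZ \
#       -H ldap://dc1.example.com -s base -b "" defaultNamingContext
```

Feed `libldap_tls_backend` the output of `ldd` run on the libldap shared object that `net` actually loads, and point `check_ldap_conf` at the ldap.conf that library reads on your system.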
