[Samba] samba net ads join windows active directory with ldap ssl
Arjit Gupta
arjitk.gupta at gmail.com
Mon Dec 4 09:40:23 UTC 2017
Hi,
I have enabled ldap ssl on Windows 2008 server active directory and want to
join ads domain with net ads join command.
I am getting the below error:
net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error
I have done the below steps:
1. Configure secure LDAP (SSL) on Active Directory. YouTube link
<https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
2. Obtain client certificate.
certutil -ca.cert client.crt
3. Copy client certificate to linux machine.
4. Run the net ads join -U Administrator command
*My ldap.conf*
cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/client.crt
*My smb.conf*
[global]
ldap debug level = 1
ldap ssl = start tls
ldap ssl ads = yes
workgroup = CIFS
security = ads
realm = cifs.com
netbios name = ubuntu
encrypt passwords = yes
log file = /var/opt/samba/log.%m
debug level = 0
max log size = 1000
syslog = 0
panic action = /var/opt/samba/panic-action %d
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = no
create mask = 0700
directory mask = 0700
[tmp]
comment = Temporary file space
path = /tmp
read only = no
*NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
Active Directory domain.
Arjit Kumar
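Added example, not part of Arjit's post and not Samba's own code: a small Python probe that does by hand what net ads join does first when ldap ssl = start tls is in effect, so the "Failed to issue the StartTLS instruction" step can be checked on its own, outside Samba. It opens TCP/389 to the DC, sends the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), decodes the ExtendedResponse, and only then runs the TLS handshake, verifying the DC's certificate chain against the same file that ldap.conf names in TLS_CACERT, which is what libldap does for the real join. The DC name dc1.cifs.com, the CA file path and the sample byte strings in the block are assumptions. The ldap://localhost/ in the trace above is libldap reporting its built-in default URI while it reads ldap.conf (URI is commented out there), not the DC Samba contacts.

```python
"""LDAP StartTLS probe (added example, not from the original post or Samba).

Sends the StartTLS ExtendedRequest to a DC, checks the ExtendedResponse and
then verifies the DC certificate against a CA file, as libldap does with
TLS_CACERT.  Standard library only.  Host name, CA file path and the sample
messages are assumptions/constructed data.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """BER INTEGER for n >= 0; the extra byte keeps the sign bit clear (e.g. 128 -> 00 80)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def starttls_request(msg_id=1):
    """Client side: LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, ber_int(msg_id) + ext_req)


def extended_response(msg_id, result_code, diagnostic=b""):
    """Server side: LDAPMessage { messageID, extendedResp [APPLICATION 24] {
    resultCode ENUMERATED, matchedDN OCTET STRING, diagnosticMessage OCTET STRING } }.
    result_code must fit one byte (all defined LDAP result codes do)."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    return tlv(0x30, ber_int(msg_id) + tlv(0x78, body))


def read_tlv(buf, pos):
    """Read one BER element at pos; returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (msg_id, resultCode, diagnosticMessage); resultCode 0 means 'start the handshake'."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse [APPLICATION 24], got 0x%02x" % tag)
    _, code, pos = read_tlv(body, 0)        # resultCode
    _, _matched, pos = read_tlv(body, pos)  # matchedDN, not needed here
    _, diag, _ = read_tlv(body, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


# Constructed sample: the success reply a DC sends (messageID 1, resultCode 0, empty DN and message).
SAMPLE_SUCCESS = extended_response(1, 0)


def probe_starttls(host, cafile, port=389, timeout=5.0):
    """Do the StartTLS exchange against host, then verify its certificate with cafile (PEM).

    Like libldap with TLS_CACERT: the chain must end in a CA from cafile and the
    certificate must name host, so pass the DC's DNS name, not an IP address.
    Returns the verified peer certificate's subject.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # hostname check is on by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        # The reply is a few dozen bytes, so one recv is enough for a probe.
        _msg_id, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d diagnostic=%r" % (code, diag))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Example invocation (names assumed): python3 starttls_probe.py dc1.cifs.com /etc/ssl/certs/client.crt
    if len(sys.argv) != 3:
        sys.exit("usage: starttls_probe.py <dc-fqdn> <ca-file.pem>")
    print("sample decode:", parse_extended_response(SAMPLE_SUCCESS))
    print("verified DC subject:", probe_starttls(sys.argv[1], sys.argv[2]))
```

The probe separates three failures that the single "Connect error" merges: a resultCode other than 0 means the DC refused StartTLS (the DC-side setup from step 1 is not complete); an ssl.SSLCertVerificationError means the file in TLS_CACERT does not contain the CA that issued the DC's certificate, or the DC's certificate does not carry the name you connected with; a socket error means port 389 is not reachable. Python's ssl, like OpenLDAP, needs the CA file in PEM: if openssl x509 -in client.crt -noout -subject cannot load the file certutil produced, it is DER, and openssl x509 -inform DER -in client.crt -out ca.pem converts it; point TLS_CACERT at the PEM copy.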