[Samba] samba net ads join windows active directory with ldap ssl

Arjit Gupta arjitk.gupta at gmail.com
Mon Dec 4 09:40:23 UTC 2017


Hi,

I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want to
join the ADS domain with the net ads join command.

I am getting the error below:
net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error

I have done the steps below:

1. Configure secure LDAP SSL on Active Directory. YouTube link
<https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
2. Obtain client certificate.
     certutil -ca.cert client.crt
3. Copy client certificate to linux machine.
4. Run the net ads join -U Administrator command.


*My ldap.conf*
cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/client.crt

*My smb.conf*

[global]
ldap debug level = 1
ldap ssl = start tls
ldap ssl ads = yes
workgroup = CIFS
security = ads
realm = cifs.com
netbios name = ubuntu
encrypt passwords = yes
log file = /var/opt/samba/log.%m
debug level =0
max log size = 1000
syslog = 0
panic action = /var/opt/samba/panic-action %d
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
[homes]
   comment = Home Directories
   path = /home/%U
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no

*NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
Active Directory domain.

Arjit Kumar
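The StartTLS step that fails in the post, reproduced by hand as an added example (this is not code from the post or from Samba): it sends the LDAP StartTLS extended operation on port 389 and then completes a TLS handshake validated against the file given as TLS_CACERT, so a "Connect error" can be separated into an LDAP-layer refusal, a TCP failure, or a certificate that the configured CA file does not chain to. The host name, port, CA path and the constructed sample responses are assumptions.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS requestName, RFC 4511 section 4.14

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }; msg_id < 128 assumed."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(name)) + name
    mid = b"\x02\x01" + bytes([msg_id])
    return b"\x30" + ber_len(len(mid) + len(ext_req)) + mid + ext_req

def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_starttls_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse."""
    tag, msg, _ = _tlv(data, 0)
    _, mid, pos = _tlv(msg, 0)
    rtag, resp, _ = _tlv(msg, pos)
    if tag != 0x30 or rtag != 0x78:  # LDAPMessage / ExtendedResponse [APPLICATION 24]
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _tlv(resp, 0)      # resultCode ENUMERATED (0 = success)
    _, _, pos = _tlv(resp, pos)       # matchedDN (ignored)
    _, diag, _ = _tlv(resp, pos)      # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls_and_verify(host: str, port: int = 389, cafile: str = "/etc/ssl/certs/ca.crt"):
    """Issue StartTLS, then complete a TLS handshake checked against cafile; returns the
    DC certificate subject. host, port and cafile are placeholders (assumptions)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request())
        _, code, diag = parse_starttls_response(raw.recv(4096))  # single short reply assumed
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```

A RuntimeError means the DC answered on 389 but declined StartTLS; an ssl.SSLError from the handshake means the certificate in cafile is not the CA that issued the DC certificate, which is the check the TLS_CACERT line in ldap.conf drives.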

