[Samba] samba net ads join windows active directory with ldap ssl
arjitk.gupta at gmail.com
Tue Dec 5 06:48:50 UTC 2017
On checking it further, I observe the message below from the net ads command.
LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate (
Failed to issue the StartTLS instruction: Connect error
I am able to fetch data successfully from ldapsearch command.
It seems Samba is connecting to LDAP by IP, but in the client certificate
the domain name is mentioned.
Please suggest how I should modify my smb.conf.
On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
> Please help me identify what additional steps need to be done.
> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>> I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want
>> to join the ADS domain with the net ads join command.
>> I am getting the error below:
>> net ads join -U Administrator
>> ldap_init: trying /etc/ldap/ldap.conf
>> ldap_init: using /etc/ldap/ldap.conf
>> ldap_init: HOME env is /root
>> ldap_init: trying /root/ldaprc
>> ldap_init: trying /root/.ldaprc
>> ldap_init: trying ldaprc
>> ldap_init: LDAPCONF env is NULL
>> ldap_init: LDAPRC env is NULL
>> Enter Administrator's password:
>> Failed to issue the StartTLS instruction: Connect error
>> Failed to join domain: failed to connect to AD: Connect error
>> I have done the steps below:
>> 1. Configure secure LDAP SSL on Active Directory. YouTube link
>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>> 2. Obtain the client certificate.
>> certutil -ca.cert client.crt
>> 3. Copy the client certificate to the Linux machine.
>> 4. Run the net ads join -U Administrator command.
>> *My ldap.conf*
>> cat /etc/ldap/ldap.conf
>> # LDAP Defaults
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>> #BASE dc=example,dc=com
>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>> # TLS certificates (needed for GnuTLS)
>> TLS_CACERT /etc/ssl/certs/client.crt
>> *My smb.conf*
>> ldap debug level = 1
>> ldap ssl = start tls
>> ldap ssl ads = yes
>> workgroup = CIFS
>> security = ads
>> realm = cifs.com
>> netbios name = ubuntu
>> encrypt passwords = yes
>> log file = /var/opt/samba/log.%m
>> debug level =0
>> max log size = 1000
>> syslog = 0
>> panic action = /var/opt/samba/panic-action %d
>> preserve case = yes
>> short preserve case = yes
>> dos filetime resolution = yes
>> read only = no
>> socket options = TCP_NODELAY
>> domain master = auto
>> local master = yes
>> preferred master = auto
>> domain logons = no
>> comment = Home Directories
>> path = /home/%U
>> browseable = no
>> writable = no
>> create mask = 0700
>> directory mask = 0700
>> comment = Temporary file space
>> path = /tmp
>> read only = no
>> *NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
>> Active Directory domain.
>> Arjit Kumar
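A check for the hostname mismatch reported in this thread, added here as an example and not part of the original posts: it mimics the hostname verification a TLS client applies to the DC's certificate, so you can see whether the name Samba connects with (an IP, per the log line) can ever satisfy a certificate whose subject carries only the domain name. The sample certificate, the name dc1.cifs.com and the address 192.0.2.10 are constructed; fetch_peer_cert() is an assumed helper that pulls a live certificate into the same shape and needs network access.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: a DC
# certificate whose CN and SAN name only the host's DNS name, not its IP.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.cifs.com"),),),
    "subjectAltName": (("DNS", "dc1.cifs.com"),),
}

def cert_names(cert):
    """Return (dNSName SANs, IP SANs, commonNames) from a getpeercert() dict."""
    dns = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    ips = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def _dns_match(pattern, host):
    """Match one dNSName (a single leading wildcard label allowed) to a host."""
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and all(
        (pl == "*" and i == 0) or pl == hl for i, (pl, hl) in enumerate(zip(p, h)))

def hostname_matches(cert, target):
    """Simplified RFC 6125 check: an IP target is compared only against
    'IP Address' SANs; a DNS target against dNSName SANs, falling back to
    the CN only when the certificate carries no dNSName SAN at all."""
    dns, ips, cns = cert_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(i) for i in ips)
    host = target.lower().rstrip(".")
    return any(_dns_match(d, host) for d in (dns or [c.lower() for c in cns]))

def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch a DC's LDAPS certificate (chain verified, name check disabled)
    so it can be tested with hostname_matches(). Needs the network."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

A bare IP address passes this check only when the certificate carries a matching IP Address SAN; a certificate naming only the DC's DNS name is satisfied only when the client connects by that name.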