[Samba] samba net ads join windows active directory with ldap ssl

Arjit Gupta arjitk.gupta at gmail.com
Tue Dec 5 06:48:50 UTC 2017


Hi,

On checking it further, I observe the below message from the net ads command.

[LDAP] TLS: hostname (X.X.X.X) does not match common name in certificate (win.cifs.com).
[LDAP] ldap_err2string
Failed to issue the StartTLS instruction: Connect error

I am able to fetch data successfully with the ldapsearch command.

It seems Samba is connecting to LDAP with the IP, but in the client certificate
the domain name is mentioned.
Please suggest how I should modify my smb.conf.


Arjit Kumar
9650104435

On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:

> Hi,
>
> Please help me identify what additionally needs to be done.
>
> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>
>> Hi,
>>
>> I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want
>> to join the ADS domain with the net ads join command.
>>
>> I am getting the below error:
>> net ads join -U Administrator
>> ldap_url_parse_ext(ldap://localhost/)
>> ldap_init: trying /etc/ldap/ldap.conf
>> ldap_init: using /etc/ldap/ldap.conf
>> ldap_init: HOME env is /root
>> ldap_init: trying /root/ldaprc
>> ldap_init: trying /root/.ldaprc
>> ldap_init: trying ldaprc
>> ldap_init: LDAPCONF env is NULL
>> ldap_init: LDAPRC env is NULL
>> Enter Administrator's password:
>> Failed to issue the StartTLS instruction: Connect error
>> Failed to join domain: failed to connect to AD: Connect error
>>
>> I have done the below steps:
>>
>> 1. Configure secure LDAP SSL on Active Directory. YouTube link
>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>> 2. Obtain the client certificate.
>>      certutil -ca.cert client.crt
>> 3. Copy the client certificate to the Linux machine.
>> 4. Run the net ads join -U Administrator command.
>>
>>
>> My ldap.conf
>> cat /etc/ldap/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE   dc=example,dc=com
>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> # TLS certificates (needed for GnuTLS)
>> TLS_CACERT      /etc/ssl/certs/client.crt
>>
>> My smb.conf
>>
>> [global]
>> ldap debug level = 1
>> ldap ssl = start tls
>> ldap ssl ads = yes
>> workgroup = CIFS
>> security = ads
>> realm = cifs.com
>> netbios name = ubuntu
>> encrypt passwords = yes
>> log file = /var/opt/samba/log.%m
>> debug level =0
>> max log size = 1000
>> syslog = 0
>> panic action = /var/opt/samba/panic-action %d
>> preserve case = yes
>> short preserve case = yes
>> dos filetime resolution = yes
>> read only = no
>> socket options = TCP_NODELAY
>> domain master = auto
>> local master = yes
>> preferred master = auto
>> domain logons = no
>> [homes]
>>    comment = Home Directories
>>    path = /home/%U
>>    browseable = no
>>    writable = no
>>    create mask = 0700
>>    directory mask = 0700
>> [tmp]
>>    comment = Temporary file space
>>    path = /tmp
>>    read only = no
>>
>> NOTE: before enabling ldap ssl and ldap ssl ads I was able to join the
>> Active Directory domain.
>>
>> Arjit Kumar
>>
>>
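The failing check in the log line above is the TLS hostname check in the OpenLDAP client library that Samba links against: the client compares the name it was told to connect to (here the DC's IP address) against the names in the server certificate, and the certificate only carries CN=win.cifs.com. Two points worth knowing when reading the thread: `certutil -ca.cert` exports the CA certificate, so the file called client.crt is in fact the issuer certificate and is the right thing to put in TLS_CACERT; and setting `TLS_REQCERT allow` or `never` in ldap.conf would make the error disappear, but only by switching off server authentication, which defeats the purpose of enabling LDAP over TLS. The durable fix is a DC certificate whose subjectAltName lists the names the client actually uses, including the IP address if the client connects by IP. The script below is an added demonstration of that failure mode and its fix using only OpenSSL; it is not code from the thread or from Samba. It builds a throwaway CA (standing in for the AD CS root), issues one DC certificate with just the CN and one with a DNS and IP SAN, and runs OpenSSL's own hostname and IP verification against both. The IP 192.0.2.10 is a constructed placeholder for the X.X.X.X in the error, and the CA name is made up.

```shell
#!/bin/sh
# Constructed demonstration (not from the thread or from Samba): a DC certificate
# whose only name is CN=win.cifs.com fails verification when the client names the
# server by IP; adding the IP as a subjectAltName makes the same check pass.
# Requires OpenSSL 1.0.2 or later. The CA name and the IP below are assumptions.
set -eu

DC_NAME="win.cifs.com"     # DC hostname, taken from the error message in the thread
DC_IP="192.0.2.10"         # stand-in for the X.X.X.X in the error (RFC 5737 range)

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuing CA; stands in for the AD CS root exported with "certutil -ca.cert".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cifs-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert LABEL [SAN]: sign a DC certificate with CN=$DC_NAME and an optional
# subjectAltName value such as "DNS:win.cifs.com,IP:192.0.2.10". Prints the path.
issue_cert() {
    label=$1
    san=${2:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DC_NAME" \
        -keyout "$WORK/$label.key" -out "$WORK/$label.csr" 2>/dev/null
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/$label.ext"
        set -- -extfile "$WORK/$label.ext"
    else
        set --
    fi
    openssl x509 -req -days 1 -in "$WORK/$label.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$label.crt" "$@" 2>/dev/null
    printf '%s\n' "$WORK/$label.crt"
}

# verify_as_dns CERT NAME: does CERT chain to the CA and match NAME as a hostname?
# OpenSSL falls back to the CN only when the certificate has no SAN at all.
verify_as_dns() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# verify_as_ip CERT IP: same chain check, but IP must appear as an iPAddress SAN;
# the CN is never consulted for IP matches, which is the poster's failure mode.
verify_as_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1
}

CN_ONLY=$(issue_cert cn-only)
WITH_SAN=$(issue_cert with-san "DNS:$DC_NAME,IP:$DC_IP")

# report DESCRIPTION CMD...: print the outcome without aborting under set -e
report() {
    desc=$1
    shift
    if "$@"; then echo "OK    $desc"; else echo "FAIL  $desc"; fi
}

report "CN-only cert, client connects by name $DC_NAME" verify_as_dns "$CN_ONLY" "$DC_NAME"
report "CN-only cert, client connects by IP $DC_IP (the thread's error)" verify_as_ip "$CN_ONLY" "$DC_IP"
report "cert with DNS+IP SAN, client connects by IP $DC_IP" verify_as_ip "$WITH_SAN" "$DC_IP"
report "cert with DNS+IP SAN, client connects by name $DC_NAME" verify_as_dns "$WITH_SAN" "$DC_NAME"
```

The second line of output is the situation in the thread: the chain is fine (the CA certificate in TLS_CACERT is correct), but no name in the certificate matches the address the client used. The same check can be run against the real DC with `openssl s_client -connect <dc>:636 -showcerts` to read the SAN the DC actually presents before reissuing its certificate; the template used on the AD CS side needs the DC's IP (and any alias the client resolves) added to the subjectAltName for the check to pass when the client connects by IP.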