[Samba] samba net ads join windows active directory with ldap ssl
arjitk.gupta at gmail.com
Thu Dec 7 04:48:26 UTC 2017
Anyone have any suggestion how to make this work?
This issue is reported in Ubuntu bug 1576799,
but the solution suggested there, replacing ldap ssl ads = Yes with ldap server
require strong auth = Yes, leaves the communication in plain format.
On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
> On checking it further.
> I observe below message from net ads command.
> [LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate
> [LDAP] ldap_err2string
> Failed to issue the StartTLS instruction: Connect error
> I am able to fetch data successfully from ldapsearch command.
> It seems samba is connecting to ldap with IP but in client certificate
> domain name is mentioned.
> Please suggest how I should modify my smb.conf.
> Arjit Kumar
> On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com>
>> Please help me identify what additional is to be done.
>> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>>> I have enabled ldap ssl on Windows 2008 server active directory and want
>>> to join ads domain with net ads join command.
>>> I am getting below error:-
>>> net ads join -U Administrator
>>> ldap_init: trying /etc/ldap/ldap.conf
>>> ldap_init: using /etc/ldap/ldap.conf
>>> ldap_init: HOME env is /root
>>> ldap_init: trying /root/ldaprc
>>> ldap_init: trying /root/.ldaprc
>>> ldap_init: trying ldaprc
>>> ldap_init: LDAPCONF env is NULL
>>> ldap_init: LDAPRC env is NULL
>>> Enter Administrator's password:
>>> Failed to issue the StartTLS instruction: Connect error
>>> Failed to join domain: failed to connect to AD: Connect error
>>> I have done below steps:-
>>> 1. Configure secure ldap ssl on Active directory. YouTube link
>>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>>> 2. Obtain client certificate.
>>> certutil -ca.cert client.crt
>>> 3. Copy client certificate to linux machine.
>>> 4. run net ads join -U Administrator command
>>> *My ldap.conf*
>>> cat /etc/ldap/ldap.conf
>>> # LDAP Defaults
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>> #BASE dc=example,dc=com
>>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>> # TLS certificates (needed for GnuTLS)
>>> TLS_CACERT /etc/ssl/certs/client.crt
>>> *My smb.conf*
>>> ldap debug level = 1
>>> ldap ssl = start tls
>>> ldap ssl ads = yes
>>> workgroup = CIFS
>>> security = ads
>>> realm = cifs.com
>>> netbios name = ubuntu
>>> encrypt passwords = yes
>>> log file = /var/opt/samba/log.%m
>>> debug level =0
>>> max log size = 1000
>>> syslog = 0
>>> panic action = /var/opt/samba/panic-action %d
>>> preserve case = yes
>>> short preserve case = yes
>>> dos filetime resolution = yes
>>> read only = no
>>> socket options = TCP_NODELAY
>>> domain master = auto
>>> local master = yes
>>> preferred master = auto
>>> domain logons = no
>>> comment = Home Directories
>>> path = /home/%U
>>> browseable = no
>>> writable = no
>>> create mask = 0700
>>> directory mask = 0700
>>> comment = Temporary file space
>>> path = /tmp
>>> read only = no
>>> *NOTE:-* before enabling ldap ssl and ldap ssl ads I was able to join
>>> the active directory domain.
>>> Arjit Kumar
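An added example, not part of this thread and not Samba's own code, for diagnosing the `[LDAP] TLS: hostname ... does not match` failure without dropping `ldap ssl ads` back to plaintext: it sends the LDAP StartTLS extended request by hand, then verifies the DC certificate against the CA file with hostname checking on, which is exactly what `ldap ssl ads = yes` needs to succeed. `name_matches` is a hypothetical helper that shows why an IP literal never satisfies a certificate issued to the DC's DNS name; the DC name and CA path you pass to `check_dc` are assumptions, not values from the thread.

```python
"""Probe an AD DC's LDAP StartTLS endpoint with full certificate verification.
Added example (not Samba code); host/cafile arguments are assumptions."""
import ipaddress
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def start_tls_request(msg_id: int = 1) -> bytes:
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS}}."""
    name = bytes([0x80, len(START_TLS_OID)]) + START_TLS_OID   # requestName [0] IMPLICIT
    ext = bytes([0x77, len(name)]) + name                       # [APPLICATION 23] ExtendedRequest
    mid = bytes([0x02, 0x01, msg_id])                           # INTEGER messageID
    return bytes([0x30, len(mid) + len(ext)]) + mid + ext       # outer SEQUENCE


def result_code(reply: bytes) -> int:
    """Extract resultCode from an ExtendedResponse; assumes short-form BER lengths."""
    if reply[0] != 0x30 or reply[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    off = 4 + reply[3]                                          # skip the messageID INTEGER
    if reply[off] != 0x78 or reply[off + 2] != 0x0A:            # [APPLICATION 24], ENUMERATED
        raise ValueError("not an ExtendedResponse")
    return reply[off + 4]


def name_matches(host: str, dns_sans, ip_sans) -> bool:
    """RFC 6125-style identity check: an IP literal only matches an iPAddress SAN,
    a DNS name only a dNSName SAN (exact or single-label wildcard); CN is ignored."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower().rstrip(".")
        for n in (s.lower().rstrip(".") for s in dns_sans):
            if n == h or (n.startswith("*.") and "." in h and h.split(".", 1)[1] == n[2:]):
                return True
        return False
    return any(ip == ipaddress.ip_address(s) for s in ip_sans)


def check_dc(host: str, cafile: str, port: int = 389, timeout: float = 5.0) -> dict:
    """StartTLS to the DC, verify the chain against cafile and the identity against host."""
    ctx = ssl.create_default_context(cafile=cafile)             # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(start_tls_request())
        code = result_code(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"{host} refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # raises on name mismatch
            cert = tls.getpeercert()
    sans = cert.get("subjectAltName", ())
    return {"dns": [v for k, v in sans if k == "DNS"],
            "ip": [v for k, v in sans if k == "IP Address"],
            "subject": dict(x[0] for x in cert.get("subject", ()))}
```

Run `check_dc("<dc-fqdn>", "/etc/ssl/certs/client.crt")` with the DC's DNS name: if it succeeds by name but fails by IP, the certificate is fine and the join must reach the DC by a name the certificate covers (or the certificate needs an iPAddress SAN), not by switching the LDAP session back to plaintext.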