[Samba] samba net ads join windows active directory with ldap ssl

Arjit Gupta arjitk.gupta at gmail.com
Thu Dec 7 04:48:26 UTC 2017


Hi,

Does anyone have any suggestion on how to make this work?
This issue was reported earlier in Ubuntu bug 1576799
<https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all>.
But the suggested solution of replacing "ldap ssl ads = Yes" with "ldap server
require strong auth = Yes" leaves the communication in plain format.

Arjit Kumar
9650104435

On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:

> Hi,
>
> On checking it further, I observe the below message from the net ads command:
>
> [LDAP] TLS: hostname (X.X.X.X) does not match common name in certificate
> (win.cifs.com).
> [LDAP] ldap_err2string
> Failed to issue the StartTLS instruction: Connect error
>
> I am able to fetch data successfully with the ldapsearch command.
>
> It seems Samba is connecting to LDAP using the IP address, but the client
> certificate carries the domain name.
> Please suggest how I should modify my smb.conf.
>
>
> Arjit Kumar
> 9650104435
>
> On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com>
> wrote:
>
>> Hi,
>>
>> Please help me identify what additionally needs to be done.
>>
>> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want
>>> to join the ADS domain with the net ads join command.
>>>
>>> I am getting the below error:
>>> net ads join -U Administrator
>>> ldap_url_parse_ext(ldap://localhost/)
>>> ldap_init: trying /etc/ldap/ldap.conf
>>> ldap_init: using /etc/ldap/ldap.conf
>>> ldap_init: HOME env is /root
>>> ldap_init: trying /root/ldaprc
>>> ldap_init: trying /root/.ldaprc
>>> ldap_init: trying ldaprc
>>> ldap_init: LDAPCONF env is NULL
>>> ldap_init: LDAPRC env is NULL
>>> Enter Administrator's password:
>>> Failed to issue the StartTLS instruction: Connect error
>>> Failed to join domain: failed to connect to AD: Connect error
>>>
>>> I have done the below steps:
>>>
>>> 1. Configure secure LDAP SSL on Active Directory. YouTube link
>>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>>> 2. Obtain the client certificate:
>>>      certutil -ca.cert client.crt
>>> 3. Copy the client certificate to the Linux machine.
>>> 4. Run the net ads join -U Administrator command.
>>>
>>>
>>> My ldap.conf
>>> cat /etc/ldap/ldap.conf
>>> #
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> #BASE   dc=example,dc=com
>>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>>>
>>> #SIZELIMIT      12
>>> #TIMELIMIT      15
>>> #DEREF          never
>>>
>>> # TLS certificates (needed for GnuTLS)
>>> TLS_CACERT      /etc/ssl/certs/client.crt
>>>
>>> My smb.conf
>>>
>>> [global]
>>> ldap debug level = 1
>>> ldap ssl = start tls
>>> ldap ssl ads = yes
>>> workgroup = CIFS
>>> security = ads
>>> realm = cifs.com
>>> netbios name = ubuntu
>>> encrypt passwords = yes
>>> log file = /var/opt/samba/log.%m
>>> debug level =0
>>> max log size = 1000
>>> syslog = 0
>>> panic action = /var/opt/samba/panic-action %d
>>> preserve case = yes
>>> short preserve case = yes
>>> dos filetime resolution = yes
>>> read only = no
>>> socket options = TCP_NODELAY
>>> domain master = auto
>>> local master = yes
>>> preferred master = auto
>>> domain logons = no
>>> [homes]
>>>    comment = Home Directories
>>>    path = /home/%U
>>>    browseable = no
>>>    writable = no
>>>    create mask = 0700
>>>    directory mask = 0700
>>> [tmp]
>>>    comment = Temporary file space
>>>    path = /tmp
>>>    read only = no
>>>
>>> NOTE: before enabling ldap ssl and ldap ssl ads I was able to join the
>>> Active Directory domain.
>>>
>>> Arjit Kumar
>>>
>>>
>
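As an added illustration that is not part of the thread: a small Python model of the TLS hostname check behind the "does not match common name" error quoted above, following the RFC 2818/6125 rules that an IP literal matches only an iPAddress SAN entry and that the CN is consulted only when the certificate has no subjectAltName. The certificate names are constructed from the thread (CN win.cifs.com, no SAN); the target address 192.0.2.10 is a placeholder for the X.X.X.X in the log.

```python
import ipaddress
# Constructed stand-in for the certificate names seen in the thread: the DC's
# certificate carries only a Common Name of win.cifs.com and no subjectAltName.
DC_CERT = {"cn": "win.cifs.com", "dns_names": [], "ip_names": []}

def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, at most one '*',
    only in the left-most label, and never spanning more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard needs at least two fixed labels after it (no "*.com").
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first.count("*") != 1 or rest != h_labels[1:]:
        return False
    prefix, suffix = first.split("*")
    head = h_labels[0]
    return (len(head) >= len(prefix) + len(suffix)
            and head.startswith(prefix) and head.endswith(suffix))

def check_hostname(target: str, cert: dict) -> tuple[bool, str]:
    """Return (ok, reason) for connecting to `target` against `cert`'s names."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 2818: an IP literal is matched only against iPAddress SAN entries.
        for entry in cert["ip_names"]:
            if ipaddress.ip_address(entry) == ip:
                return True, f"iPAddress SAN {entry} matches {target}"
        return False, (f"hostname ({target}) does not match common name in "
                       f"certificate ({cert['cn']}): IP literals never match a CN")
    if cert["dns_names"]:
        # When a SAN is present the CN is ignored entirely.
        for name in cert["dns_names"]:
            if dns_match(name, target):
                return True, f"dNSName SAN {name} matches {target}"
        return False, f"no dNSName SAN matches {target} (CN ignored when SAN present)"
    if cert["cn"] and dns_match(cert["cn"], target):
        return True, f"CN {cert['cn']} matches {target} (legacy fallback, no SAN)"
    return False, f"CN {cert['cn']} does not match {target}"

if __name__ == "__main__":
    for target in ("192.0.2.10", "win.cifs.com"):
        print(target, check_hostname(target, DC_CERT))
```

Both outcomes keep certificate verification switched on: the check passes when the client reaches the DC by the DNS name the certificate was issued for, or when the DC certificate carries SAN entries covering the address actually used.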

