[Samba] samba net ads join windows/ubuntu active directory with ldap ssl

Arjit Gupta arjitk.gupta at gmail.com
Mon Dec 11 12:31:35 UTC 2017


Hi,

I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf

#TLS_REQCERT     HARD
TLS_REQCERT     ALLOW
TLS_CACERT      /etc/ssl/certs/msadmaster.pem

After the above changes net ads is successful with SSL/TLS.
I have verified at the Windows AD DC end that TLS is being used for
communication with the help of Wireshark.
Though I am not sure what the impact of changing TLS_REQCERT to ALLOW from
HARD is if certificates are being used.

Now I have configured Ubuntu as AD DC and am trying to join another Ubuntu
machine as member server, but I am getting the error below.

[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are
required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er)
authentication required

On checking further I realized that ldap server require strong auth = yes
allows simple bind over TLS but SASL is being used.
I am not sure how to specify which LDAP bind is to be used.

I have been stuck on this for a week now and will be thankful for any help.
Please let me know if any further information is required.

Arjit Kumar
9650104435

On Thu, Dec 7, 2017 at 10:18 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:

> Hi,
>
> Anyone have any suggestion how to make this work?
> This issue was reported earlier in Ubuntu bug 1576799
> <https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all>,
> but the solution suggested of replacing ldap ssl ads = Yes with ldap server
> require strong auth = Yes leaves communication in plain format.
>
> Arjit Kumar
> 9650104435
>
> On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com>
> wrote:
>
>> Hi,
>>
>> On checking it further, I observe the message below from the net ads command.
>>
>> LDAP] TLS: hostname (*X.X.X.X*) does not match common name in
>> certificate (win.cifs.com).
>> [LDAP] ldap_err2string
>> Failed to issue the StartTLS instruction: Connect error
>>
>> I am able to fetch data successfully from ldapsearch command.
>>
>> It seems Samba is connecting to LDAP with the IP, but in the client certificate
>> the domain name is mentioned.
>> Please suggest how I should modify my smb.conf.
>>
>>
>> Arjit Kumar
>> 9650104435
>>
>> On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Please help me identify what additionally needs to be done.
>>>
>>> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have enabled LDAP SSL on a Windows 2008 Server Active Directory and
>>>> want to join the ADS domain with the net ads join command.
>>>>
>>>> I am getting the error below:
>>>> net ads join -U Administrator
>>>> ldap_url_parse_ext(ldap://localhost/)
>>>> ldap_init: trying /etc/ldap/ldap.conf
>>>> ldap_init: using /etc/ldap/ldap.conf
>>>> ldap_init: HOME env is /root
>>>> ldap_init: trying /root/ldaprc
>>>> ldap_init: trying /root/.ldaprc
>>>> ldap_init: trying ldaprc
>>>> ldap_init: LDAPCONF env is NULL
>>>> ldap_init: LDAPRC env is NULL
>>>> Enter Administrator's password:
>>>> Failed to issue the StartTLS instruction: Connect error
>>>> Failed to join domain: failed to connect to AD: Connect error
>>>>
>>>> I have done the steps below:
>>>>
>>>> 1. Configure secure LDAP SSL on Active Directory. YouTube link
>>>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>>>> 2. Obtain client certificate.
>>>>      certutil -ca.cert client.crt
>>>> 3. Copy client certificate to the Linux machine.
>>>> 4. Run the net ads join -U Administrator command.
>>>>
>>>>
>>>> *My ldap.conf*
>>>> cat /etc/ldap/ldap.conf
>>>> #
>>>> # LDAP Defaults
>>>> #
>>>>
>>>> # See ldap.conf(5) for details
>>>> # This file should be world readable but not world writable.
>>>>
>>>> #BASE   dc=example,dc=com
>>>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>>>>
>>>> #SIZELIMIT      12
>>>> #TIMELIMIT      15
>>>> #DEREF          never
>>>>
>>>> # TLS certificates (needed for GnuTLS)
>>>> TLS_CACERT      /etc/ssl/certs/client.crt
>>>>
>>>> *My smb.conf*
>>>>
>>>> [global]
>>>> ldap debug level = 1
>>>> ldap ssl = start tls
>>>> ldap ssl ads = yes
>>>> workgroup = CIFS
>>>> security = ads
>>>> realm = cifs.com
>>>> netbios name = ubuntu
>>>> encrypt passwords = yes
>>>> log file = /var/opt/samba/log.%m
>>>> debug level =0
>>>> max log size = 1000
>>>> syslog = 0
>>>> panic action = /var/opt/samba/panic-action %d
>>>> preserve case = yes
>>>> short preserve case = yes
>>>> dos filetime resolution = yes
>>>> read only = no
>>>> socket options = TCP_NODELAY
>>>> domain master = auto
>>>> local master = yes
>>>> preferred master = auto
>>>> domain logons = no
>>>> [homes]
>>>>    comment = Home Directories
>>>>    path = /home/%U
>>>>    browseable = no
>>>>    writable = no
>>>>    create mask = 0700
>>>>    directory mask = 0700
>>>> [tmp]
>>>>    comment = Temporary file space
>>>>    path = /tmp
>>>>    read only = no
>>>>
>>>> *NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
>>>> active directory domain.
>>>>
>>>> Arjit Kumar
>>>>
>>>>
>>
>
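Added example, not code from this thread, from Samba or from OpenLDAP: a small Python checker that reads an ldap.conf like the one quoted at the top of the thread and reports what each TLS_REQCERT level means for server certificate verification (the ALLOW versus HARD question raised above), whether a trust anchor is configured, and whether the host the client connects to is a bare IP literal, which cannot match a certificate whose only name is a DNS common name (the "hostname does not match common name" message earlier in the thread). The sample configuration text is constructed to mirror the quoted one; the function names `parse_ldap_conf`, `audit_tls` and `host_is_ip_literal` are chosen here. The level semantics follow ldap.conf(5), whose default level is demand.

```python
"""Audit an OpenLDAP client ldap.conf for TLS settings that leave the
server certificate unverified. Constructed example; not Samba/OpenLDAP code."""
import ipaddress
import os

# Meaning of each TLS_REQCERT level, per ldap.conf(5).
REQCERT_LEVELS = {
    "never": "no certificate is requested; the server is not authenticated",
    "allow": "a certificate is requested, but a missing or bad one is ignored",
    "try": "a bad certificate aborts the session, but a missing one is accepted",
    "demand": "a certificate is required and must validate against the CA",
    "hard": "same as demand",
}
# Only these levels actually reject a certificate that fails validation.
VERIFYING_LEVELS = {"demand", "hard"}


def parse_ldap_conf(text):
    """Return {KEY: value} from ldap.conf text.

    Blank lines and lines starting with '#' are ignored, as ldap.conf(5)
    describes; keys are upper-cased because they are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def audit_tls(settings, cacert_exists=None):
    """Return a list of findings (strings); an empty list means the client
    will verify the server certificate. cacert_exists overrides the
    filesystem check for TLS_CACERT so the function can run offline."""
    findings = []
    level = settings.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if level not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT '{level}' is not a valid level")
    elif level not in VERIFYING_LEVELS:
        findings.append(f"TLS_REQCERT {level}: {REQCERT_LEVELS[level]}; "
                        "traffic is encrypted but the peer is not authenticated")
    cacert = settings.get("TLS_CACERT")
    cadir = settings.get("TLS_CACERTDIR")
    if not cacert and not cadir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR configured, "
                        "so there is no trust anchor to verify against")
    elif cacert:
        exists = os.path.isfile(cacert) if cacert_exists is None else cacert_exists
        if not exists:
            findings.append(f"TLS_CACERT {cacert} does not exist")
    return findings


def host_is_ip_literal(host):
    """True when the connection target is a bare IP address. A certificate
    whose only name is a DNS common name cannot match such a target, so the
    client should connect to the DC by its DNS name instead."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


# Constructed sample mirroring the ldap.conf quoted in the thread.
SAMPLE_ALLOW = """\
#TLS_REQCERT     HARD
TLS_REQCERT     ALLOW
TLS_CACERT      /etc/ssl/certs/msadmaster.pem
"""
SAMPLE_HARD = SAMPLE_ALLOW.replace("TLS_REQCERT     ALLOW", "TLS_REQCERT     HARD")

if __name__ == "__main__":
    for name, text in (("allow", SAMPLE_ALLOW), ("hard", SAMPLE_HARD)):
        print(name, audit_tls(parse_ldap_conf(text), cacert_exists=True))
    print("192.0.2.10 is IP literal:", host_is_ip_literal("192.0.2.10"))
    print("win.cifs.com is IP literal:", host_is_ip_literal("win.cifs.com"))
```

Run with `cacert_exists=None` against a real file to include the filesystem check; with ALLOW the checker reports that the session is encrypted but the peer is not authenticated, with HARD and a readable CA file it reports nothing.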

