[Samba] samba net ads join windows active directory with ldap ssl

Andreas Hasenack andreas at canonical.com
Thu Dec 14 13:14:18 UTC 2017


Related to https://bugzilla.samba.org/show_bug.cgi?id=13124

On Thu, Dec 7, 2017 at 2:48 AM, Arjit Gupta via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Anyone have any suggestions on how to make this work?
> This issue was reported earlier in Ubuntu bug 1576799
> <https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all>.
> But the suggested solution of replacing ldap ssl ads = Yes with ldap server
> require strong auth = Yes leaves communication in plain text.
>
> Arjit Kumar
> 9650104435
>
> On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com>
> wrote:
>
> > Hi,
> >
> > On checking it further, I observe the below message from the net ads command.
> >
> > [LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate
> > (win.cifs.com).
> > [LDAP] ldap_err2string
> > Failed to issue the StartTLS instruction: Connect error
> >
> > I am able to fetch data successfully from ldapsearch command.
> >
> > It seems Samba is connecting to LDAP by IP, but the domain name is what is
> > mentioned in the client certificate.
> > Please suggest how I should modify my smb.conf.
> >
> >
> > Arjit Kumar
> > 9650104435
> >
> > On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com>
> > wrote:
> >
> >> Hi,
> >>
> >> Please help me identify what additional steps need to be done.
> >>
> >> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> I have enabled LDAP SSL on Windows Server 2008 Active Directory and want
> >>> to join the ADS domain with the net ads join command.
> >>>
> >>> I am getting the below error:
> >>> net ads join -U Administrator
> >>> ldap_url_parse_ext(ldap://localhost/)
> >>> ldap_init: trying /etc/ldap/ldap.conf
> >>> ldap_init: using /etc/ldap/ldap.conf
> >>> ldap_init: HOME env is /root
> >>> ldap_init: trying /root/ldaprc
> >>> ldap_init: trying /root/.ldaprc
> >>> ldap_init: trying ldaprc
> >>> ldap_init: LDAPCONF env is NULL
> >>> ldap_init: LDAPRC env is NULL
> >>> Enter Administrator's password:
> >>> Failed to issue the StartTLS instruction: Connect error
> >>> Failed to join domain: failed to connect to AD: Connect error
> >>>
> >>> I have done the below steps:
> >>>
> >>> 1. Configure secure LDAP SSL on Active Directory, following the YouTube link
> >>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
> >>> 2. Obtain the client certificate:
> >>>      certutil -ca.cert client.crt
> >>> 3. Copy the client certificate to the Linux machine.
> >>> 4. Run the net ads join -U Administrator command.
> >>>
> >>>
> >>> *My ldap.conf*
> >>> cat /etc/ldap/ldap.conf
> >>> #
> >>> # LDAP Defaults
> >>> #
> >>>
> >>> # See ldap.conf(5) for details
> >>> # This file should be world readable but not world writable.
> >>>
> >>> #BASE   dc=example,dc=com
> >>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
> >>>
> >>> #SIZELIMIT      12
> >>> #TIMELIMIT      15
> >>> #DEREF          never
> >>>
> >>> # TLS certificates (needed for GnuTLS)
> >>> TLS_CACERT      /etc/ssl/certs/client.crt
> >>>
> >>> *My smb.conf*
> >>>
> >>> [global]
> >>> ldap debug level = 1
> >>> ldap ssl = start tls
> >>> ldap ssl ads = yes
> >>> workgroup = CIFS
> >>> security = ads
> >>> realm = cifs.com
> >>> netbios name = ubuntu
> >>> encrypt passwords = yes
> >>> log file = /var/opt/samba/log.%m
> >>> debug level =0
> >>> max log size = 1000
> >>> syslog = 0
> >>> panic action = /var/opt/samba/panic-action %d
> >>> preserve case = yes
> >>> short preserve case = yes
> >>> dos filetime resolution = yes
> >>> read only = no
> >>> socket options = TCP_NODELAY
> >>> domain master = auto
> >>> local master = yes
> >>> preferred master = auto
> >>> domain logons = no
> >>> [homes]
> >>>    comment = Home Directories
> >>>    path = /home/%U
> >>>    browseable = no
> >>>    writable = no
> >>>    create mask = 0700
> >>>    directory mask = 0700
> >>> [tmp]
> >>>    comment = Temporary file space
> >>>    path = /tmp
> >>>    read only = no
> >>>
> >>> *NOTE:* Before enabling ldap ssl and ldap ssl ads I was able to join the
> >>> Active Directory domain.
> >>>
> >>> Arjit Kumar
> >>>
> >>>
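The check behind the quoted "hostname (X.X.X.X) does not match common name in certificate (win.cifs.com)" message, as a small Python model of TLS peer-name verification. This is an example added here, not part of the thread, of Samba or of OpenLDAP; the certificate names and addresses it uses are constructed, and it goes beyond the single case in the thread by also handling iPAddress SANs and wildcard dNSNames.

```python
"""Model of the TLS peer-name check that fails in the thread above.

Constructed example, not Samba or OpenLDAP code; names and addresses are
made up.  Simplified RFC 6125 / RFC 5280 rules: an IP literal matches only an
iPAddress SAN, a DNS name matches a dNSName SAN (a wildcard covers exactly one
leftmost label), and the subject CN is consulted only when no dNSName SAN exists."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields of a server certificate: subject CN plus SANs."""
    common_name: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison with single-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, identical parent domain, non-empty leftmost label.
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def peer_name_matches(cert: CertNames, peer: str) -> tuple:
    """Return (ok, reason); `peer` is the FQDN or IP the client connected to."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP literal: only an iPAddress SAN can satisfy the check.
        if any(ipaddress.ip_address(s) == ip for s in cert.ip_sans):
            return True, f"IP {ip} present in iPAddress SAN"
        return False, (f"hostname ({peer}) does not match common name in "
                       f"certificate ({cert.common_name})")
    candidates = cert.dns_sans or [cert.common_name]  # CN only as fallback
    for name in candidates:
        if _dns_match(name, peer):
            return True, f"{peer} matches {name}"
    return False, f"hostname ({peer}) not in {candidates}"
```

Run against a certificate issued to win.cifs.com, a connection opened by IP fails exactly as in the thread, while the same connection opened by the FQDN (or a certificate carrying that IP as an iPAddress SAN) passes; the mitigation is to make the name match, not to switch verification off.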

