[Samba] LDAP problem

Rowland Penny rpenny at samba.org
Fri Feb 3 15:32:42 UTC 2017 

On Fri, 3 Feb 2017 14:27:36 +0000
Lukz Ferris via samba <samba at lists.samba.org> wrote:

> Hello Vinicius,
> 
> I did it and this was the answer:
> 
> ldapsearch -H "ldaps://devsamba.lucas.ufes.br:636" -w '*********' -D
> "cn=administrator,cn=users,dc=lucas,dc=ufes,dc=br" -x -b
> "dc=lucas,dc=ufes,dc=br" -d1
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636) ldap_create
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636/??base)
> ldap_sasl_bind ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 172.20.152.23:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect errno: 111
> ldap_close_socket: 3
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> 
> Can you extract any reason with that?
> 

You shouldn't use 'ldaps' and ':636', in fact you shouldn't use ':636'
at all.

OK, mini-howto coming up ;-)

The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf: tls certfile = tls/cert.pem
The reverse dns zone has been created and operational
The client is devclient.samdom.example.com

On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls

Now test with this command:

ldapsearch -D "Administrator at samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

Enter password when prompted
If it is working, you will get the users AD object.
  
Copy the AD Root certificate to the Linux box 

scp /usr/local/samba/private/tls/cert.pem root at devstation:/etc/ssl/certs/member1cert.pem

Configure the /etc/openldap/ldap.conf file as follows:

HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
TLS_REQCERT never

Test with the same command:

ldapsearch -D "Administrator at samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

You should get the same output as on the DC.

The above works for me.

Rowland

More information about the samba mailing list