[Samba] LDAP problem
Rowland Penny
rpenny at samba.org
Fri Feb 3 15:32:42 UTC 2017
On Fri, 3 Feb 2017 14:27:36 +0000
Lukz Ferris via samba <samba at lists.samba.org> wrote:
> Hello Vinicius,
>
> I did it and this was the answer:
>
> ldapsearch -H "ldaps://devsamba.lucas.ufes.br:636" -w '*********' -D
> "cn=administrator,cn=users,dc=lucas,dc=ufes,dc=br" -x -b
> "dc=lucas,dc=ufes,dc=br" -d1
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636)
> ldap_create
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 172.20.152.23:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect errno: 111
> ldap_close_socket: 3
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
> Can you extract any reason from that?
>
You shouldn't use 'ldaps' and ':636'; in fact, you shouldn't use ':636'
at all.
OK, mini-howto coming up ;-)
The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC's smb.conf: tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational
The client is devclient.samdom.example.com
On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
Add this line to smb.conf:
ldap server require strong auth = allow_sasl_over_tls
Now test with this command:
ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
Enter password when prompted
If it is working, you will get the user's AD object.
Copy the AD Root certificate to the Linux box
scp /usr/local/samba/private/tls/cert.pem root@devstation:/etc/ssl/certs/member1cert.pem
Configure the /etc/openldap/ldap.conf file as follows:
HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
TLS_REQCERT never
Test with the same command:
ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
You should get the same output as on the DC.
The above works for me.
Rowland
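Two small triage helpers for the procedure above, added here as an example (this is not Rowland's code and not part of Samba). The first reads an `ldapsearch -d1` trace like the one Lukz posted and says which layer failed: a `connect errno:` line means TCP never connected, so neither TLS nor the bind can be at fault yet (errno 111 is ECONNREFUSED on Linux, i.e. nothing listening at that address and port). The second reviews the client's /etc/openldap/ldap.conf and flags `TLS_REQCERT never`, the setting the howto uses on the client, next to `demand`, the setting it uses on the DC. Assumptions: Linux errno numbering, libldap's debug message strings, and constructed sample input (the trace from the thread, plus an invented TLS hostname-mismatch trace and ldap.conf files using the thread's paths).

```shell
#!/bin/sh
# Added example, not from the thread or from Samba.
#   diagnose_ldap_debug FILE  - classify an `ldapsearch -d1` trace
#   check_ldap_conf FILE      - review a client /etc/openldap/ldap.conf
# Assumes Linux errno values (111 ECONNREFUSED, 110 ETIMEDOUT,
# 113 EHOSTUNREACH, 101 ENETUNREACH) and libldap's -d1 message strings.

diagnose_ldap_debug() {
    trace="$1"
    # "connect errno:" means the TCP handshake failed: no TLS, no LDAP yet.
    errno=$(sed -n 's/^.*connect errno: \([0-9][0-9]*\).*$/\1/p' "$trace" | head -n 1)
    target=$(sed -n 's/^.*ldap_connect_to_host: Trying \([^ ]*\).*$/\1/p' "$trace" | head -n 1)
    target=${target:-the target}
    if [ -n "$errno" ]; then
        case "$errno" in
            111) echo "ECONNREFUSED from $target: nothing listens there (LDAPS not enabled on the DC, wrong port, or a REJECT firewall rule)" ;;
            110) echo "ETIMEDOUT to $target: SYN unanswered (DROP firewall rule, or host down)" ;;
            113) echo "EHOSTUNREACH to $target: no route (check the A record and routing)" ;;
            101) echo "ENETUNREACH to $target: no route to that network" ;;
            *)   echo "connect() to $target failed with errno $errno" ;;
        esac
        return 1
    fi
    # TCP worked; check the TLS layer using libldap's own messages.
    if grep -q 'TLS: hostname (.*) does not match' "$trace"; then
        echo "TLS hostname mismatch: -H must carry the FQDN in the DC certificate, not an IP or short name"
        return 2
    fi
    if grep -q 'TLS: peer cert untrusted or revoked' "$trace"; then
        echo "TLS trust failure: TLS_CACERT does not point at the CA that issued the DC certificate"
        return 3
    fi
    echo "no transport or TLS fault in the trace; look at the bind result and search base"
    return 0
}

check_ldap_conf() {
    conf="$1"
    status=0
    # ldap.conf keywords are case-insensitive; the last occurrence wins.
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$conf" | tail -n 1)
    cacert=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$conf" | tail -n 1)
    case "${reqcert:-unset}" in
        demand|hard) echo "TLS_REQCERT $reqcert: the DC certificate is verified" ;;
        never) echo "TLS_REQCERT never: the DC certificate is NOT verified; any host answering on 636 is accepted and receives the bind password"
               status=1 ;;
        allow|try) echo "TLS_REQCERT $reqcert: verification failures are tolerated"; status=1 ;;
        unset) echo "TLS_REQCERT not set: libldap defaults to demand" ;;
        *) echo "TLS_REQCERT $reqcert: unrecognised value"; status=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "TLS_CACERT not set: a self-signed DC certificate cannot be verified"; status=1
    elif [ ! -e "$cacert" ]; then
        echo "TLS_CACERT $cacert: file does not exist on this host"; status=1
    fi
    return $status
}

# Sample input: the trace posted in the thread (ECONNREFUSED case).
sample_trace() {
    cat <<'EOF'
ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636)
ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
ldap_connect_to_host: Trying 172.20.152.23:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
}

# Constructed (not observed) trace: TCP succeeds, TLS rejects the name.
sample_tls_mismatch_trace() {
    cat <<'EOF'
ldap_connect_to_host: Trying 172.20.152.23:636
connect success
TLS: hostname (172.20.152.23) does not match common name in certificate (devsamba.lucas.ufes.br).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
}

# sample_conf REQCERT [CACERT]: the client ldap.conf from the howto.
sample_conf() {
    printf 'HOST dc1.samdom.example.com\nTLS_CACERT %s\nTLS_REQCERT %s\n' \
        "${2:-/etc/ssl/certs/member1cert.pem}" "$1"
}

# Usage: sh ldap_triage.sh --demo   (runs both helpers on the samples)
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp); sample_trace >"$t"; diagnose_ldap_debug "$t"
    sample_conf never >"$t"; check_ldap_conf "$t"; rm -f "$t"
fi
```

Reading the posted trace this way makes the order of investigation explicit: errno 111 is answered on the DC with `ss -tlnp` (is anything bound to 636 on 172.20.152.23?) and on the path with the firewall, before touching certificates or the bind DN. The configuration check is the caveat worth carrying away from the howto: `ldaps://` with `TLS_REQCERT never` encrypts the session but does not authenticate the DC, so the Administrator password goes to whichever host answers on that port.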