[Samba] SSL Certificate
Rowland Penny
rpenny at samba.org
Sun Jan 15 14:09:31 UTC 2017
On Sun, 15 Jan 2017 12:04:07 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:
> On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
> > ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName -LLL -n -N -Z
> > ldap_start_tls: Connect error (-11)
> > additional info: (unknown error code)
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> > additional info: (unknown error code)
> >
> >
> > What would be wrong?
>
> You are trying to do two mutually-exclusive things at the same time.
>
> (1) An ldaps:// URL means that TLS is negotiated as soon as the TCP
> connection is established, before any LDAP operation takes place.
> This happens on port 636.
>
> (2) The -Z flag means "use the STARTTLS extension to the LDAP
> protocol to request TLS". You only ever use this on port 389. The
> normal LDAP connection is established, *then* the STARTTLS message is
> sent, *then* TLS is negotiated.
>
>
> The difference between ldaps (636) and ldap (389) is the same as the
> difference between https (443) and http (80).
>
> To check if your Samba is listening on port 636, use:
>
> netstat -natp | grep :636
>
> and look for LISTEN
>
> HTH,
>
> Brian.
>
>
OK, try this:
The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf: tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational.
The username is 'rowland'
This is all done on the DC.
Configure the /etc/openldap/ldap.conf file as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
Add this line to smb.conf:
ldap server require strong auth = allow_sasl_over_tls
Restart Samba.
Now test with this command:
ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
and/or this command:
ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldap://dc1.samdom.example.com -Z -W sAMAccountName=rowland
Rowland
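As an added illustration (not code from either post), the following shell helpers encode the two rules Brian states and the checks Rowland's recipe relies on: an ldaps:// URI means implicit TLS on 636, -Z means STARTTLS on a plain ldap:// session on 389, and combining the two is the conflict that produced Carlos's error. The host, base DN and ldap.conf lines are the thread's own; NETSTAT_SAMPLE and LDAP_CONF_SAMPLE are constructed inputs so the block runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers that classify an
# ldapsearch invocation's TLS mode, check the ldap.conf verification
# settings, confirm a 636 listener, and emit Rowland's test command.
# ldap_tls_mode URI [-Z] -> prints ldaps | starttls | plain | conflict
ldap_tls_mode() {
    case "${1%%://*}:${2:-}" in
        ldaps:)   echo ldaps ;;
        ldaps:-Z) echo conflict; return 1 ;;   # the combination Carlos used
        ldap:-Z)  echo starttls ;;
        ldap:)    echo plain ;;
        *)        echo unknown; return 2 ;;
    esac
}
# ldap_default_port URI -> explicit :port if given, else 636 (ldaps) or 389
ldap_default_port() {
    hostport=${1#*://}; hostport=${hostport%%/*}
    case "$hostport" in
        *:*) echo "${hostport##*:}" ;;
        *)   case "${1%%://*}" in ldaps) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}
# ldap_conf_ok < ldap.conf -> 0 only if a CA cert is set and TLS_REQCERT demand
ldap_conf_ok() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*TLS_CACERT[[:space:]]+[^[:space:]]' &&
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand'
}
# listening_on PORT < netstat/ss output -> 0 when a LISTEN socket is bound to PORT
listening_on() {
    grep -E "[:.]$1[[:space:]]" | grep -q LISTEN
}
# build_ldapsearch ldaps|starttls USER -> Rowland's test command for that mode
build_ldapsearch() {
    base='cn=Users,dc=samdom,dc=example,dc=com'
    case "$1" in
        ldaps)    uri=ldaps://dc1.samdom.example.com; z='' ;;
        starttls) uri=ldap://dc1.samdom.example.com;  z='-Z ' ;;
        *)        return 2 ;;
    esac
    echo "ldapsearch -D \"$2@samdom.example.com\" -b \"$base\" -H $uri ${z}-W sAMAccountName=$2"
}
# Constructed samples: a DC listening on 636 and 389, and Rowland's ldap.conf
NETSTAT_SAMPLE='tcp  0  0 0.0.0.0:636  0.0.0.0:*  LISTEN  1234/samba
tcp  0  0 0.0.0.0:389  0.0.0.0:*  LISTEN  1234/samba'
LDAP_CONF_SAMPLE='HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand'
```

On a live DC, pipe `netstat -natp` (or `ss -ltnp`) into `listening_on 636` and `/etc/openldap/ldap.conf` into `ldap_conf_ok` before running the emitted command.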