[Samba] LDAPS is not working

Rowland Penny rpenny at samba.org
Wed Aug 8 09:13:19 UTC 2018


On Wed, 8 Aug 2018 10:31:50 +0200
basti mueller via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> after successfully migrating my NT4 with OpenLDAP to a Samba4
> AD... I got a problem.
> 
> Like in the sambawiki tutorial
> (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC)
> I tried to configure LDAPS. I used the auto-configured certs. They
> are located in "/var/lib/samba/private/tls".
> 
> My smb.conf:
> # Global parameters
> [global]
>         netbios name = PDC
>         realm = COMPANY.COM
>         workgroup = COMPANY
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         template shell = /bin/bash
>         template homedir= /home/%U
>         dns forwarder = 8.8.8.8
>         min protocol = SMB2
>         tls enabled  = yes
>         tls keyfile  = /var/lib/samba/private/tls/key.pem
>         tls certfile = /var/lib/samba/private/tls/cert.pem
>         tls cafile   = /var/lib/samba/private/tls/ca.pem
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind cache time = 10
>         winbind use default domain = yes
>         logging = syslog@1 /var/log/samba/log.%m
> 
> I've tested it with the following command and got the following
> error...
> 
> root@server:/var/lib/samba/private/tls# ldbsearch -H ldaps://127.0.0.1 '(cn=admin)' objectClass -Uadmin
> TLS failed to missing crlfile  - with 'tls verify peer = as_strict_as_possible'
> Failed to connect to ldap URL 'ldaps://127.0.0.1' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to 'ldaps://127.0.0.1' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to ldaps://127.0.0.1 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> 
> How can I solve this error?
> Thanks!
> 

Sorry, but you cannot; it is disabled by default. Use Kerberos instead.

If you insist on using tls, you can get ldapsearch to work, but this
requires further configuration and isn't as secure as kerberos.

As a passing comment, if you are using the default Samba certs, you do
not need the tls lines in smb.conf, also 'winbind use default domain =
yes' does nothing on a DC.

Rowland
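The failure quoted above comes from the client side of Samba's own TLS stack: `tls verify peer` defaults to `as_strict_as_possible`, and that level refuses to connect unless a CRL (`tls crlfile`) is also configured. The following is an added example, not code from the thread or from the Samba project: a small lint that parses the `[global]` section of an smb.conf and reports the TLS settings a DC admin would want to check before blaming the certificates. The parameter names and the five `tls verify peer` levels are those documented in the smb.conf manual; the sample configuration is constructed to mirror the poster's, and the "default paths" it compares against assume the private directory is `/var/lib/samba/private`, as on the poster's system.

```python
import re

# Constructed sample, modelled on the smb.conf quoted in the thread
# (not the poster's actual file).
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        netbios name = PDC
        realm = COMPANY.COM
        workgroup = COMPANY
        server role = active directory domain controller
        tls enabled  = yes
        tls keyfile  = /var/lib/samba/private/tls/key.pem
        tls certfile = /var/lib/samba/private/tls/cert.pem
        tls cafile   = /var/lib/samba/private/tls/ca.pem
"""

# Values accepted by Samba's "tls verify peer" parameter, weakest first
# (from the smb.conf manual; as_strict_as_possible is the default).
VERIFY_PEER_LEVELS = [
    "no_check",
    "ca_only",
    "ca_and_name_if_available",
    "ca_and_name",
    "as_strict_as_possible",
]

# Assumption: Samba's private dir is /var/lib/samba/private, so these are
# the locations the auto-generated certificates already live in.
DEFAULT_TLS_FILES = {
    "tls keyfile": "/var/lib/samba/private/tls/key.pem",
    "tls certfile": "/var/lib/samba/private/tls/cert.pem",
    "tls cafile": "/var/lib/samba/private/tls/ca.pem",
}


def parse_global(text):
    """Return the key/value pairs of the [global] section.

    Keys are lower-cased and internal whitespace collapsed, so
    'tls keyfile  = x' and 'tls keyfile = x' are the same parameter.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_tls(params):
    """Return a list of findings about the LDAPS/TLS settings (empty = clean)."""
    findings = []
    # "tls enabled" defaults to yes; a missing key is treated as enabled.
    if params.get("tls enabled", "yes").lower() not in ("yes", "true", "1"):
        findings.append("tls enabled = no: the DC will not offer ldaps:// or STARTTLS")
        return findings

    level = params.get("tls verify peer", "as_strict_as_possible").lower()
    if level not in VERIFY_PEER_LEVELS:
        findings.append(f"unknown tls verify peer value {level!r}")
    elif level == "no_check":
        findings.append("tls verify peer = no_check: the server certificate is "
                        "never checked, so a spoofed DC would be accepted")
    elif level == "as_strict_as_possible" and "tls crlfile" not in params:
        findings.append("tls verify peer = as_strict_as_possible (the default) "
                        "but no tls crlfile is set: Samba's LDAP client refuses "
                        "the connection with 'missing crlfile'")

    # Lines that only restate the default certificate locations can go.
    redundant = [k for k, v in DEFAULT_TLS_FILES.items() if params.get(k) == v]
    if len(redundant) == len(DEFAULT_TLS_FILES):
        findings.append("tls keyfile/certfile/cafile only restate the default "
                        "paths and can be dropped")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_global(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run against the sample it reports two things: the strict default with no CRL (the exact condition behind the `missing crlfile` error) and the three redundant `tls *file` lines. Lowering `tls verify peer` to `ca_and_name` makes the first finding disappear, which is the "further configuration" that lets `ldbsearch` over `ldaps://` succeed, at the cost of no revocation checking; the lint is meant to make that trade-off visible rather than hide it.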


