[Samba] LDAP SSL
Praveen Ghimire
PGhimire at sundata.com.au
Thu Aug 9 02:07:40 UTC 2018
Hi,
I would really appreciate some suggestions re the following issue.
We have an LDAP-based PDC and a member server. We're using libnss_ldap to auth the users. The LDAP PDC is set up with self-signed SSL, and we're trying to make sure the member server connects to the PDC using SSL.
Here is the PDC smb.conf:
[global]
workgroup = SUNTECH
netbios name = SERVER01
security = USER
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
os level = 66
passdb backend = ldapsam:ldap://server01.suntech
ldap admin dn = cn=admin,dc=suntech
ldap suffix = dc=suntech
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://server01.suntech
idmap config *: ldap_base_dn = ou=idmap,dc=suntech
idmap config *: ldap_user_dn = cn=admin,dc=suntech
ldap delete dn = yes
ldap password sync = yes
ldap ssl = start tls
Here is the PDC ldap.conf:
BASE dc=suntech
URI ldap://server01.suntech
TLS_CACERT /etc/ldap/ca_certs.pem
#TLS_REQCERT demand
When running the ldapsearch from within the PDC we get the following
ldapwhoami -H ldap://server01.suntech -x -ZZ
anonymous
When running the full ldapsearch from within the PDC we get the following
ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'
# extended LDIF
#
# LDAPv3
# base <dc=suntech> with scope subtree
# filter: sambadomainname=*
# requesting: ALL
#
dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038
# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2
Now the member server's smb.conf:
[global]
workgroup = SUNTECH
netbios name = SERVER02
security = user
local master = no
domain master = no
preferred master = no
domain logons = no
passdb backend = ldapsam:ldap://server01.suntech
ldap admin dn = cn=admin,dc=suntech
ldap suffix = dc=suntech
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config * : ldap_url = ldap://server01.suntech
idmap config * : ldap_base_dn = ou=idmap,dc=suntech
idmap config * : ldap_user_dn = cn=admin,dc=suntech
ldap delete dn = no
ldap ssl = start tls
When running the ldapsearch we get
ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
But when we run ldapsearch without -ZZ, we get the details:
ldapsearch -xLLL -H ldap://server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'
dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038
# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
Any suggestions?
The one other thing we see is that Server02 (member server) shows up as a sambaDomain. I went through the old Samba list posts and came up with the one which addresses the issue:
https://lists.samba.org/archive/samba/2012-January/165972.html
According to the above, do we remove passdb backend = ldapsam:ldap://server01.suntech from the member server's smb.conf? If so, how do we auth the users?
Regards,
Praveen Ghimire
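As an added diagnostic (not code from this post, from OpenLDAP or from Samba), the Python probe below performs the same StartTLS exchange that ldapsearch -ZZ does, but reports separately whether the TCP connect, the LDAP StartTLS extended request, or TLS certificate verification against the configured CA file is the step that fails, which is what "Connect error (-11)" hides. The BER layout follows RFC 4511; the host name and CA path in the usage line are the ones from the post, and the caller is assumed to supply the name the server certificate must match.

```python
"""StartTLS probe that separates TCP, LDAP and TLS-verification failures (added example, not from the post).
Assumed: caller supplies host, CA file and the name the cert must match; short-form BER lengths only."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def build_starttls_request(message_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    ext = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    op = b"\x77" + bytes([len(ext)]) + ext                       # [APPLICATION 23] ExtendedRequest
    body = b"\x02\x01" + bytes([message_id]) + op                # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # outer SEQUENCE

def parse_extended_response(data):
    """Return (resultCode, errorMessage) from an ExtendedResponse ([APPLICATION 24], tag 0x78)."""
    if data[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    i = 4 + data[3]                      # skip SEQUENCE header and the messageID INTEGER
    if data[i] != 0x78 or data[i + 2] != 0x0A:
        raise ValueError("not an ExtendedResponse with an ENUMERATED resultCode")
    code = data[i + 4]
    i += 5                               # now at matchedDN (OCTET STRING)
    i += 2 + data[i + 1]                 # now at errorMessage (OCTET STRING)
    msg = data[i + 2:i + 2 + data[i + 1]].decode(errors="replace")
    return code, msg

def diagnose_starttls(host, port=389, cafile=None, server_hostname=None, timeout=5.0):
    """Run the steps that ldapsearch -ZZ folds into 'Connect error (-11)' and name the one
    that fails: TCP connect, the LDAP StartTLS request, or TLS certificate verification."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return f"tcp: cannot reach {host}:{port} ({e})"
    with sock:
        sock.sendall(build_starttls_request())
        code, msg = parse_extended_response(sock.recv(4096))
        if code != 0:
            return f"ldap: server refused StartTLS (resultCode {code}, {msg!r})"
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
                return f"ok: {tls.version()} to {tls.getpeercert()['subject']}"
        except ssl.SSLCertVerificationError as e:
            return f"tls-verify: {e.verify_message} (wrong CA file or certificate name)"
        except ssl.SSLError as e:
            return f"tls: handshake failed ({e})"

if __name__ == "__main__":
    print(diagnose_starttls("server01.suntech", cafile="/etc/ldap/ca_certs.pem"))
```

Run it on the member server with the CA file that server's ldap.conf names; a "tls-verify" result means the member server cannot validate the PDC's self-signed certificate, while "ldap" means the PDC itself did not accept StartTLS.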