[Samba] LDAP SSL

Praveen Ghimire PGhimire at sundata.com.au
Thu Aug 9 02:07:40 UTC 2018 

Hi ,

I would really appreciate some suggestions re the following issue.

We have a LDAP based PDC and a member server.  We're use libnss_ldap to auth the users. The LDAP PDC is setup with self signed SSL , we're trying make sure the member server connects to the PDC using SSL.

Here is the PDC , smb.conf

[global]
workgroup = SUNTECH
netbios name = SERVER01
security = USER

local master = yes
  domain master = yes
  preferred master = yes
  domain logons = yes
  os level = 66
  passdb backend = ldapsam:ldap://server01.suntech
  ldap admin dn = cn=admin,dc=suntech
  ldap suffix = dc=suntech
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config *: backend = ldap
  idmap config *: range = 10000-19999
  idmap config *: ldap_url = ldap://server01.suntech
  idmap config *: ldap_base_dn = ou=idmap,dc=suntech
  idmap config *: ldap_user_dn = cn=admin,dc=suntech
  ldap delete dn = yes
  ldap password sync = yes
  ldap ssl = start tls


Here is the PDC, ldap.conf

BASE   dc=suntech
URI    ldap://server01.suntech
TLS_CACERT /etc/ldap/ca_certs.pem
#TLS_REQCERT demand

When running the ldapsearch from within the PDC we get the following
ldapwhoami -H ldap://server01.suntech -x -ZZ
anonymous

When running the full ldapsearch from within the PDC we get the following

ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'
# extended LDIF
#
# LDAPv3
# base <dc=suntech> with scope subtree
# filter: sambadomainname=*
# requesting: ALL
#

dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038

# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2


Now the member server's smb.conf
  [global]
  workgroup = SUNTECH
  netbios name = SERVER02
  security = user
  local master = no
  domain master = no
  preferred master = no
  domain logons = no
  passdb backend = ldapsam:ldap://server01.suntech
  ldap admin dn = cn=admin,dc=suntech
  ldap suffix = dc=suntech
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config * : ldap_url = ldap://server01.suntech
  idmap config * : ldap_base_dn = ou=idmap,dc=suntech
  idmap config * : ldap_user_dn = cn=admin,dc=suntech
  ldap delete dn = no
  ldap ssl = start tls


When running the ldapsearch we get
ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

But when we run the ldapsearch without the ZZ, we get the details

ldapsearch -xLLL -H ldap://server01.suntech -b dc=suntech -s sub -D cn=admin,dc=suntech -w password 'sambadomainname=*'

dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038

# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30


Any suggestions?


The one other thing we see is that Server02 (member server) shows up as  sambadomain. I went through the old samba list post and came up with the one which addresses the issues
https://lists.samba.org/archive/samba/2012-January/165972.html

According to the above, do we remove the passdb backend = ldapsam:ldap://server01.suntech from the member servers smb.conf, if so how do we auth the users?


Regards,

Praveen Ghimire

More information about the samba mailing list