[Samba] LDAP SSL

Praveen Ghimire PGhimire at sundata.com.au
Fri Aug 10 02:21:43 UTC 2018


Hi Rowland,

Fair comment. This is not a new domain and we are migrating to AD.

The box in question runs Samba 3.6 (PDC and a physical box) and as such we are not able to directly migrate it. We are adding a Samba 4 box (a VM), which will become the new PDC. This box will then be used to migrate to AD. The Samba 3 box will be converted to a file server.

The confusion in smb.conf is possibly because of the above. We can remove the connection to LDAP via smb.conf if that helps?

We couldn't use winbind because of the bug whereby winbind doesn't enumerate users in a Unix domain member. Hence we had to use libnss_ldap.



Regards,

Praveen Ghimire



-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Thursday, 9 August 2018 5:56 PM
To: samba at lists.samba.org
Subject: Re: [Samba] LDAP SSL

On Thu, 9 Aug 2018 02:07:40 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi ,
> 
> I would really appreciate some suggestions re the following issue.
> 
> We have an LDAP-based PDC and a member server.

Ah, no you haven't ;-)
You have a PDC and something that looks like a cross between a BDC and
a standalone server.

A BDC because it is connecting to the ldap on the PDC.
A standalone server because of 'security = user' and 'domain logons =
no'


> We're using libnss_ldap
> to auth the users. The LDAP PDC is set up with self-signed SSL; we're
> trying to make sure the member server connects to the PDC using SSL.

As you shouldn't be trying to do this, it isn't really a problem ;-)

Is this a new domain ?
If so, have you missed all the warnings about setting up new NT4-style
domains ?
You would be much better off setting up an AD domain.

Rowland
