[Samba] LDAP bind to AD fails

Stefan G. Weichinger lists at xunil.at
Mon Sep 30 07:25:28 UTC 2019


Am 26.09.19 um 19:02 schrieb Kris Lou via samba:
> 1) You definitely need to have the CA specified for pfSense to use the
> custom certificate.
> 2) The hostname/IP of the specified DC also needs to match the CN on the
> certificate.
> 
> If you want to auth against multiple DCs, then either pfSense needs to
> have some distribution among multiple LDAP providers (I don't think this is
> possible), or your LDAP provider then needs to distribute among multiple
> sources.  So then, you have at least 2 issues:  figuring out how the
> round-robin to sources works, and also making sure that each source can
> properly authenticate (from a single LDAP provider).
> 
> Regarding the certificates, each Samba server (if you self-sign) has its
> own cert (unique CN) and CA.  So, that means that you can't specify a
> single CA for the LDAP provider to reference against all of your Samba
> Servers -- unless you replace the self-signed certs within Samba with
> something else like a wildcard or multi-domain certificate.
> 
> I cheat and use a third-party multi-domain cert on all of my DCs, so the CA
> is on the Global Root CA List.  But the trade-offs are that I have to worry
> about certificate renewals and the like.
> 
> Lastly, pfSense mostly uses DNS to determine which server to use for
> lookups, but there's a slight difference between "domain override"
> forwarding (where it looks up *.ads.samdom.com and forwards these queries
> somewhere) and looking up the domain itself (looking up ads.samdom.com).
> In my case, I don't want queries to be forwarded to a remote DC across a
> VPN, so I use Host Overrides to specify my DCs and queries are
> round-robined between them.  I don't think that Sites will work with pure
> DNS lookups.  This is also with DNSMasq, and not Unbound.

Thanks! I will check back with the admin there if the connections have
been stable since then ... and also make sure to not accidentally ask
the 2nd DC while there is the CA.pem of the 1st in place.
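As an added illustration that is not part of this thread, the following shell script reproduces the two failure modes discussed above with constructed, self-signed certificates (each "DC" is its own CA, as Samba generates by default): presenting DC2's certificate while DC1's CA.pem is configured, and a configured hostname that does not match the certificate's CN/SAN. The hostnames dc1/dc2.ads.samdom.com are placeholders taken from the example domain used in the thread; it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Constructed demo, not from the thread: two "DCs" with placeholder names,
# each carrying its own self-signed certificate as Samba generates by default.
# Requires openssl 1.1.1 or newer (for -addext and -verify_hostname).
set -u
WORK="${TMPDIR:-/tmp}/ldaps-cert-demo.$$"
mkdir -p "$WORK"

# make_dc_cert HOSTNAME: self-signed cert whose CN and SAN are HOSTNAME;
# with no shared CA, each such cert is also its own trust anchor
make_dc_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# check_ldaps_cert CAFILE CERT HOSTNAME: the two checks an LDAPS client such
# as pfSense applies, chain-to-CA and name-matches-CN/SAN; returns 0 only
# when both pass
check_ldaps_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# report CAFILE CERT HOSTNAME: human-readable verdict with the same exit status
report() {
    if check_ldaps_cert "$1" "$2" "$3"; then
        echo "OK: $(basename "$2") chains to $(basename "$1"), name matches $3"
    else
        echo "REJECT: $(basename "$2") with CA $(basename "$1") for host $3"
        return 1
    fi
}

make_dc_cert dc1.ads.samdom.com
make_dc_cert dc2.ads.samdom.com
DC1="$WORK/dc1.ads.samdom.com.pem"
DC2="$WORK/dc2.ads.samdom.com.pem"

# Correct pairing: DC1's own cert, DC1's CA, DC1's hostname
report "$DC1" "$DC1" dc1.ads.samdom.com
# The mistake discussed above: asking DC2 while DC1's CA.pem is configured
report "$DC1" "$DC2" dc2.ads.samdom.com || true
# Right CA, but the configured hostname does not match the CN/SAN
report "$DC1" "$DC1" dc2.ads.samdom.com || true
```

The same `openssl verify` call, pointed at the CA file and DC name configured in pfSense and at a certificate fetched from the live DC, tells you which of the two checks is failing before you touch the LDAP provider settings.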
