[Samba] LDAPS & Windows Domain Controller
rpenny at samba.org
Thu Oct 29 22:22:10 UTC 2020
On 29/10/2020 22:15, Zebrose, Cordell via samba wrote:
> I have a Samba file server attempting to join an Active Directory domain using "$net ads join". The Domain Controller is running Windows Server 2019. I'd like to force samba to use port 636 (LDAPS) when making the LDAP connection. I've tried several settings in the smb.conf file, but when I check the LDAP packets, samba is still using port 389. The join domain call is successful, it's just using the wrong port. I've tried:
> - "ldap ssl ads = yes"
> - "client ldap sasl wrapping = seal"
> - "ldap ssl = no"
> - Setting the URI in the ldap.conf file with "URI ldaps://test.domain.com"
> - Passing the domain controller IP address with ":636" to try and force port 636
> I've looked through the LDAPS documentation on samba.org but it's usually referencing using the Samba server as a Domain Controller, not as a Domain Member. Most of the related questions that I've found refer to using Samba as the AD DC and they usually involve messing around with the tls* attributes and/or having more changes in the ldap.conf. I'm not sure how much of that is required when Samba is a Domain Member.
> I'm just trying to understand what parameters are important when attempting to have samba join a domain using LDAPS. It's also very likely that the issue is related to my Domain Controllers; I've only verified that they are accepting connections on port 636 using the LDP.exe tool. See https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771022(v=ws.11)
Just use Kerberos, believe it or not, it is more secure.
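The question verifies port 636 only with LDP.exe, which shows the DC accepts a TLS connection but not that a Linux member would trust the certificate it presents. As an added check that is not part of this thread, the following Python script (standard library only) completes a verified TLS handshake with the DC on 636 and reports the names, issuer and expiry the client would actually have to trust; the host name and CA file path are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def ldaps_context(cafile=None):
    """TLS context with the strictness an LDAP client should apply:
    chain verified (against cafile, or the system bundle if None),
    hostname checked, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_summary(cert):
    """Reduce a getpeercert() dict to what matters for an LDAPS endpoint:
    the DNS names it is valid for, who issued it, and days until expiry."""
    now = datetime.now(timezone.utc)
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "dns_names": dns_names,
        "issuer_cn": issuer.get("commonName"),
        "days_left": (not_after - now).days,
    }


def check_ldaps(host, cafile=None, port=636, timeout=5.0):
    """Complete a verified TLS handshake with host:port and return
    (negotiated TLS version, certificate summary). Raises ssl.SSLError
    when the chain or hostname does not validate, a failure that a bare
    'accepts connections on 636' test does not reveal."""
    ctx = ldaps_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), cert_summary(tls.getpeercert())


if __name__ == "__main__":
    import sys
    # Placeholder usage: python check_ldaps.py dc01.test.domain.com /path/to/ad-root-ca.pem
    host = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldaps(host, cafile))
```

Run it with the CA bundle the Samba member actually uses; an `ssl.SSLError` here means the DC's certificate chain or name is the problem, not the client's port selection.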