[Samba] Setup LDAPS or other solution for ldap

Rowland Penny rpenny at samba.org
Mon May 8 16:52:58 UTC 2023



On 08/05/2023 17:27, matti.kaupenjohann via samba wrote:
> Hi,
> 
> after successfully setting up my test domain I wanted to step forward and 
> check for users on my testserver in the domain. At the moment 
> the server is also a domain member and authentication on the system 
> works fine. Now I wanted to check for the domain via ldap with:
> 
> ```
> ldapsearch -x -b "dc=testdomain,dc=lan" -H ldap://10.99.0.2 -D "cn=Administrator,dc=testdomain,dc=lan" -W

That wouldn't have worked, even if it would have worked :-)
It is missing 'cn=Users'

> ```
> 
> I got the password prompt, but it failed with:
> 
> ```
> ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required.
> ```
> 
> Ok I do understand the issue and wanted to test again with LDAPS, so 
> followed the introduction for an untrusted self-signed certificate. 
> After restarting the samba service I noticed that something went wrong. 
> After analyzing I figured out, that ubuntu uses /var/lib/samba instead 
> of /usr/local/samba.
> 
> Switching kind of worked and the samba service launched again 
> successfully. But instead of getting the "OK" after issuing the verify 
> command I got:
> 
> ```
> error /var/lib/samba/private/tls/testdomain.lan-ldaps-cert.pem: verification failed
> ```
> 
> I tested on the client and the remote verification looked fine. So I 
> updated my ldapsearch command to:
> 
> ```
> ldapsearch -x -b "dc=testdomain,dc=lan" -H ldaps://dc01.testdomain.lan -D "cn=Administrator,dc=testdomain,dc=lan" -W
> ```
> 
> which resulted in
> 
> ```
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ```
> 
> Is the attempt about SIMPLE bind correct or should I approach this 
> differently?
> 
> 

Use kerberos, it works

kinit as Administrator

sudo kinit administrator

Now try this:

ldapsearch -b "dc=testdomain,dc=lan" -H ldap://YOUR_DC_SHORT_HOSTNAME -Y GSSAPI

Rowland
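The three ways to satisfy the DC's "Transport encryption required" rejection (Kerberos/GSSAPI over plain ldap://, as Rowland suggests, or a simple bind protected by LDAPS or StartTLS) as a small wrapper script. This is an added example, not code from the thread or from the Samba project; the realm testdomain.lan, the host dc01.testdomain.lan and the bind DN under cn=Users are assumptions taken from the thread and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): build and optionally run
# ldapsearch against a Samba AD DC using one of the bind methods the DC accepts
# when a plain simple bind over ldap:// is refused with
# "BindSimple: Transport encryption required".
# Realm, DC host and account are assumptions; override via the environment.

REALM="${REALM:-testdomain.lan}"
DC_HOST="${DC_HOST:-dc01.testdomain.lan}"
ADMIN_CN="${ADMIN_CN:-Administrator}"

# testdomain.lan -> dc=testdomain,dc=lan
realm_to_base_dn() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Built-in accounts live under cn=Users, so a simple bind must name that
# container (a DN directly under the domain root does not exist).
admin_bind_dn() {
    printf 'cn=%s,cn=Users,%s' "$ADMIN_CN" "$(realm_to_base_dn "$REALM")"
}

# Print (do not run) the ldapsearch command for the chosen bind method:
#   gssapi   - Kerberos via SASL over ldap:// (needs a ticket from kinit);
#              -N skips reverse-DNS canonicalisation of the SASL host name
#   ldaps    - simple bind inside TLS on port 636
#   starttls - simple bind on 389 upgraded with StartTLS; -ZZ makes it mandatory
build_ldapsearch() {
    method="$1"
    filter="${2:-(objectClass=user)}"
    base="$(realm_to_base_dn "$REALM")"
    case "$method" in
        gssapi)
            printf "ldapsearch -N -Y GSSAPI -H ldap://%s -b '%s' '%s'\n" \
                "$DC_HOST" "$base" "$filter" ;;
        ldaps)
            printf "ldapsearch -x -H ldaps://%s -D '%s' -W -b '%s' '%s'\n" \
                "$DC_HOST" "$(admin_bind_dn)" "$base" "$filter" ;;
        starttls)
            printf "ldapsearch -x -ZZ -H ldap://%s -D '%s' -W -b '%s' '%s'\n" \
                "$DC_HOST" "$(admin_bind_dn)" "$base" "$filter" ;;
        *)
            printf 'unknown bind method: %s\n' "$method" >&2
            return 1 ;;
    esac
}

# Execute the generated command. For gssapi, obtain a TGT first.
run_ldapsearch() {
    if [ "$1" = gssapi ]; then
        krb_realm="$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')"
        kinit "${ADMIN_CN}@${krb_realm}" || return 1
    fi
    eval "$(build_ldapsearch "$@")"
}

# Default is a dry run that just shows the three commands; set RUN_LDAP=1
# and LDAP_METHOD to actually talk to the DC.
if [ "${RUN_LDAP:-0}" = 1 ]; then
    run_ldapsearch "${LDAP_METHOD:-gssapi}"
else
    for m in gssapi ldaps starttls; do
        build_ldapsearch "$m"
    done
fi
```

If the ldaps:// or StartTLS variant answers "Can't contact LDAP server (-1)" while GSSAPI works, the client side of the TLS handshake is the usual suspect: point the OpenLDAP client at the CA that signed the DC certificate (TLS_CACERT in ldap.conf, or the LDAPTLS_CACERT environment variable) and re-run with `-d 1` to see the TLS error.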