Patch to add TLS support to libads
Jeremy Naylor
jnaylor at gmail.com
Mon Oct 25 22:08:13 GMT 2004
Can someone please tell me what I need to do to get this feature added?
Thanks!
-Jeremy
On Thu, 21 Oct 2004 12:47:17 -0400, Jeremy Naylor <jnaylor at gmail.com> wrote:
> Hello!
>
> In trying to get a linux machine to join a Win2k3 AD domain, I kept
> getting this error message when I ran "net join -U admin":
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
> ads_connect: Strong(er) authentication required
>
> After much googling and experimentation, I discovered that this was
> caused by having this set in the Security Policy on the DC:
>
> Domain Controller: LDAP server signing requirements = Require Signing
>
> Changing this to "None" got it working. I assume this is because the
> openldap code doesn't support signing? I couldn't find anything about
> that.
>
> I've attached a patch that enables TLS in the libads code. The
> "Require Signing" setting allows for SSL/TLS instead of signing.
> There needs to be a certificate installed on the domain controller for
> TLS to work, but that's better than signing anyway. You also need the
> CA certificate to verify the server cert, adding "TLS_CACERT
> /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
> CA cert and saving it in testca.cer) got that working.
>
> I've only tested this on Fedora Core 2 with a DC that has "Require
> Signing" set and has a certificate installed, but setting "ldap ssl =
> off" should disable it.
>
> Can someone let me know if there's anything else I need to do to get
> this feature integrated in the trunk?
>
> Thanks!
>
> -Jeremy
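What the DC's refusal looks like on the wire, as an added example (not part of Jeremy's patch or of Samba): stdlib-only Python that builds the RFC 4511 StartTLS ExtendedRequest a TLS-enabled libads would send and decodes an LDAPResult, mapping resultCode 8 (strongerAuthRequired) to the "Strong(er) authentication required" string OpenLDAP produces for it. The sample BindResponse bytes and their diagnostic text are constructed here, not captured from a real DC.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation
# RFC 4511 resultCodes; OpenLDAP renders 8 as "Strong(er) authentication required".
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 49: "invalidCredentials"}

def ber(tag: int, content: bytes) -> bytes:
    """One BER TLV with a definite length (short form below 128, else long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def ber_int(value: int) -> bytes:
    """INTEGER; the extra bit adds a leading 0x00 so values >= 128 stay positive."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    ext = ber(0x77, ber(0x80, STARTTLS_OID))  # 0x77 = APPLICATION | constructed | 23
    return ber(0x30, ber_int(msg_id) + ext)

def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits say how many length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def parse_ldap_result(data: bytes) -> dict:
    """Decode an LDAPMessage whose protocolOp starts with an LDAPResult
    (BindResponse 0x61, ExtendedResponse 0x78 for StartTLS, ...)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, p = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, p)
    _, code, p = _read_tlv(op, 0)  # resultCode ENUMERATED
    _, dn, p = _read_tlv(op, p)    # matchedDN
    _, diag, _ = _read_tlv(op, p)  # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
            "result_code": rc, "result_name": RESULT_CODES.get(rc, "other"),
            "needs_tls": rc == 8,  # DC wants signing or TLS before this bind
            "matched_dn": dn.decode(), "diagnostic": diag.decode()}

# Constructed sample (not a captured packet): BindResponse (0x61) to messageID 2, resultCode 8.
SAMPLE_BIND_RESPONSE = ber(0x30, ber_int(2) + ber(0x61, ber(0x0A, b"\x08")
    + ber(0x04, b"") + ber(0x04, b"constructed: bind needs integrity or TLS")))
```

With "ldap ssl" enabled, libads would send the StartTLS request before the bind, so a DC set to "Require Signing" answers the bind with resultCode 0 instead of 8.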