Arjit Gupta
2017-Dec-04  09:40 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,
I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want to
join the ADS domain with the net ads join command.
I am getting the error below:
net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error
I have done the steps below:
1. Configure secure LDAP SSL on Active Directory, following the YouTube link
<https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
2. Obtain the client certificate:
     certutil -ca.cert client.crt
3. Copy the client certificate to the Linux machine.
4. Run the net ads join -U Administrator command.
*My ldap.conf*
cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/client.crt
*My smb.conf*
[global]
ldap debug level = 1
ldap ssl = start tls
ldap ssl ads = yes
workgroup = CIFS
security = ads
realm = cifs.com
netbios name = ubuntu
encrypt passwords = yes
log file = /var/opt/samba/log.%m
debug level = 0
max log size = 1000
syslog = 0
panic action = /var/opt/samba/panic-action %d
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
[homes]
   comment = Home Directories
   path = /home/%U
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
*NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
Active Directory domain.
Arjit Kumar
Arjit Gupta
2017-Dec-05  01:08 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,
Please help me identify what additional needs to be done.
Arjit Gupta
2017-Dec-05  06:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,
On checking it further, I observe the message below from the net ads command:
[LDAP] TLS: hostname (X.X.X.X) does not match common name in certificate (win.cifs.com).
[LDAP] ldap_err2string Failed to issue the StartTLS instruction: Connect error
I am able to fetch data successfully with the ldapsearch command. It seems Samba is connecting to LDAP by IP, but the client certificate carries the domain name. Please suggest how I should modify my smb.conf.
Arjit Kumar
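The "hostname does not match common name in certificate" message in the last post is the client's TLS name check rejecting a connection made by IP address to a certificate issued for a DNS name. The following added example (written for this thread; it is not Samba or OpenLDAP code) reproduces that check offline over a constructed certificate in the shape that Python's `ssl.getpeercert()` returns, so the two outcomes can be compared side by side. The certificate contents, the documentation address 192.0.2.10 standing in for the X.X.X.X in the log, and the helper names `match_hostname` and `diagnose` are all assumptions made for the example. It goes slightly beyond the thread by also handling wildcard names and IP-address SAN entries, which is the general rule the check applies.

```python
"""Hostname matching against a TLS certificate, in the shape that
ssl.SSLSocket.getpeercert() returns (added example; not Samba/OpenLDAP code).

The certificates below are constructed: they mimic a domain controller
certificate whose subject CN and DNS SAN both say win.cifs.com, as in
the thread, first without and then with an IP address entry.
"""
import ipaddress

# Constructed stand-in for ssl.getpeercert() output of the DC's certificate.
DC_CERT = {
    "subject": ((("commonName", "win.cifs.com"),),),
    "subjectAltName": (("DNS", "win.cifs.com"),),
}

# Same certificate reissued with an IP SAN (constructed; 192.0.2.10 is a
# documentation address standing in for the X.X.X.X in the log).
DC_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "win.cifs.com"),),),
    "subjectAltName": (("DNS", "win.cifs.com"), ("IP Address", "192.0.2.10")),
}


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, one wildcard allowed
    only as the entire leftmost label, and it never matches across dots."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard must still leave at least two real labels (no "*.com").
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(cert: dict, target: str) -> bool:
    """Return True if `target` (a DNS name or an IP literal) is a valid name
    for `cert`. An IP literal matches only an 'IP Address' SAN entry and is
    never compared against DNS names or the CN, which is exactly why a
    client that dials by IP fails against a name-only certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # When any DNS SAN exists, the CN is ignored (RFC 6125 / RFC 2818).
        return any(_dns_label_match(name, target) for name in dns_names)

    # Legacy fallback: no SAN at all, so compare against the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_label_match(value, target):
                return True
    return False


def diagnose(cert: dict, target: str) -> str:
    """One-line verdict in the spirit of the OpenLDAP message in the thread."""
    if match_hostname(cert, target):
        return f"ok: {target} is a valid name for this certificate"
    names = [v for _, v in cert.get("subjectAltName", ())] or [
        v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return f"TLS: hostname ({target}) does not match certificate names {names}"


if __name__ == "__main__":
    for host in ("192.0.2.10", "win.cifs.com", "WIN.CIFS.COM", "other.cifs.com"):
        print(diagnose(DC_CERT, host))
    print(diagnose(DC_CERT_WITH_IP_SAN, "192.0.2.10"))
```

Run as a script, the first line reports the mismatch from the thread (connecting by 192.0.2.10 to a certificate that only names win.cifs.com), the next two succeed because the name, in any letter case, is in the certificate, and the last succeeds only because that second certificate carries an IP SAN. The check is doing its job: it is the protection against being redirected to another LDAP endpoint presenting a different certificate. The sound remedy is to have the client reach the domain controller by the name the certificate carries (or to issue a certificate that also lists the address), not to turn off verification with settings such as `TLS_REQCERT never` in ldap.conf, which would silently accept any certificate.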