Hi,

after successfully migrating my NT4 with OpenLDAP to a Samba4 AD...I got a problem.

Like in the sambawiki tutorial (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) I tried to configure LDAPS. I used the auto-configured certs. They are located in "/var/lib/samba/private/tls".

My smb.conf:

# Global parameters
[global]
netbios name = PDC
realm = COMPANY.COM
workgroup = COMPANY
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
dns forwarder = 8.8.8.8
min protocol = SMB2
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
logging = syslog@1 /var/log/samba/log.%m

I've tested it with the following command and got the following error...

root@server:/var/lib/samba/private/tls# ldbsearch -H ldaps://127.0.0.1 '(cn=admin)' objectClass -Uadmin
TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://127.0.0.1' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://127.0.0.1' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://127.0.0.1 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX

How can I solve this error?
Thanks!
On Wed, 8 Aug 2018 10:31:50 +0200 basti mueller via samba <samba@lists.samba.org> wrote:
> Hi,
>
> after successfully migrating my NT4 with OpenLDAP to a Samba4 AD...I got a problem.
>
> Like in the sambawiki tutorial (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) I tried to configure LDAPS. I used the auto-configured certs. They are located in "/var/lib/samba/private/tls".
>
> My smb.conf:
>
> # Global parameters
> [global]
> netbios name = PDC
> realm = COMPANY.COM
> workgroup = COMPANY
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%U
> dns forwarder = 8.8.8.8
> min protocol = SMB2
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile = /var/lib/samba/private/tls/ca.pem
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> winbind use default domain = yes
> logging = syslog@1 /var/log/samba/log.%m
>
> I've tested it with the following command and got the following error...
>
> root@server:/var/lib/samba/private/tls# ldbsearch -H ldaps://127.0.0.1 '(cn=admin)' objectClass -Uadmin
> TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
> Failed to connect to ldap URL 'ldaps://127.0.0.1' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to 'ldaps://127.0.0.1' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to ldaps://127.0.0.1 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
>
> How can I solve this error?
> Thanks!

Sorry, but you cannot; it is disabled by default. Use Kerberos instead.

If you insist on using TLS, you can get ldapsearch to work, but this requires further configuration and isn't as secure as Kerberos.

As a passing comment, if you are using the default Samba certs, you do not need the tls lines in smb.conf; also 'winbind use default domain = yes' does nothing on a DC.

Rowland
On Wed, 2018-08-08 at 10:31 +0200, basti mueller via samba wrote:
> Hi,
>
> after successfully migrating my NT4 with OpenLDAP to a Samba4 AD...I got a problem.
>
> Like in the sambawiki tutorial (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) I tried to configure LDAPS. I used the auto-configured certs. They are located in "/var/lib/samba/private/tls".

> root@server:/var/lib/samba/private/tls# ldbsearch -H ldaps://127.0.0.1 '(cn=admin)' objectClass -Uadmin
> TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
> Failed to connect to ldap URL 'ldaps://127.0.0.1' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to 'ldaps://127.0.0.1' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to ldaps://127.0.0.1 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX

To validate a TLS certificate it needs to connect to the same name as in the certificate, not the IP (127.0.0.1 in this case).

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT  https://catalyst.net.nz/services/samba
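Andrew's point can be checked offline before touching the DC. The script below is an added example, not code from this thread or from Samba: it generates a throwaway self-signed certificate for the constructed hostname dc1.company.com (standing in for the DC's auto-generated tls/cert.pem, which the thread implies is issued for the DC's own name; the exact subject/SAN layout of Samba's file is an assumption here) and asks OpenSSL whether ldaps:// targets of dc1.company.com, 127.0.0.1 (the target used in the post) and an unrelated name pdc.company.com would pass the name check a strict TLS client performs. It needs OpenSSL 1.1.1 or later for `req -addext` and `verify -verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): why ldaps://127.0.0.1
# cannot pass strict certificate verification while ldaps://<DC hostname> can.
# dc1.company.com and pdc.company.com are constructed names.
set -eu

WORK="${TMPDIR:-/tmp}/ldaps-name-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_test_cert DIR HOSTNAME: self-signed cert/key pair valid only for HOSTNAME
# (CN plus a DNS subjectAltName). A stand-in for Samba's auto-generated
# tls/cert.pem, not Samba's own generator.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# cert_names CERT: print the names the certificate is valid for (SAN extension).
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# cert_matches_target CERT TARGET: exit 0 if TARGET (DNS name or IP literal) is
# a name the certificate is valid for, non-zero otherwise. openssl verify does
# the chain check followed by the hostname/IP check; the certificate is
# self-signed, so it serves as its own CA file here.
cert_matches_target() {
    case "$2" in
        *:*)        flag=-verify_ip ;;        # IPv6 literal
        *[!0-9.]*)  flag=-verify_hostname ;;  # contains letters: DNS name
        *)          flag=-verify_ip ;;        # IPv4 literal
    esac
    openssl verify -CAfile "$1" "$flag" "$2" "$1" >/dev/null 2>&1
}

# report_target CERT TARGET: one line stating whether ldaps://TARGET can verify.
report_target() {
    if cert_matches_target "$1" "$2"; then
        echo "ldaps://$2 : name is in the certificate, strict verification can succeed"
    else
        echo "ldaps://$2 : name is NOT in the certificate, a strict client rejects it"
    fi
}

make_test_cert "$WORK" dc1.company.com
echo "Names in the test certificate:"
cert_names "$WORK/cert.pem"
for target in dc1.company.com 127.0.0.1 pdc.company.com; do
    report_target "$WORK/cert.pem" "$target"
done
```

On a real DC the same check applies to the real files: `openssl x509 -in /var/lib/samba/private/tls/cert.pem -noout -ext subjectAltName` lists the names an ldaps:// URL has to use, and connecting by IP can only verify if the certificate carries a matching iPAddress entry, which a hostname-only certificate does not.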