I've encountered exact same issue as in this thread below, but I cannot
figure out what the solution is
https://lists.samba.org/archive/samba/2015-February/189012.html
In short, my Samba 4.1.22 used to be a member of the domain, with these
ldap ssl settings in the config:
ldap ssl = start tls
ldap ssl ads = Yes
I've updated it to 4.3.8, and it now cannot talk to the domain, it shows
this error if "ldap ssl ads = Yes".
> Failed to issue the StartTLS instruction: Connect error
> Join to domain is not valid: NT code 0xfffffff5
if I change it No, it works again, but I feel like I'm losing encryption of
the authentication handshake to AD.
That thread had this snippet from Andrew:
> You have tripped up that we have two different, independent LDAP paths
> in Samba. We have one using GNUTLS, which is used by the AD DC and the
> ldb tools, and another using OpenSSL, or whatever your libldap was
> linked to. You are looking for that second path, and it is configured
> however (presumably) OpenLDAP's ldap client libs are configured.
>
> However, you may wish to just try a Samba 4.2 pre-release, where we
> turned on a different form of encrypted LDAP (based on Kerberos or
> NTLMSSP) by default. If that works for you, the final 4.2 should not be
> too far off, or just change the same smb.conf options mentioned in the
> WHATSNEW.
>
> Andrew Bartlett
I've read WHATSNEW for 4.2, but I didn't quite understand what changes I
need to make. Maybe I'm overthinking it and ldap ssl ads is not necessary
if ldap server require strong auth already there?
My system: Ubuntu server 14.04 x64, member of Windows AD (2012 I believe).
SSL and AD related values from my testparm:
$ testparm -s -v | egrep -i '(tls|ldap|ssl|ads)'
Server role: ROLE_DOMAIN_MEMBER
cldap port = 389
client ldap sasl wrapping = sign
ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap page size = 1024
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl ads = Yes
ldap ssl = start tls
ldap timeout = 15
security = ADS
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate, dns
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
--
-Alex