Hello Vinicius,

I did it and this was the answer:

ldapsearch -H "ldaps://devsamba.lucas.ufes.br:636" -w '*********' -D "cn=administrator,cn=users,dc=lucas,dc=ufes,dc=br" -x -b "dc=lucas,dc=ufes,dc=br" -d1
ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636)
ldap_create
ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.20.152.23:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Can you extract any reason with that?

> add -d1 to your command, see what ldapsearch complains about.
>
> On 03/02/2017 10:14, Lukz Ferris via samba wrote:
> > Hello everyone,
> >
> > I'm using Samba4 in my CentOS server, and it was just fine. I could always use ldap commands like 'ldapsearch' and 'ldapadd' and I had no problem.
> >
> > But one day, I don't know why, I couldn't use ldapsearch or ldapadd any more. They return this:
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > I'm using the same command as always, like:
> >
> > ldapsearch -H "ldaps://devsamba.lucas.ufes.br:636" -w '*******' -D "cn=administrator,cn=users,dc=lucas,dc=ufes,dc=br" -x -b "dc=lucas,dc=ufes,dc=br"
> >
> > My /etc/openldap/ldap.conf is:
> >
> > #
> > # LDAP Defaults
> > #
> >
> > # See ldap.conf(5) for details
> > # This file should be world readable but not world writable.
> >
> > #BASE dc=example,dc=com
> > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> >
> > #SIZELIMIT 12
> > #TIMELIMIT 15
> > #DEREF never
> >
> > TLS_REQCERT never
> > TLS_CACERT /usr/local/samba/private/tls/cert.pem
> >
> > It worked until now...
> >
> > I checked that samba-tool still works, but I need to use ldap commands too. Any idea why this is happening to ldap?
> >
> > Lucas
>
> --
> Vinicius Silva
> SOC

Lucas
On Fri, 3 Feb 2017 14:27:36 +0000
Lukz Ferris via samba <samba at lists.samba.org> wrote:

> Hello Vinicius,
>
> I did it and this was the answer:
>
> ldapsearch -H "ldaps://devsamba.lucas.ufes.br:636" -w '*********' -D "cn=administrator,cn=users,dc=lucas,dc=ufes,dc=br" -x -b "dc=lucas,dc=ufes,dc=br" -d1
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636)
> ldap_create
> ldap_url_parse_ext(ldaps://devsamba.lucas.ufes.br:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 172.20.152.23:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect errno: 111
> ldap_close_socket: 3
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Can you extract any reason with that?
>

You shouldn't use 'ldaps' and ':636'; in fact you shouldn't use ':636' at all.

OK, mini-howto coming up ;-)

The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf:
tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational
The client is devclient.samdom.example.com

On the DC:

Configure /etc/openldap/ldap.conf as follows:

HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls

Now test with this command:

ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

Enter the password when prompted.

If it is working, you will get the user's AD object.

Copy the AD root certificate to the Linux box:

scp /usr/local/samba/private/tls/cert.pem root@devstation:/etc/ssl/certs/member1cert.pem

Configure the /etc/openldap/ldap.conf file as follows:

HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
TLS_REQCERT never

Test with the same command:

ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

You should get the same output as on the DC.

The above works for me.

Rowland
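A small diagnostic helper for the two things this thread turns on: reading the `connect errno` out of an `ldapsearch -d1` trace (errno 111 in the trace above is ECONNREFUSED, i.e. the host answered but nothing was listening on 636), and checking whether an `ldap.conf` actually verifies the DC's certificate, since `TLS_REQCERT never` as used in both configs above accepts any certificate. This is an added example, not code from any message in the thread; the sample trace is constructed from the one Lukz posted and the errno meanings are the standard Linux values.

```shell
#!/bin/sh
# Constructed sample trace, modelled on the -d1 output posted in the thread.
SAMPLE_TRACE=$(cat <<'EOF'
ldap_connect_to_host: TCP devsamba.lucas.ufes.br:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.20.152.23:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
)

# Read an `ldapsearch -d1` trace on stdin and print "target|errno|explanation"
# for the TCP connect attempt, so a plain socket failure is not blamed on TLS or bind.
diagnose_ldap_trace() {
    trace=$(cat)
    target=$(printf '%s\n' "$trace" | sed -n 's/^ldap_connect_to_host: Trying //p' | head -n 1)
    errno=$(printf '%s\n' "$trace" | sed -n 's/^connect errno: //p' | head -n 1)
    case "$errno" in
        '')  reason="no connect error; look at the TLS and bind lines instead" ;;
        111) reason="ECONNREFUSED: host reachable but nothing listens on that port (service not started, wrong port, or a reject rule)" ;;
        110) reason="ETIMEDOUT: no reply at all (host down or packets silently dropped)" ;;
        113) reason="EHOSTUNREACH: no route to host (routing or wrong address)" ;;
        *)   reason="errno $errno: see errno(3)" ;;
    esac
    printf '%s|%s|%s\n' "${target:-unknown}" "${errno:-none}" "$reason"
}

# Read an ldap.conf on stdin; succeed only if the client verifies the server
# certificate. libldap defaults to `demand` when TLS_REQCERT is absent; `never`
# accepts any certificate, so a spoofed DC would not be noticed. The last
# TLS_REQCERT line in the file is the one considered here.
ldap_conf_verifies_cert() {
    mode=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' | tail -n 1 \
           | tr '[:upper:]' '[:lower:]')
    case "${mode:-demand}" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run the parser over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_TRACE" | diagnose_ldap_trace
```

Feed a real trace with `ldapsearch ... -d1 2>&1 | diagnose_ldap_trace` and your own config with `ldap_conf_verifies_cert < /etc/openldap/ldap.conf`.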