Hello Rowland,
You shouldn't use 'ldaps' and ':636'; in fact, you shouldn't use ':636' at all.
OK, mini-howto coming up ;-)
The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf: tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational
The client is devclient.samdom.example.com
On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
Add this line to smb.conf:
ldap server require strong auth = allow_sasl_over_tls
Now test with this command:
ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
Enter password when prompted
If it is working, you will get the user's AD object.
Copy the AD Root certificate to the Linux box
scp /usr/local/samba/private/tls/cert.pem root@devstation:/etc/ssl/certs/member1cert.pem
Configure the /etc/openldap/ldap.conf file as follows:
HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
TLS_REQCERT never
Test with the same command:
ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
You should get the same output as on the DC.
The above works for me.
Rowland
I tried the first part:
On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
[OK]
Add this line to smb.conf:
ldap server require strong auth = allow_sasl_over_tls
[OK]
Now test with this command:
ldapsearch -D "Administrator@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
[I got the same thing]
ldapsearch -D "administrator@lucas.ufes.br" -b "cn=users,cn=lucas,dc=ufes,dc=br" -H ldaps://devsamba.lucas.ufes.br -w 's3nh4.s3rv3r' sAMAccountName=administrator
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Thank you for the help. I don't know if it is a problem with the server machine.
Probably I'll back up and restore it, or just set the server up from the
beginning...
Lucas
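As an added example (not code from this thread or from the Samba project), the two ldap.conf variants in Rowland's how-to, one with TLS_REQCERT demand on the DC and one with TLS_REQCERT never on the client, are run through a small Python auditor that flags the settings which weaken verification of the DC certificate. The file contents and the ':636' check are constructed from what the thread states; the finding texts are this example's own wording.

```python
"""Audit an OpenLDAP ldap.conf for the TLS settings discussed in this thread.

Constructed example, not Samba project code: it parses the key/value format of
ldap.conf and reports settings that weaken verification of the DC certificate,
so a failure such as "Can't contact LDAP server (-1)" is not "fixed" by simply
switching TLS_REQCERT to never.
"""
import re

# TLS_REQCERT levels at which a bad or untrusted server certificate is tolerated.
WEAK_REQCERT = {"never", "allow", "try"}

# Constructed configs mirroring the two ldap.conf variants in the thread.
DC_CONF = """\
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
"""
CLIENT_CONF = """\
HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
# never accepts any certificate, including a forged one
TLS_REQCERT never
"""


def parse_ldap_conf(text):
    """Map upper-cased keys to values; lines starting with '#' and blank lines
    are ignored, and a repeated key keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest of the line as value
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the TLS settings are sound."""
    conf = parse_ldap_conf(text)
    findings = []
    # OpenLDAP's documented default for TLS_REQCERT is demand.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: the DC certificate is not verified, "
                        "so a spoofed server on the path would be accepted")
    if not (conf.keys() & {"TLS_CACERT", "TLS_CACERTDIR"}):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the DC certificate cannot be "
                        "validated against the AD root certificate copied from the DC")
    target = conf.get("URI", conf.get("HOST", ""))
    if re.search(r"ldaps://[^\s/]+:636(?=[\s/]|$)", target):
        findings.append("ldaps:// already implies port 636; drop ':636' as advised")
    return findings


if __name__ == "__main__":
    for name, body in (("DC", DC_CONF), ("client", CLIENT_CONF)):
        print(name, audit_ldap_conf(body) or ["ok"])
```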