On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:
> On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> > Hello,
> >
> > I just configured a three-site DC setup with Samba 4.6.0, and
> > replication worked great.
> > But then I added a custom cert to one of the DCs to authenticate
> > various apps against it. I used this wiki:
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> >
> > Now I can authenticate my apps over LDAPS against my DC, but it broke
> > replication.
> >
> > How do I need to configure replication to work with a self-signed
> > cert?
>
> The two are not related - replication is not over LDAP or LDAPS, but
> instead it is done with DRSUAPI over DCE/RPC.

I created a user and it got replicated, so replication works indeed.

I guess that only 'samba-tool drs showrepl' breaks:

Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://ch1-ad-v01.ad.corp.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): LDAP connection to ch1-ad-v01.ad.corp.com failed - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 50, in samdb_connect
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
    options=options)

Thanks,
-Mike

On Sat, 2017-03-11 at 14:54 -0600, Mircea Husz wrote:
> On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:
> > On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> > > Hello,
> > >
> > > I just configured a three-site DC setup with Samba 4.6.0, and
> > > replication worked great.
> > > But then I added a custom cert to one of the DCs to authenticate
> > > various apps against it. I used this wiki:
> > > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > >
> > > Now I can authenticate my apps over LDAPS against my DC, but it
> > > broke replication.
> > >
> > > How do I need to configure replication to work with a self-signed
> > > cert?
> >
> > The two are not related - replication is not over LDAP or LDAPS,
> > but instead it is done with DRSUAPI over DCE/RPC.
>
> I created a user and it got replicated, so replication works indeed.
>
> I guess that only 'samba-tool drs showrepl' breaks:
> Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP
> client internal error: NT_STATUS_CONNECTION_REFUSED

This indicates that you have blocked ldap with a firewall, or Samba
isn't (fully) running. Perhaps the LDAP server shut itself down due to
having the wrong permissions on the key files?

Check the logs.

Thanks,
Andrew Bartlett

On Mon, 2017-03-13 at 09:50 +1300, Andrew Bartlett via samba wrote:
> On Sat, 2017-03-11 at 14:54 -0600, Mircea Husz wrote:
> > On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:
> > > On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> > > > Hello,
> > > >
> > > > I just configured a three-site DC setup with Samba 4.6.0, and
> > > > replication worked great.
> > > > But then I added a custom cert to one of the DCs to
> > > > authenticate various apps against it. I used this wiki:
> > > > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > > >
> > > > Now I can authenticate my apps over LDAPS against my DC, but it
> > > > broke replication.
> > > >
> > > > How do I need to configure replication to work with a
> > > > self-signed cert?
> > >
> > > The two are not related - replication is not over LDAP or LDAPS,
> > > but instead it is done with DRSUAPI over DCE/RPC.
> >
> > I created a user and it got replicated, so replication works
> > indeed.
> >
> > I guess that only 'samba-tool drs showrepl' breaks:
> > Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' -
> > LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
>
> This indicates that you have blocked ldap with a firewall, or Samba
> isn't (fully) running. Perhaps the LDAP server shut itself down due
> to having the wrong permissions on the key files?
>
> Check the logs.

That was it, the permission on the key was too wide. Thank you.

-Mike
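The two checks Andrew's reply points at, as an added example that is not part of the list thread or of the Samba project's own code: first, whether the TLS private key is readable by anyone other than its owner (the "too wide" permissions that made the LDAP server stop serving in the thread), and second, whether anything is actually listening on the LDAP ports that 'samba-tool drs showrepl' connects to (the NT_STATUS_CONNECTION_REFUSED symptom). It assumes a Linux DC with GNU coreutils stat and iproute2 ss, and that the key path given is the `tls keyfile` value from smb.conf, which defaults to tls/key.pem under the private directory (for the build in the thread, /usr/local/samba/private/tls/key.pem); both the tool choice and the path are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the samba list thread or the Samba project).
# Assumes GNU coreutils 'stat' and iproute2 'ss'; the key path is assumed
# to be smb.conf's 'tls keyfile' (default: <private dir>/tls/key.pem).

# Return 0 if the key file exists and has no group/other permission bits
# (0600 or stricter), 1 otherwise. 'stat -c %a' prints the mode in octal
# without a leading zero (600, 644, ...), and the last two digits are the
# group and other bits, so 'mode % 100' on that decimal string is zero
# exactly when both are 0.
tls_key_perms_ok() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing key file: $key" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key") || return 1
    if [ "$((mode % 100))" -ne 0 ]; then
        echo "$key has mode $mode; group/other bits must be 0" >&2
        return 1
    fi
    return 0
}

# Tighten the private key to owner-only. Only the key is touched: the
# certificate and CA files must stay readable, clients need them.
fix_key_perms() {
    chmod 600 "$1"
}

# Return 0 if a TCP listener is bound on the given port (389 for LDAP,
# 636 for LDAPS). 'ss -H' drops the header line; the local address is
# column 4 and may be IPv6 ([::]:389), so split on ':' and take the last
# field as the port.
ldap_port_listening() {
    port="$1"
    ss -Hlnt 2>/dev/null | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Run both checks against one DC and return non-zero if anything fails.
# Usage: check_dc_tls /usr/local/samba/private/tls/key.pem
check_dc_tls() {
    rc=0
    if tls_key_perms_ok "$1"; then
        echo "ok: key permissions"
    else
        echo "FAIL: key permissions"
        rc=1
    fi
    for p in 389 636; do
        if ldap_port_listening "$p"; then
            echo "ok: tcp/$p listening"
        else
            echo "FAIL: tcp/$p not listening"
            rc=1
        fi
    done
    return "$rc"
}
```

If the key check fails, run fix_key_perms on the key, restart samba, and re-run check_dc_tls: the port check should then pass and 'samba-tool drs showrepl' should connect again. A failed port check with correct key permissions points at the other cause Andrew names, a firewall or a samba process that is not fully up, and the DC's log is the next place to look.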