Arjit Gupta
2017-Dec-04 09:40 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,

I have enabled LDAP SSL on a Windows 2008 Server Active Directory and want to join the ADS domain with the net ads join command.

I am getting the below error:

net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error

I have done the below steps:

1. Configure secure LDAP (SSL) on Active Directory. YouTube link <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
2. Obtain the client certificate:
   certutil -ca.cert client.crt
3. Copy the client certificate to the Linux machine.
4. Run the net ads join -U Administrator command.

My ldap.conf:

cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/client.crt

My smb.conf:

[global]
ldap debug level = 1
ldap ssl = start tls
ldap ssl ads = yes
workgroup = CIFS
security = ads
realm = cifs.com
netbios name = ubuntu
encrypt passwords = yes
log file = /var/opt/samba/log.%m
debug level = 0
max log size = 1000
syslog = 0
panic action = /var/opt/samba/panic-action %d
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = no
create mask = 0700
directory mask = 0700
[tmp]
comment = Temporary file space
path = /tmp
read only = no

NOTE: before enabling ldap ssl and ldap ssl ads I was able to join the Active Directory domain.

Arjit Kumar
Arjit Gupta
2017-Dec-05 01:08 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,

Please help me identify what additionally needs to be done.

On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
> [...]
Arjit Gupta
2017-Dec-05 06:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,

On checking it further, I observe the below message from the net ads command:

[LDAP] TLS: hostname (X.X.X.X) does not match common name in certificate (win.cifs.com).
[LDAP] ldap_err2string Failed to issue the StartTLS instruction: Connect error

I am able to fetch data successfully with the ldapsearch command. It seems Samba is connecting to LDAP with the IP, but in the client certificate the domain name is mentioned.

Please suggest how I should modify my smb.conf.

Arjit Kumar
9650104435

On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
> [...]
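The name check behind the message above, as an added example that is not from the thread, from Samba or from OpenLDAP: a small Python model of the TLS hostname-matching rules (RFC 6125) run against a constructed certificate whose only name is win.cifs.com. The address 192.0.2.10 and the SAN contents are assumptions; what it shows is that the string the client connects with must itself be a name the certificate carries, so an IP literal is only covered by an iPAddress SAN, never by a CN or dNSName holding the DC's FQDN.

```python
import ipaddress

# Constructed stand-in for the DC certificate described in the thread
# (assumption: its only name is the DC's FQDN and it has no iPAddress SAN).
DC_CERT_NAMES = {
    "common_name": "win.cifs.com",
    "dns_sans": ["win.cifs.com"],
    "ip_sans": [],
}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate DNS name against the
    name the client dialled: case-insensitive, trailing dot ignored, and a
    wildcard only as the whole left-most label of a name with 3+ labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_target(target: str, names: dict) -> bool:
    """True if the certificate covers `target`, the host string the LDAP
    client connected with (an FQDN or an IP literal)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries; a CN
        # or dNSName holding the DC's FQDN never covers it, which is exactly
        # the "hostname (X.X.X.X) does not match common name" failure.
        return any(ip == ipaddress.ip_address(s) for s in names["ip_sans"])
    # dNSName SANs take precedence when present; the CN is only a fallback
    # for certificates that carry no SAN at all.
    candidates = names["dns_sans"] or [names["common_name"]]
    return any(dns_name_matches(c, target) for c in candidates)

def diagnose(target: str, names: dict) -> str:
    """One-line verdict in the spirit of the libldap message from the thread."""
    if cert_matches_target(target, names):
        return f"TLS: hostname ({target}) matches certificate"
    return (f"TLS: hostname ({target}) does not match common name in "
            f"certificate ({names['common_name']})")
```

Calling diagnose("192.0.2.10", DC_CERT_NAMES) reproduces the mismatch verdict, while diagnose("win.cifs.com", DC_CERT_NAMES) passes, so the DC must be reached by a name present in its certificate (or the certificate must carry the address as an iPAddress SAN).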