Arjit Gupta
2017-Dec-05 06:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi, On checking it further. I observe below message from net ads command. LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate ( win.cifs.com). [LDAP] ldap_err2string Failed to issue the StartTLS instruction: Connect error I am able to fetch data successfully from ldapsearch command. It seems samba is connecting to ldap with IP but in client certificate domain name is mentioned. Please suggest how should i modify my smb.conf. Arjit Kumar 9650104435 On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:> Hi, > > Please help me identify what additional is to be done. > > On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote: > >> Hi, >> >> I have enabled ldap ssl on Windows 2008 server active directory and want >> to join ads domain with net ads join command. >> >> I am getting below error:- >> net ads join -U Administrator >> ldap_url_parse_ext(ldap://localhost/) >> ldap_init: trying /etc/ldap/ldap.conf >> ldap_init: using /etc/ldap/ldap.conf >> ldap_init: HOME env is /root >> ldap_init: trying /root/ldaprc >> ldap_init: trying /root/.ldaprc >> ldap_init: trying ldaprc >> ldap_init: LDAPCONF env is NULL >> ldap_init: LDAPRC env is NULL >> Enter Administrator's password: >> Failed to issue the StartTLS instruction: Connect error >> Failed to join domain: failed to connect to AD: Connect error >> >> I have done below steps:- >> >> 1. Configure secure ldap ssl on Active directory. Youtube link >> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which i refereed. >> 2. Obtain client certificate. >> certutil -ca.cert client.crt >> 3. Copy client certificate to linux machine. >> 4. run net ads join -U Administrator command >> >> >> *My ldap .conf* >> cat /etc/ldap/ldap.conf >> # >> # LDAP Defaults >> # >> >> # See ldap.conf(5) for details >> # This file should be world readable but not world writable. >> >> #BASE dc=example,dc=com >> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 >> >> #SIZELIMIT 12 >> #TIMELIMIT 15 >> #DEREF never >> >> # TLS certificates (needed for GnuTLS) >> TLS_CACERT /etc/ssl/certs/client.crt >> >> *My smb.conf * >> >> [global] >> ldap debug level = 1 >> ldap ssl = start tls >> ldap ssl ads = yes >> workgroup = CIFS >> security = ads >> realm = cifs.com >> netbios name = ubuntu >> encrypt passwords = yes >> log file = /var/opt/samba/log.%m >> debug level =0 >> max log size = 1000 >> syslog = 0 >> panic action = /var/opt/samba/panic-action %d >> preserve case = yes >> short preserve case = yes >> dos filetime resolution = yes >> read only = no >> socket options = TCP_NODELAY >> domain master = auto >> local master = yes >> preferred master = auto >> domain logons = no >> [homes] >> comment = Home Directories >> path = /home/%U >> browseable = no >> writable = no >> create mask = 0700 >> directory mask = 0700 >> [tmp] >> comment = Temporary file space >> path = /tmp >> read only = no >> >> *NOTE:- *before enabling ldap ssl and ldap ssl ads i was able to join >> active directory domain. >> >> Arjit Kumar >> >>
Arjit Gupta
2017-Dec-07 04:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi, Any one any suggestion how to make this work. This issue is reported in ubuntu bug 1576799 <https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all> earlier But the solution suggested of replacing ldap ssl ads = Yes to ldap server require strong auth = Yes leaves communication in plain format. Arjit Kumar 9650104435 On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:> Hi, > > On checking it further. > I observe below message from net ads command. > > LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate > (win.cifs.com). > [LDAP] ldap_err2string > Failed to issue the StartTLS instruction: Connect error > > I am able to fetch data successfully from ldapsearch command. > > It seems samba is connecting to ldap with IP but in client certificate > domain name is mentioned. > Please suggest how should i modify my smb.conf. > > > Arjit Kumar > 9650104435 > > On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> > wrote: > >> Hi, >> >> Please help me identify what additional is to be done. >> >> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote: >> >>> Hi, >>> >>> I have enabled ldap ssl on Windows 2008 server active directory and want >>> to join ads domain with net ads join command. >>> >>> I am getting below error:- >>> net ads join -U Administrator >>> ldap_url_parse_ext(ldap://localhost/) >>> ldap_init: trying /etc/ldap/ldap.conf >>> ldap_init: using /etc/ldap/ldap.conf >>> ldap_init: HOME env is /root >>> ldap_init: trying /root/ldaprc >>> ldap_init: trying /root/.ldaprc >>> ldap_init: trying ldaprc >>> ldap_init: LDAPCONF env is NULL >>> ldap_init: LDAPRC env is NULL >>> Enter Administrator's password: >>> Failed to issue the StartTLS instruction: Connect error >>> Failed to join domain: failed to connect to AD: Connect error >>> >>> I have done below steps:- >>> >>> 1. Configure secure ldap ssl on Active directory. Youtube link >>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which i refereed. >>> 2. Obtain client certificate. >>> certutil -ca.cert client.crt >>> 3. Copy client certificate to linux machine. >>> 4. run net ads join -U Administrator command >>> >>> >>> *My ldap .conf* >>> cat /etc/ldap/ldap.conf >>> # >>> # LDAP Defaults >>> # >>> >>> # See ldap.conf(5) for details >>> # This file should be world readable but not world writable. >>> >>> #BASE dc=example,dc=com >>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 >>> >>> #SIZELIMIT 12 >>> #TIMELIMIT 15 >>> #DEREF never >>> >>> # TLS certificates (needed for GnuTLS) >>> TLS_CACERT /etc/ssl/certs/client.crt >>> >>> *My smb.conf * >>> >>> [global] >>> ldap debug level = 1 >>> ldap ssl = start tls >>> ldap ssl ads = yes >>> workgroup = CIFS >>> security = ads >>> realm = cifs.com >>> netbios name = ubuntu >>> encrypt passwords = yes >>> log file = /var/opt/samba/log.%m >>> debug level =0 >>> max log size = 1000 >>> syslog = 0 >>> panic action = /var/opt/samba/panic-action %d >>> preserve case = yes >>> short preserve case = yes >>> dos filetime resolution = yes >>> read only = no >>> socket options = TCP_NODELAY >>> domain master = auto >>> local master = yes >>> preferred master = auto >>> domain logons = no >>> [homes] >>> comment = Home Directories >>> path = /home/%U >>> browseable = no >>> writable = no >>> create mask = 0700 >>> directory mask = 0700 >>> [tmp] >>> comment = Temporary file space >>> path = /tmp >>> read only = no >>> >>> *NOTE:- *before enabling ldap ssl and ldap ssl ads i was able to join >>> active directory domain. >>> >>> Arjit Kumar >>> >>> >
Andreas Hasenack
2017-Dec-14 13:14 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Related to https://bugzilla.samba.org/show_bug.cgi?id=13124 On Thu, Dec 7, 2017 at 2:48 AM, Arjit Gupta via samba <samba at lists.samba.org> wrote:> Hi, > > Any one any suggestion how to make this work. > This issue is reported in ubuntu bug 1576799 > <https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all > > > earlier > But the solution suggested of replacing ldap ssl ads = Yes to ldap server > require strong auth = Yes leaves communication in plain format. > > Arjit Kumar > 9650104435 > > On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com> > wrote: > > > Hi, > > > > On checking it further. > > I observe below message from net ads command. > > > > LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate > > (win.cifs.com). > > [LDAP] ldap_err2string > > Failed to issue the StartTLS instruction: Connect error > > > > I am able to fetch data successfully from ldapsearch command. > > > > It seems samba is connecting to ldap with IP but in client certificate > > domain name is mentioned. > > Please suggest how should i modify my smb.conf. > > > > > > Arjit Kumar > > 9650104435 > > > > On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> > > wrote: > > > >> Hi, > >> > >> Please help me identify what additional is to be done. > >> > >> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote: > >> > >>> Hi, > >>> > >>> I have enabled ldap ssl on Windows 2008 server active directory and > want > >>> to join ads domain with net ads join command. > >>> > >>> I am getting below error:- > >>> net ads join -U Administrator > >>> ldap_url_parse_ext(ldap://localhost/) > >>> ldap_init: trying /etc/ldap/ldap.conf > >>> ldap_init: using /etc/ldap/ldap.conf > >>> ldap_init: HOME env is /root > >>> ldap_init: trying /root/ldaprc > >>> ldap_init: trying /root/.ldaprc > >>> ldap_init: trying ldaprc > >>> ldap_init: LDAPCONF env is NULL > >>> ldap_init: LDAPRC env is NULL > >>> Enter Administrator's password: > >>> Failed to issue the StartTLS instruction: Connect error > >>> Failed to join domain: failed to connect to AD: Connect error > >>> > >>> I have done below steps:- > >>> > >>> 1. Configure secure ldap ssl on Active directory. Youtube link > >>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which i refereed. > >>> 2. Obtain client certificate. > >>> certutil -ca.cert client.crt > >>> 3. Copy client certificate to linux machine. > >>> 4. run net ads join -U Administrator command > >>> > >>> > >>> *My ldap .conf* > >>> cat /etc/ldap/ldap.conf > >>> # > >>> # LDAP Defaults > >>> # > >>> > >>> # See ldap.conf(5) for details > >>> # This file should be world readable but not world writable. > >>> > >>> #BASE dc=example,dc=com > >>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 > >>> > >>> #SIZELIMIT 12 > >>> #TIMELIMIT 15 > >>> #DEREF never > >>> > >>> # TLS certificates (needed for GnuTLS) > >>> TLS_CACERT /etc/ssl/certs/client.crt > >>> > >>> *My smb.conf * > >>> > >>> [global] > >>> ldap debug level = 1 > >>> ldap ssl = start tls > >>> ldap ssl ads = yes > >>> workgroup = CIFS > >>> security = ads > >>> realm = cifs.com > >>> netbios name = ubuntu > >>> encrypt passwords = yes > >>> log file = /var/opt/samba/log.%m > >>> debug level =0 > >>> max log size = 1000 > >>> syslog = 0 > >>> panic action = /var/opt/samba/panic-action %d > >>> preserve case = yes > >>> short preserve case = yes > >>> dos filetime resolution = yes > >>> read only = no > >>> socket options = TCP_NODELAY > >>> domain master = auto > >>> local master = yes > >>> preferred master = auto > >>> domain logons = no > >>> [homes] > >>> comment = Home Directories > >>> path = /home/%U > >>> browseable = no > >>> writable = no > >>> create mask = 0700 > >>> directory mask = 0700 > >>> [tmp] > >>> comment = Temporary file space > >>> path = /tmp > >>> read only = no > >>> > >>> *NOTE:- *before enabling ldap ssl and ldap ssl ads i was able to join > >>> active directory domain. > >>> > >>> Arjit Kumar > >>> > >>> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Seemingly Similar Threads
- samba net ads join windows/ubuntu active directory with ldap ssl
- samba net ads join windows active directory with ldap ssl
- samba net ads join windows active directory with ldap ssl
- samba net ads join windows active directory with ldap ssl
- Samba 4.7 and Editposix/Trusted Ldapsam extension support.