Arjit Gupta
2017-Dec-05 06:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,

On checking it further, I observe the below message from the net ads command:

[LDAP] TLS: hostname (X.X.X.X) does not match common name in certificate (win.cifs.com).
[LDAP] ldap_err2string
Failed to issue the StartTLS instruction: Connect error

I am able to fetch data successfully with the ldapsearch command.

It seems samba is connecting to ldap with the IP, but in the client certificate the domain name is mentioned.
Please suggest how I should modify my smb.conf.

Arjit Kumar
9650104435

On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
> Hi,
>
> Please help me identify what additional is to be done.
>
> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>
>> Hi,
>>
>> I have enabled ldap ssl on Windows 2008 server active directory and want
>> to join the ads domain with the net ads join command.
>>
>> I am getting the below error:
>> net ads join -U Administrator
>> ldap_url_parse_ext(ldap://localhost/)
>> ldap_init: trying /etc/ldap/ldap.conf
>> ldap_init: using /etc/ldap/ldap.conf
>> ldap_init: HOME env is /root
>> ldap_init: trying /root/ldaprc
>> ldap_init: trying /root/.ldaprc
>> ldap_init: trying ldaprc
>> ldap_init: LDAPCONF env is NULL
>> ldap_init: LDAPRC env is NULL
>> Enter Administrator's password:
>> Failed to issue the StartTLS instruction: Connect error
>> Failed to join domain: failed to connect to AD: Connect error
>>
>> I have done the below steps:
>>
>> 1. Configure secure ldap ssl on Active Directory. YouTube link
>> <https://www.youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>> 2. Obtain client certificate.
>> certutil -ca.cert client.crt
>> 3. Copy client certificate to linux machine.
>> 4. Run net ads join -U Administrator command
>>
>> My ldap.conf
>> cat /etc/ldap/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE dc=example,dc=com
>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>>
>> # TLS certificates (needed for GnuTLS)
>> TLS_CACERT /etc/ssl/certs/client.crt
>>
>> My smb.conf
>>
>> [global]
>> ldap debug level = 1
>> ldap ssl = start tls
>> ldap ssl ads = yes
>> workgroup = CIFS
>> security = ads
>> realm = cifs.com
>> netbios name = ubuntu
>> encrypt passwords = yes
>> log file = /var/opt/samba/log.%m
>> debug level = 0
>> max log size = 1000
>> syslog = 0
>> panic action = /var/opt/samba/panic-action %d
>> preserve case = yes
>> short preserve case = yes
>> dos filetime resolution = yes
>> read only = no
>> socket options = TCP_NODELAY
>> domain master = auto
>> local master = yes
>> preferred master = auto
>> domain logons = no
>> [homes]
>> comment = Home Directories
>> path = /home/%U
>> browseable = no
>> writable = no
>> create mask = 0700
>> directory mask = 0700
>> [tmp]
>> comment = Temporary file space
>> path = /tmp
>> read only = no
>>
>> NOTE: before enabling ldap ssl and ldap ssl ads I was able to join the
>> active directory domain.
>>
>> Arjit Kumar
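The mismatch in the log above, as an added example that is not from the thread or from Samba: a stdlib-only Python reimplementation of the identity check a TLS client applies to the server certificate, on the dict layout that ssl.SSLSocket.getpeercert() returns. The certificates are constructed, and 192.0.2.10 stands in for the poster's X.X.X.X.

```python
"""Added example (not from the thread or the Samba sources): the hostname
check a TLS client applies to the DC certificate, on the dict layout that
ssl.SSLSocket.getpeercert() returns. Certificates below are constructed."""
import ipaddress
from fnmatch import fnmatchcase

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; one wildcard, leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    hfirst, _, hrest = host.partition(".")
    return first.count("*") == 1 and rest == hrest and fnmatchcase(hfirst, first)

def cert_matches_host(cert: dict, host: str) -> bool:
    """True when HOST is an identity the certificate actually asserts."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an IP SAN, never by a DNS name
        # or the CN: this is exactly why dialling the DC by address fails.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:  # when DNS SANs exist the CN is not consulted
        return any(_dns_match(p, host) for p in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, host) for p in cns)

# Constructed: a DC certificate like the poster's, CN only and no SAN.
DC_CERT_CN_ONLY = {"subject": ((("commonName", "win.cifs.com"),),)}
# Constructed: the same DC reissued with DNS and IP SANs (192.0.2.10 = X.X.X.X).
DC_CERT_WITH_SAN = {
    "subject": ((("commonName", "win.cifs.com"),),),
    "subjectAltName": (("DNS", "win.cifs.com"), ("IP Address", "192.0.2.10")),
}

def diagnose(cert: dict, host: str) -> str:
    """Return a verdict in the spirit of Samba's '[LDAP] TLS: hostname' message."""
    if cert_matches_host(cert, host):
        return f"ok: {host} is an identity in the certificate"
    return f"TLS: hostname ({host}) does not match the certificate"

if __name__ == "__main__":
    print(diagnose(DC_CERT_CN_ONLY, "192.0.2.10"))
```

An IP literal can only be satisfied by an IP Address SAN, so either the client has to reach the DC by the DNS name the certificate carries, or the certificate has to be issued with a SAN for that address.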
Arjit Gupta
2017-Dec-07 04:48 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Hi,

Does anyone have any suggestion how to make this work?
This issue was reported earlier in Ubuntu bug 1576799
<https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all>,
but the solution suggested there, replacing "ldap ssl ads = Yes" with
"ldap server require strong auth = Yes", leaves communication in plain format.

Arjit Kumar
9650104435
Andreas Hasenack
2017-Dec-14 13:14 UTC
[Samba] samba net ads join windows active directory with ldap ssl
Related to https://bugzilla.samba.org/show_bug.cgi?id=13124