Arjit Gupta
2017-Dec-11 12:31 UTC
[Samba] samba net ads join windows/ubuntu active directory with ldap ssl
Hi,

I have modified my /etc/ldap/ldap.conf:

cat /etc/ldap/ldap.conf
#TLS_REQCERT HARD
TLS_REQCERT ALLOW
TLS_CACERT /etc/ssl/certs/msadmaster.pem

After the above changes net ads is successful with SSL/TLS. I have verified at the Windows AD DC end, with the help of Wireshark, that TLS is being used for communication. Though I am not sure what the impact of changing TLS_REQCERT from HARD to ALLOW is if certificates are being used.

Now I have configured Ubuntu as AD DC and tried to join another Ubuntu machine as member server, but I am getting the below error.

[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required

On checking further I realized that "ldap server require strong auth = yes" allows simple bind over TLS, but SASL is being used. I am not sure how to specify which LDAP bind is to be used.

I have been stuck on this for a week now and will be thankful for any help. Please let me know if any further information is required.

Arjit Kumar
9650104435

On Thu, Dec 7, 2017 at 10:18 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
> Hi,
>
> Anyone, any suggestion how to make this work?
> This issue was reported earlier in Ubuntu bug 1576799
> <bugs.launchpad.net/ubuntu/+source/samba/+bug/1576799?comments=all>,
> but the solution suggested there, replacing "ldap ssl ads = Yes" with
> "ldap server require strong auth = Yes", leaves communication in plain format.
>
> Arjit Kumar
> 9650104435
>
> On Tue, Dec 5, 2017 at 12:18 PM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
>
>> Hi,
>>
>> On checking it further, I observe the below message from the net ads command.
>>
>> [LDAP] TLS: hostname (*X.X.X.X*) does not match common name in certificate (win.cifs.com).
>> [LDAP] ldap_err2string
>> Failed to issue the StartTLS instruction: Connect error
>>
>> I am able to fetch data successfully with the ldapsearch command.
>>
>> It seems Samba is connecting to LDAP by IP, but in the client certificate the domain name is mentioned.
>> Please suggest how I should modify my smb.conf.
>>
>> Arjit Kumar
>> 9650104435
>>
>> On Tue, Dec 5, 2017 at 6:38 AM, Arjit Gupta <arjitk.gupta at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Please help me identify what additional is to be done.
>>>
>>> On 4 Dec 2017 15:10, "Arjit Gupta" <arjitk.gupta at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have enabled LDAP SSL on a Windows 2008 Server Active Directory and
>>>> want to join the ADS domain with the net ads join command.
>>>>
>>>> I am getting the below error:
>>>> net ads join -U Administrator
>>>> ldap_url_parse_ext(ldap://localhost)
>>>> ldap_init: trying /etc/ldap/ldap.conf
>>>> ldap_init: using /etc/ldap/ldap.conf
>>>> ldap_init: HOME env is /root
>>>> ldap_init: trying /root/ldaprc
>>>> ldap_init: trying /root/.ldaprc
>>>> ldap_init: trying ldaprc
>>>> ldap_init: LDAPCONF env is NULL
>>>> ldap_init: LDAPRC env is NULL
>>>> Enter Administrator's password:
>>>> Failed to issue the StartTLS instruction: Connect error
>>>> Failed to join domain: failed to connect to AD: Connect error
>>>>
>>>> I have done the below steps:
>>>>
>>>> 1. Configure secure LDAP SSL on Active Directory. YouTube link
>>>>    <youtube.com/watch?v=JFPa_uY8NhY> which I referred to.
>>>> 2. Obtain client certificate.
>>>>    certutil -ca.cert client.crt
>>>> 3. Copy client certificate to the Linux machine.
>>>> 4. Run the net ads join -U Administrator command.
>>>>
>>>> *My ldap.conf*
>>>> cat /etc/ldap/ldap.conf
>>>> #
>>>> # LDAP Defaults
>>>> #
>>>>
>>>> # See ldap.conf(5) for details
>>>> # This file should be world readable but not world writable.
>>>>
>>>> #BASE dc=example,dc=com
>>>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>>>
>>>> #SIZELIMIT 12
>>>> #TIMELIMIT 15
>>>> #DEREF never
>>>>
>>>> # TLS certificates (needed for GnuTLS)
>>>> TLS_CACERT /etc/ssl/certs/client.crt
>>>>
>>>> *My smb.conf*
>>>>
>>>> [global]
>>>> ldap debug level = 1
>>>> ldap ssl = start tls
>>>> ldap ssl ads = yes
>>>> workgroup = CIFS
>>>> security = ads
>>>> realm = cifs.com
>>>> netbios name = ubuntu
>>>> encrypt passwords = yes
>>>> log file = /var/opt/samba/log.%m
>>>> debug level = 0
>>>> max log size = 1000
>>>> syslog = 0
>>>> panic action = /var/opt/samba/panic-action %d
>>>> preserve case = yes
>>>> short preserve case = yes
>>>> dos filetime resolution = yes
>>>> read only = no
>>>> socket options = TCP_NODELAY
>>>> domain master = auto
>>>> local master = yes
>>>> preferred master = auto
>>>> domain logons = no
>>>> [homes]
>>>> comment = Home Directories
>>>> path = /home/%U
>>>> browseable = no
>>>> writable = no
>>>> create mask = 0700
>>>> directory mask = 0700
>>>> [tmp]
>>>> comment = Temporary file space
>>>> path = /tmp
>>>> read only = no
>>>>
>>>> *NOTE:* before enabling ldap ssl and ldap ssl ads I was able to join the
>>>> Active Directory domain.
>>>>
>>>> Arjit Kumar
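The thread turns on three client-side settings: the TLS_REQCERT level in ldap.conf (per ldap.conf(5), "allow" means a missing or invalid server certificate is ignored and the session proceeds, so it answers the question above: the DC is no longer authenticated, only the traffic is encrypted), the "ldap ssl" / "ldap ssl ads" pair in smb.conf that makes Samba issue StartTLS to the DC, and the sign/seal state of the SASL bind that a DC with "ldap server require strong auth = yes" checks. The following audit script is an added example, not code from the posts or from the Samba project. It parses an OpenLDAP ldap.conf and the [global] section of a Samba smb.conf and flags the settings behind the errors discussed. The sample files are constructed to mirror the posted ones; the "client ldap sasl wrapping = plain" line is an assumption added for illustration, since the thread never shows that parameter.

```python
"""Audit the client-side LDAP-over-TLS settings shown in the thread.

Added example, not code from the posts or from the Samba project. It parses an
OpenLDAP ldap.conf and the [global] section of a Samba smb.conf and flags the
settings behind the errors discussed. The samples are constructed to mirror
the posted files; 'client ldap sasl wrapping' is assumed, the thread never
shows that parameter.
"""
import re

# Constructed sample: the ldap.conf from the first message of the thread.
SAMPLE_LDAP_CONF = """\
#TLS_REQCERT HARD
TLS_REQCERT ALLOW
TLS_CACERT /etc/ssl/certs/msadmaster.pem
"""

# Constructed sample: TLS-relevant [global] lines of the posted smb.conf plus
# an assumed 'client ldap sasl wrapping = plain'.
SAMPLE_SMB_CONF = """\
[global]
   ldap ssl = start tls
   ldap ssl ads = yes
   client ldap sasl wrapping = plain
   security = ads
   realm = cifs.com
[homes]
   path = /home/%U
"""


def parse_ldap_conf(text):
    """ldap.conf(5): 'KEYWORD value' per line, '#' comments; keys upper-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_smb_global(text):
    """smb.conf(5): 'name = value' under [section]; names are case-insensitive
    and ignore interior whitespace; '#'/';' are comments. Returns [global] only."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            out[" ".join(name.lower().split())] = value.strip()
    return out


def audit(ldap_conf, smb_global):
    """Return (severity, message) findings for the combined client config."""
    findings = []
    opt = lambda name: smb_global.get(name, "").lower()  # values are case-insensitive

    # TLS_REQCERT decides whether the DC certificate is checked at all;
    # the ldap.conf(5) default is 'demand' ('hard' is a synonym).
    reqcert = ldap_conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("high", f"TLS_REQCERT {reqcert}: a missing or bad DC cert "
                         "is accepted; TLS encrypts but does not authenticate the DC"))
    elif reqcert == "try":
        findings.append(("medium", "TLS_REQCERT try: a DC presenting no cert is accepted"))
    if not (ldap_conf.get("TLS_CACERT") or ldap_conf.get("TLS_CACERTDIR")):
        findings.append(("high", "no TLS_CACERT/TLS_CACERTDIR: DC cert chain cannot be validated"))

    # 'ldap ssl ads = yes' applies the 'ldap ssl' setting (StartTLS) to AD
    # connections; the name Samba connects to must then match the certificate.
    if opt("ldap ssl ads") == "yes":
        if opt("ldap ssl") not in ("start tls", "start_tls"):
            findings.append(("high", "ldap ssl ads = yes but ldap ssl is not 'start tls': "
                             "AD LDAP traffic is not protected by TLS"))
        elif reqcert in ("demand", "hard"):
            findings.append(("info", "StartTLS with strict TLS_REQCERT: the DC cert must "
                             "match the host name Samba connects to, else StartTLS fails"))

    # A SASL bind without sign/seal is what a DC with
    # 'ldap server require strong auth = yes' rejects as 'Sign or Seal are required'.
    if opt("client ldap sasl wrapping") == "plain":
        findings.append(("high", "client ldap sasl wrapping = plain: SASL binds carry no "
                         "sign/seal, so a DC requiring strong auth refuses them"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_ldap_conf(SAMPLE_LDAP_CONF),
                                   parse_smb_global(SAMPLE_SMB_CONF)):
        print(f"[{severity}] {message}")
```

Run against the constructed samples it reports two high findings: the TLS_REQCERT downgrade and the unsigned SASL bind. On the Samba AD DC side, smb.conf(5) documents three values for "ldap server require strong auth": "no" (simple and SASL binds on any transport), "allow_sasl_over_tls" (SASL binds without sign or seal are accepted over TLS, unencrypted connections still need sign or seal) and "yes" (only simple binds over TLS; SASL binds must be signed or sealed even when TLS is in use), which is the combination of StartTLS plus an unsigned GSS-SPNEGO bind that produces the "Sign or Seal are required" rejection quoted above. Whichever value is chosen, keep TLS_REQCERT at "demand" and point TLS_CACERT at the issuing CA, and make sure Samba reaches the DC under a name the certificate actually carries; "allow" silences the hostname-mismatch error by no longer checking the certificate at all.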