Also:

-H ldap://10.100.0.4

should probably be ldaps://URI

You can potentially this in smb.conf, but that is definitely not recommended.

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Kris Lou
klou at themusiclink.net

On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > One of Samba 3 -> Samba 4 migration task I am solving is changing
> > authentication against new Samba 4 AD domain.
> >
> > Existing services use LDAP directory of Samba 3 to authenticate. The
> > simplest way to go would be just to replace LDAP credentials;
> > however, I don't quite understand which LDAP credentials to use/how
> > to create them for Samba 4 AD.
> >
> > Sample command against Samba 4 LDAP service:
> >
> > # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
> > ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> > returns
> > ldap_bind: Strong(er) authentication required (8)
> > additional info: BindSimple: Transport encryption required.
> >
> > I would appreciate a link to possible source of wisdom, or
> > explanations in here.
> >
> > Note: I can do searches using Kerberos authentication on Samba 4
> > installation, like this:
> >
> > # kinit administrator
> > # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
> >
> > but Kerberos is not an option for some existing services.
> >
> > Sincerely,
> > Konstantin
> >
>
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.
>
> However, are you sure you cannot use kerberos ?
> What are your existing services ?
>
> Rowland
Konstantin Boyandin
2018-Sep-06 06:13 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Kris Lou via samba wrote 2018-09-06 02:12:
> Also:
>
> -H ldap://10.100.0.4
>
> should probably be ldaps://URI
>
> You can potentially this in smb.conf, but that is definitely not
> recommended.
>
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

That's the strange part. I have set up using TLS certificate (Let's Encrypt) as recommended in the guide. When I do

# ldbsearch -U Administrator --password='[password]' -H ldaps://dc.ad-lan.com:636

I get

TLS ../source4/lib/tls/tls_tstream.c:1609 - check failed for verify_peer[ca_only] and peer_name[dc.ad-lan.com] status 0x42 (invalid signer_not_found )
Failed to connect to ldap URL 'ldaps://dc.ad-lan.com:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://dc.ad-lan.com:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://dc.ad-lan.com:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

(if I set "tls verify peer" to stronger checks, I get the same error)

However, when I run

# openssl s_client -showcerts -connect dc.ad-lan.com:636

I receive no TLS certificate verification errors.

Note: when using ldap:// scheme, I get no errors, LDAP returns the specified tree.

Sincerely,
Konstantin

> On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Wed, 05 Sep 2018 15:46:04 +0700
>> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>>
>> > Hello,
>> >
>> > One of Samba 3 -> Samba 4 migration task I am solving is changing
>> > authentication against new Samba 4 AD domain.
>> >
>> > Existing services use LDAP directory of Samba 3 to authenticate. The
>> > simplest way to go would be just to replace LDAP credentials;
>> > however, I don't quite understand which LDAP credentials to use/how
>> > to create them for Samba 4 AD.
>> >
>> > Sample command against Samba 4 LDAP service:
>> >
>> > # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
>> > ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>> > returns
>> > ldap_bind: Strong(er) authentication required (8)
>> > additional info: BindSimple: Transport encryption required.
>> >
>> > I would appreciate a link to possible source of wisdom, or
>> > explanations in here.
>> >
>> > Note: I can do searches using Kerberos authentication on Samba 4
>> > installation, like this:
>> >
>> > # kinit administrator
>> > # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>> >
>> > but Kerberos is not an option for some existing services.
>> >
>> > Sincerely,
>> > Konstantin
>> >
>>
>> Try this:
>> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
>> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>>
>> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
>> short hostname.
>>
>> However, are you sure you cannot use kerberos ?
>> What are your existing services ?
Rowland Penny
2018-Sep-06 07:40 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
On Thu, 06 Sep 2018 13:13:11 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Kris Lou via samba wrote 2018-09-06 02:12:
> > Also:
> >
> > -H ldap://10.100.0.4
> >
> > should probably be ldaps://URI
> >
> > You can potentially this in smb.conf, but that is definitely not
> > recommended.
> >
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
> That's the strange part. I have set up using TLS certificate (Let's
> Encrypt) as recommended in the guide. When I do
>
> # ldbsearch -U Administrator --password='[password]' -H
> ldaps://dc.ad-lan.com:636
>

You don't need the ':636', the 'ldaps' is sufficient.

Rowland
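The thread turns on two Samba settings: the DC-side rule that rejects a DN+password simple bind on plain ldap:// ("BindSimple: Transport encryption required"), which Kris Lou notes can be relaxed in smb.conf but should not be, and the client-side "tls verify peer" check that fails for Konstantin on ldaps://. The Python below is an added illustration, not code from the Samba project or from any of the posters: it parses constructed smb.conf fragments (a weak one next to a hardened one), flags the risky values, predicts which binds the DC will accept, and normalises the ":636" that Rowland points out is redundant. The parameter names and values are real Samba ones; the defaults assumed for absent keys are assumptions stated in the code.

```python
"""Added example for the Samba list thread above (not Samba's own code).
Audits the smb.conf settings the thread turns on and predicts which LDAP
binds a Samba AD DC will accept. The smb.conf fragments are constructed;
'ldap server require strong auth' and 'tls verify peer' and their values
are real Samba parameters. Defaults assumed for absent keys are noted in
audit_global() and are assumptions, not read from any Samba release."""
import configparser
from urllib.parse import urlsplit, urlunsplit

# Values of 'tls verify peer', weakest first.
TLS_VERIFY_LEVELS = ("no_check", "ca_only", "ca_and_name_if_available",
                     "ca_and_name", "as_strict_as_possible")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed smb.conf fragments (not from the thread).
WEAK_SMB_CONF = """\
[global]
workgroup = AD-LAN
realm = AD-LAN.COM
server role = active directory domain controller
# lets DN + password binds succeed on plain ldap://
ldap server require strong auth = no
tls enabled = yes
# the ldb client would trust any certificate on ldaps://
tls verify peer = no_check
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = AD-LAN
realm = AD-LAN.COM
server role = active directory domain controller
ldap server require strong auth = yes
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls verify peer = ca_and_name
"""


def parse_smb_conf(text):
    """Return [global] as {lower-cased key: value}. smb.conf is INI-like,
    so configparser suffices; '=' as the only delimiter keeps ldap:// values
    intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def audit_global(conf):
    """Return [(setting, value, why it matters)] for weak settings.
    Absent keys are taken at the defaults assumed here: strong auth 'yes',
    'tls enabled' yes, 'tls verify peer' as_strict_as_possible."""
    findings = []
    strong = conf.get("ldap server require strong auth", "yes").lower()
    if strong == "no":
        findings.append(("ldap server require strong auth", strong,
                         "DN+password simple binds accepted on plain ldap://; "
                         "the password crosses the wire in clear"))
    elif strong != "yes":
        findings.append(("ldap server require strong auth", strong,
                         "weaker than 'yes'; check man smb.conf for what it relaxes"))
    if conf.get("tls enabled", "yes").lower() != "yes":
        findings.append(("tls enabled", conf["tls enabled"],
                         "no ldaps:// endpoint; only Kerberos binds stay usable"))
    verify = conf.get("tls verify peer", "as_strict_as_possible").lower()
    if verify not in TLS_VERIFY_LEVELS:
        findings.append(("tls verify peer", verify, "unknown value"))
    elif verify == "no_check":
        findings.append(("tls verify peer", verify,
                         "any certificate is accepted; an impostor DC goes unnoticed"))
    elif TLS_VERIFY_LEVELS.index(verify) < TLS_VERIFY_LEVELS.index("ca_and_name"):
        findings.append(("tls verify peer", verify,
                         "CA chain checked but the peer name may go unchecked"))
    return findings


def classify_bind(uri, mechanism, require_strong_auth="yes"):
    """Predict the DC's answer to a bind, mirroring the thread.
    mechanism: 'simple' (DN + password), 'gssapi' (Kerberos, what
    'ldbsearch -k yes' uses) or 'starttls+simple'. Returns (accepted, why)."""
    scheme = urlsplit(uri).scheme.lower()
    encrypted = scheme == "ldaps" or mechanism.startswith("starttls")
    if mechanism == "gssapi":
        return True, "Kerberos bind; works on ldap:// without TLS"
    if not encrypted:
        if require_strong_auth.lower() == "no":
            return True, "accepted only because strong auth is off (cleartext password)"
        return False, "BindSimple: Transport encryption required"
    return True, "simple bind over TLS; subject to 'tls verify peer' on the client"


def normalize_ldap_uri(uri):
    """Drop an explicit default port: ldaps://host:636 -> ldaps://host."""
    parts = urlsplit(uri)
    if parts.port is not None and DEFAULT_PORTS.get(parts.scheme.lower()) == parts.port:
        return urlunsplit(parts._replace(netloc=parts.hostname))
    return uri


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"[{name}]")
        for setting, value, why in audit_global(parse_smb_conf(text)) or [("-", "-", "no findings")]:
            print(f"  {setting} = {value}: {why}")
    for uri, mech in (("ldap://10.100.0.4", "simple"),
                      ("ldaps://dc.ad-lan.com:636", "simple"),
                      ("ldap://dc.ad-lan.com", "gssapi")):
        ok, why = classify_bind(normalize_ldap_uri(uri), mech)
        print(f"{mech:>6} bind to {normalize_ldap_uri(uri)}: {'ok' if ok else 'rejected'} ({why})")
```

One practical reading of Konstantin's error: Samba's tls_tstream.c is built on GnuTLS, where a "signer_not_found" verification status means the issuer of the presented certificate was not found among the CAs the client trusts, so the verify_peer check consults the client's own trust material rather than the server's. That is consistent with openssl s_client, which verifies against its own store, reporting a clean chain while ldbsearch refuses the same endpoint.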