On 08/05/2023 17:27, matti.kaupenjohann via samba wrote:
> Hi,
>
> after successful setting up my test domain I wanted to step forward and
> wanted to check for users on my testserver in the domain. At the moment
> the server is also a domain member and authentication on the system
> works fine. Now I wanted to check for the domain via ldap with:
>
> ```
> ldapsearch -x -b "dc=testdomain,dc=lan" -H ldap://10.99.0.2 -D "cn=Administrator,dc=testdomain,dc=lan" -W
> ```
That wouldn't have worked, even if it would have worked :-)
It is missing 'cn=Users'
>
> I got the the password prompt, but it failed with:
>
> ```
> ldap_bind: Strong(er) authentication required (8) additional info:
> BindSimple: Transport encryption required.
> ```
>
> Ok I do understand the issue and wanted to test again with LDAPS, so
> followed the introduction for an untrusted self-signed certificate.
> After restarting the samba service I noticed that something went wrong.
> After analyzing I figured out, that ubuntu uses /var/lib/samba instead
> of /usr/local/samba.
>
> Switching kind of worked and the samba service launched again
> successfully. But instead of getting the "OK" after issuing the verify
> command I got an:
>
> ```
> error /var/lib/samba/private/tls/testdomain.lan-ldaps-cert.pem:
> verification failed
> ```
>
> I tested on the client and the remote verification looked fine. So I
> updated my ldapsearch command to:
>
> ```
> ldapsearch -x -b "dc=testdomain,dc=lan" -H ldaps://dc01.testdomain.lan
> -D "cn=Administrator,dc=testdomain,dc=lan" -W
> ```
>
> which resulted in
>
> ```
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ```
>
> Is the attempt about SIMPLE bind correct or should I approach this
> differently?
>
>
Use Kerberos, it works.
kinit as Administrator:
sudo kinit administrator
Now try this:
ldapsearch -b "dc=testdomain,dc=lan" -H ldap://YOUR_DC_SHORT_HOSTNAME -Y GSSAPI

Rowland
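The Kerberos route Rowland describes, wrapped into a small script as an added example (not code from the thread or from Samba): it builds the base DN and the correct `cn=Users` user DN from the DNS domain, refuses to run without a valid ticket, and then searches over plain `ldap://` with a GSSAPI bind, which the DC accepts because SASL supplies the transport protection it demands. The DC short hostname `dc01` and the domain `testdomain.lan` are the thread's test values; the `run` argument is this script's own convention.

```shell
#!/bin/sh
# Added example: query a Samba AD DC with a Kerberos (GSSAPI) bind instead of
# a simple bind, which the DC rejects over unencrypted ldap://.

# Turn a DNS domain into an LDAP base DN: testdomain.lan -> dc=testdomain,dc=lan
dns_to_base_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# DN of a user in the default Users container, i.e. with the cn=Users the
# original bind DN in the thread was missing.
ad_user_dn() {
    printf 'cn=%s,cn=Users,%s\n' "$1" "$(dns_to_base_dn "$2")"
}

# Search the DC using the ticket in the current credential cache.
# Usage: ad_search DC_SHORT_HOSTNAME DNS_DOMAIN [FILTER] [ATTR...]
ad_search() {
    dc="$1"; domain="$2"; filter="${3:-(objectClass=user)}"
    shift 2
    if [ $# -gt 0 ]; then shift; fi   # drop the filter, leaving only attributes
    # klist -s exits non-zero when the cache holds no valid, unexpired ticket
    if ! klist -s 2>/dev/null; then
        echo "no Kerberos ticket; run: kinit administrator" >&2
        return 1
    fi
    # -Y GSSAPI: SASL bind with the ticket (signed and sealed, so no TLS needed)
    # -N: do not reverse-resolve the host for the SASL principal; connect by the
    #     DC's hostname, not its IP, so the service principal matches
    ldapsearch -N -Y GSSAPI -H "ldap://$dc" -b "$(dns_to_base_dn "$domain")" "$filter" "$@"
}

# Invoke as: ./ad_search.sh run    (after kinit administrator)
if [ "${1:-}" = "run" ]; then
    ad_search dc01 testdomain.lan "(objectClass=user)" sAMAccountName
fi
```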