search for: tls_reqcert

Displaying 20 results from an estimated 115 matches for "tls_reqcert".

2019 Aug 28
0
TLS_REQCERT and Samba AD DC
Hi Andrew, > -----Original message----- > From: Andrew Bartlett [mailto:abartlet at samba.org] > Sent: Wednesday 28 August 2019 10:19 > To: L.P.H. van Belle; samba at lists.samba.org > Subject: TLS_REQCERT and Samba AD DC > > On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote: > > > > What is in /etc/ldap/ldap.conf > > Does it have : TLS_REQCERT allow ? > > If not add it. > > I would just like to clarify that no aspect of the Samba AD DC uses...
2019 Aug 28
8
Problems joining station in domain
...problem here is that Samba's python libraries are trying to find the DNS record they just added over RPC, but can't using LDAP. They do this to fix the ownership of the records, as otherwise they will be owned by the administrator, not the DC. What is in /etc/ldap/ldap.conf Does it have : TLS_REQCERT allow ? If not add it. Then one small thing.. /etc/hosts , rowland also mentioned it. Remove the # from the localhost line, enable it, it's the default, keep it there. I also notice you removed the IPv6 parts, that is not wrong, but for future things, I suggest leaving it in. I don't have seen p...
2017 Feb 13
1
LDAP problem
...There is this line in the DC smb.conf: tls certfile = tls/cert.pem The reverse dns zone has been created and operational The client is devclient.samdom.example.com On the DC: Configure /etc/openldap/ldap.conf as follows: HOST dc1.samdom.example.com TLS_CACERT /usr/local/samba/private/tls/cert.pem TLS_REQCERT demand Add this line to smb.conf: ldap server require strong auth = allow_sasl_over_tls Now test with this command: ldapsearch -D "Administrator at samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland Ente...
2019 Aug 06
1
Configuration help
...ca-certificates mkdir -p /usr/local/share/ca-certificates/samba-ad-dc ln -s /var/lib/samba/private/tls/cert.pem /usr/local/share/ca-certificates/samba-ad-dc/samba.crt update-ca-certificates /etc/ldap/ldap.conf BASE dc=some,dc=dom,dc=tld URI ldaps://dc1.some.dom.tld ldaps://dc2.some.dom.tld TLS_REQCERT allow # Optional, depending on need add: #BIND_DN = CN=ldapBindUser,OU=Service-Accounts,DC=some,DC=dom,DC=tld #BIND_PW = SomePasshere Something like that. Greetz, Louis > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of > Guillaume...
2019 Aug 06
3
Configuration help
Distro : Debian 9 log samba and smb as attachments On Tue, 6 Aug 2019 at 09:33, Rowland penny via samba <samba at lists.samba.org> wrote: > On 06/08/2019 07:54, Guillaume Couvreur via samba wrote: > > Hello, here are the google logs. > > > > *[2019-08-05 17:04:31,544+0200] [SwingWorker-pool-1-thread-2] [ERROR] > > [plugin.ldap.AbstractLdapHandler] Failed to
2019 Aug 28
2
Problems joining station in domain
...at gmail.com] > Sent: Wednesday 28 August 2019 15:57 > To: L.P.H. van Belle; sambalist > Subject: Re: [Samba] Problems joining station in domain > > > Hi, > > >What is in /etc/ldap/ldap.conf > >Does it have : TLS_REQCERT allow ? > >If not add it. > Do I add this to all DC's? > > Yes, but as Andrew did say, we could/should use another setting these > days. > He confirmed it's still a bug in the DNS partitioning. > What i hoped it to try to "upgrade" you internal...
2016 May 11
2
Change Password after expired
I don't know LTB or what it exactly is, but Add in /etc/ldap/ldap.conf TLS_REQCERT allow Setup your own "rootCA" like this. ( if not done, apt-get install ca-certificates ) mkdir -p /usr/local/share/ca-certificates/chrono mv /etc/ssl/ca_chrono-dom.lan.pem /usr/local/share/ca-certificates/chrono update-ca-certificates ! MUST BE /usr/local/share/ca-certificates else i...
2017 Feb 03
1
LDAP problem
...> # See ldap.conf(5) for details > # This file should be world readable but not world writable. > > #BASE dc=example,dc=com > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 > > #SIZELIMIT 12 > #TIMELIMIT 15 > #DEREF never > > TLS_REQCERT never > TLS_CACERT /usr/local/samba/private/tls/cert.pem > > > > It worked until now... > > > I checked that samba-tools still works, but I need to use ldap commands too. Any idea why is this happening to ldap? > > > > > > > Lucas -- Vinicius...
2019 Aug 15
2
Failing to join existing AD as DC
Sorry, am not used to a list that has real sender addresses? Samba is configured with internal DNS. # /etc/krb5.conf [libdefaults] default_realm = SAMDOM.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true # /etc/ldap/ldap.conf TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT allow # /etc/resolv.conf domain samdom.example.com search samdom.example.com nameserver 10.88.80.88 # windows dc ./samba-collect-debug-info.sh kinit: Client 'Administrator at SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials Wrong password, exiting now....
2014 Mar 18
1
A record packet with illegal version was received.
...PSK identity hint: None Start Time: 1395130353 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- In this forum: http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php it says that I should set TLS_REQCERT to never but that is for openLDAP. How do I do this in samba 4? Thanks for your help. Shem Pasamba
2017 Dec 11
0
samba net ads join windows/ubuntu active directory with ldap ssl
Hi, I have modified my /etc/ldap/ldap.conf cat /etc/ldap/ldap.conf #TLS_REQCERT HARD TLS_REQCERT ALLOW TLS_CACERT /etc/ssl/certs/msadmaster.pem After above changes net ads is successful with ssl/tls I have verified at Windows AD DC end that TLS is being used for communication with the help of wireshark. Though I am not sure what is impact of changing TLS_REQCERT...
2016 May 11
1
Change Password after expired
...AC.pem, just rename in AC.crt (update-ca-certificates > recognizes only crt files, man update-ca-certificates) > Thank you Louis. > > On 11/05/2016 10:45, L.P.H. van Belle wrote: >> I don't know LTB or what it exactly is, but >> >> Add in /etc/ldap/ldap.conf >> TLS_REQCERT allow >> >> Setup your own "rootCA" like this. >> ( if not done, apt-get install ca-certificates ) >> >> mkdir -p /usr/local/share/ca-certificates/chrono >> mv /etc/ssl/ca_chrono-dom.lan.pem >> /usr/local/share/ca-certificates/chrono >> upd...
2015 Apr 17
3
LDAPS on DC
I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC but when I attempt to connect to the DC on port 636 or via ldaps:// or both via ldapsearch (linux) and ldp (windows) I cannot connect. Failed tests: *ldapsearch -I -H ldaps://dc* ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
2006 Jul 18
1
Weird startup problems TLS & SSL openldap and samba 3.0.23
...mis-configured something? Is there any thing I can try to debug this problem? I've included the configuration files for samba and ldap. I've hid the actual hostname and DIT. Thanks! /etc/openldap/ldap.conf ********************** URI ldaps://yyyy.com <- BASE dc=xxxx,dc=xxxx,dc=com TLS_REQCERT demand TLS_CACERT /etc/openldap/ca.crt TLS_CERT /etc/openldap/server.crt TLS_KEY /etc/openldap/server.key /etc/openldap/slap.conf ****************** include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgpers...
2019 Aug 28
0
Problems joining station in domain
..._______________________________ From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] Sent: Wednesday 28 August 2019 15:57 To: L.P.H. van Belle; sambalist Subject: Re: [Samba] Problems joining station in domain Hi, >What is in /etc/ldap/ldap.conf >Does it have : TLS_REQCERT allow ? >If not add it. Do I add this to all DC's? Yes, but as Andrew did say, we could/should use another setting these days. He confirmed it's still a bug in the DNS partitioning. What i hoped it to try to "upgrade" you internal DNS to bind9_dlz And with doing that, a...
2010 Jun 30
1
Samba 3.3 ldap tools
...=dev,dc=gamersalliance,dc=net,dc=au, error: -1 (Can't contact LDAP server) (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)) I have set in smbldap-tools.conf to verify="allow", as well as in ldap.conf to TLS_REQCERT = allow, so i dont understand why this is happening. All of my systems are pointed to the same cacert file so i doubt that it is confusing certificates. Are there any other options i should be considering? Thanks William
2019 Aug 28
0
Problems joining station in domain
...onden: Wednesday 28 August 2019 15:57 >> To: L.P.H. van Belle; sambalist >> Subject: Re: [Samba] Problems joining station in domain >> >> >> Hi, >> >> >What is in /etc/ldap/ldap.conf >> >Does it have : TLS_REQCERT allow ? >> >If not add it. >> Do I add this to all DC's? >> >> Yes, but as Andrew did say, we could/should use another setting these >> days. >> He confirmed it's still a bug in the DNS partitioning. >> What i hoped it to try to "...
2016 Dec 30
0
ADS domain member: winbind fails
I think we are mixing 2 things now. You corrected DC, that's good. And the debian server member is the member? Did you add in /etc/ldap/ldap.conf TLS_REQCERT allow Now, this part I didn't test, but should work since lots of users are missing the correct TLS settings/certificates. This is a DEBIAN ( or Ubuntu ) setup. apt-get install ca-certificates echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf Locate your SAMBA CA root. ln -s...
2018 Jun 14
3
CentOS7: Setting up ldap over TLS in kickstart file
... --useshadow --enableldaptls --enablecache --passalgo=sha512 --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn Then in a post install script I download the server and ca certificates and stops nslcd that I do not use: echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0 cd /etc/openldap/certs/ && wget http://xxx.xxx.xxx.xxx/Softwares7...
2016 Dec 30
2
ADS domain member: winbind fails
...n Belle via samba: > I think we are mixing 2 things now. > > You corrected DC, that's good. > > > > And the debian server member is the member? No: debian = DC gentoo = former NT4-PDC, upcoming member server / fileserver > > Did you add in /etc/ldap/ldap.conf > > TLS_REQCERT allow on the member? Did that right now. > apt-get install ca-certificates > echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf > > > > Locate your SAMBA CA root. > > ln -s path_to_samba_TLS-CA-ROOT /usr/local/share/ca-certificates/samba-ca.crt will dig that up on gentoo no...