Web lists-archives.com

[Samba] samba net ads join windows active directory with ldap ssl


I have enabled ldap ssl on Windows 2008 server active directory and want to
join ads domain with net ads join command.

I am getting below error:-
net ads join -U Administrator
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
Failed to issue the StartTLS instruction: Connect error
Failed to join domain: failed to connect to AD: Connect error

I have done below steps:-

1. Configure secure ldap ssl on Active directory. Youtube link
<https://www.youtube.com/watch?v=JFPa_uY8NhY> which i refereed.
2. Obtain client certificate.
     certutil -ca.cert client.crt
3. Copy client certificate to linux machine.
4. run  net ads join -U Administrator command

*My ldap .conf*
cat /etc/ldap/ldap.conf
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/client.crt

*My smb.conf *

ldap debug level = 1
ldap ssl = start tls
ldap ssl ads = yes
workgroup = CIFS
security = ads
realm = cifs.com
netbios name = ubuntu
encrypt passwords = yes
log file = /var/opt/samba/log.%m
debug level =0
max log size = 1000
syslog = 0
panic action = /var/opt/samba/panic-action %d
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
   comment = Home Directories
   path = /home/%U
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700
   comment = Temporary file space
   path = /tmp
   read only = no

*NOTE:- *before enabling ldap ssl and ldap ssl ads i was able to join
active directory domain.

Arjit Kumar
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba