Re: [Samba] LDAPS is not working
- Date: Wed, 8 Aug 2018 10:13:19 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] LDAPS is not working
On Wed, 8 Aug 2018 10:31:50 +0200
basti mueller via samba <samba@xxxxxxxxxxxxxxx> wrote:
> after successfully migrating my NT4 with OpenLDAP to a Samba4
> AD...I got a problem.
> Like in the sambawiki tutorial
> I tried to configure LDAPS. I used the auto-configured certs. They
> are located in "/var/lib/samba/private/tls".
> My smb.conf:
> # Global parameters
> netbios name = PDC
> realm = COMPANY.COM
> workgroup = COMPANY
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir= /home/%U
> dns forwarder = 126.96.36.199
> min protocol = SMB2
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile = /var/lib/samba/private/tls/ca.pem
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> winbind use default domain = yes
> logging = syslog@1 /var/log/samba/log.%m
> I've tested it with the following command and got the following:
> root@server:/var/lib/samba/private/tls# ldbsearch -H ldaps://127.0.0.1 '(cn=admin)' objectClass -Uadmin
> TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
> Failed to connect to ldap URL 'ldaps://127.0.0.1' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to 'ldaps://127.0.0.1' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
> Failed to connect to ldaps://127.0.0.1 - LDAP client internal error:
> How can I solve this error?
Sorry, but you cannot; it is disabled by default, use Kerberos instead.
If you insist on using TLS, you can get ldapsearch to work, but this
requires further configuration and isn't as secure as Kerberos.
As a passing comment, if you are using the default Samba certs, you do
not need the tls lines in smb.conf, also 'winbind use default domain =
yes' does nothing on a DC.
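As an added example (not from the thread or from Samba itself), a small Python check over the smb.conf [global] section that reproduces the reasoning behind the quoted "missing crlfile" error: with Samba's default 'tls verify peer = as_strict_as_possible', the client side also needs a 'tls crlfile' before it will complete a verified LDAPS connection. The sample smb.conf text and the check are constructed here; 'tls verify peer', its values and 'tls crlfile' are the smb.conf(5) parameters.

```python
import re

# Constructed sample: the TLS-relevant part of the [global] section quoted in
# the thread, with 'tls crlfile' (and 'tls verify peer') deliberately absent.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    server role = active directory domain controller
    tls enabled = yes
    tls keyfile = /var/lib/samba/private/tls/key.pem
    tls certfile = /var/lib/samba/private/tls/cert.pem
    tls cafile = /var/lib/samba/private/tls/ca.pem
"""

# Verification levels accepted by smb.conf(5) 'tls verify peer', weakest first.
VERIFY_LEVELS = ("no_check", "ca_only", "ca_and_name_if_available",
                 "ca_and_name", "as_strict_as_possible")

def parse_global(text):
    """Return key/value pairs of the [global] section (lines before any
    section header count as global). Keys are lowercased and space-normalised;
    comment and blank lines are skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section in (None, "global") and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_tls_client(params):
    """Return findings on whether a Samba LDAP client with these settings can
    complete a verified LDAPS handshake (empty list means no issue found)."""
    findings = []
    level = params.get("tls verify peer", "as_strict_as_possible")  # Samba default
    if level not in VERIFY_LEVELS:
        findings.append(f"unknown 'tls verify peer' value: {level}")
        return findings
    if level == "as_strict_as_possible" and not params.get("tls crlfile"):
        findings.append("as_strict_as_possible requires 'tls crlfile'; "
                        "without it the client refuses to connect")
    if level == "no_check":
        findings.append("no_check disables certificate verification entirely")
    return findings
```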