Web lists-archives.com

Re: [Samba] Authenticating against Samba 4 AD LDAP service




Kris Lou via samba писал 2018-09-06 02:12:
Also:

 -H ldap://10.100.0.4

should probably be ldaps://URI

You can potentially this in smb.conf, but that is definitely not
recommended.

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

That's the strange part. I have set up using TLS certificate (Lets Encrypt) as recommended in guide. When I do

# ldbsearch -U Administrator --password='[password]' -H ldaps://dc.ad-lan.com:636

I get

TLS ../source4/lib/tls/tls_tstream.c:1609 - check failed for verify_peer[ca_only] and peer_name[dc.ad-lan.com] status 0x42 (invalid signer_not_found ) Failed to connect to ldap URL 'ldaps://dc.ad-lan.com:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to connect to 'ldaps://dc.ad-lan.com:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to connect to ldaps://dc.ad-lan.com:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

(if I set "tls verify peer" to stronger checks, I get the same error)

However, when I run

# openssl s_client -showcerts -connect dc.ad-lan.com:636

I receive no TLS certificate verification errors.

Note: when using ldap:// scheme, I get no errors, LDAP returns the specified tree.

Sincerely,
Konstantin

On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

On Wed, 05 Sep 2018 15:46:04 +0700
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
>
> One of Samba 3 -> Samba 4 migration task I am solving is changing
> authentication against new Samba 4 AD domain.
>
> Existing services use LDAP directory of Samba 3 to authenticate. The
> simplest way to go would be just to replace LDAP credentials;
> however, I don't quite understand which LDAP credentials to use/how
> to create them for Samba 4 AD.
>
> Sample command against Samba 4 LDAP service:
>
> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> returns
> ldap_bind: Strong(er) authentication required (8)
>       additional info: BindSimple: Transport encryption required.
>
> I would appreciate a link to possible source of wisdom, or
> explanations in here.
>
> Note: I can do searches using Kerberos authentication on Samba 4
> installation, like this:
>
> # kinit administrator
> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>
> but Kerberos is not an option for some existing services.
>
> Sincerely,
> Konstantin
>

Try this:
ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
-b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"

NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
short hostname.

However, are you sure you cannot use kerberos ?
What are your existing services ?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba