
[Samba] LDAPS on DC


Fred Smith

Apr 17, 2015, 12:28:28 AM
I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I
have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC,
but when I attempt to connect to the DC on port 636 or via ldaps:// (or both),
using ldapsearch (Linux) and ldp (Windows), I cannot connect.

Failed tests:

*ldapsearch -I -H ldaps://dc*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)

*ldapsearch -I -H ldaps://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)

*ldapsearch -I -H ldap://dc:636*
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Standard connection works:

*ldapsearch -I -H ldap://dc:389*
SASL/NTLM authentication started
SASL Interaction
Default: issupport
Please enter your authentication name: Administrator
Please enter your password:
SASL username: Administrator
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object
text: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:611

# numResponses: 1


Confirmed the ports are open and the service is running:

*netstat -lpn*

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 823/sshd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 6866/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 15881/smbd
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 15881/smbd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 15880/samba
tcp 0 0 10.10.2.50:53 0.0.0.0:* LISTEN 6866/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 6866/named

*nmap dc*

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-17 12:24 ACST
Nmap scan report for dc (10.10.2.50)
Host is up (0.00099s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds


My smb.conf:

# Global parameters
[global]
workgroup = EXAMPLE
realm = SAMDOM.EXAMPLE.ORG
netbios name = DC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

# Disable printing
printcap name = /dev/null
load printers = no
printing = bsd

# Enable ldaps
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.baptistcaresa.org.au/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


*samba-tool testparm -v*

...
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
...

Luca Olivetti

Apr 17, 2015, 4:48:22 AM
On 17/04/15 at 06:26, Fred Smith wrote:
> I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I
> have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC
> but when I attempt to connect to the DC on port 636 or via ldaps:// or both
> via ldapsearch (linux) and ldp (windows) I cannot connect.
>
> Failed tests:
>
> *ldapsearch -I -H ldaps://dc*
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
> *ldapsearch -I -H ldaps://dc:636*
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
> *ldapsearch -I -H ldap://dc:636*
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Check the ldap configuration file on the client (in Mageia it is
/etc/openldap/ldap.conf, in Ubuntu /etc/ldap/ldap.conf).
Try to set "TLS_REQCERT allow" and comment out everything else.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

Adam Tauno Williams

Apr 17, 2015, 6:42:50 AM
On Fri, 2015-04-17 at 10:46 +0200, Luca Olivetti wrote:
> On 17/04/15 at 06:26, Fred Smith wrote:
> > I'm trying to confirm that LDAP traffic is encrypted on my Samba 4 DC. I
> > have read and followed https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC
> > but when I attempt to connect to the DC on port 636 or via ldaps:// or both
> > via ldapsearch (linux) and ldp (windows) I cannot connect.
> > Failed tests:
> > *ldapsearch -I -H ldaps://dc*
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> > additional info: (unknown error code)

Does the OpenSSL test connect, and if so with what result?

openssl s_client -showcerts -connect DC.EXAMPLE.COM:636

--
Adam Tauno Williams <mailto:awil...@whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

Fred Smith

Apr 20, 2015, 2:33:23 AM
> Check the ldap configuration file on the client (in mageia is
> /etc/openldap/ldap.conf, in ubuntu /etc/ldap/ldap.conf).
> Try to set "TLS_REQCERT allow" and comment out everything else.

Thanks, this seemed to do the trick on the Linux host I was running
ldapsearch on to perform the test connections to my Samba 4 DC. I'm
using Ubuntu and my working ldap.conf is below, as you suggested.

From file /etc/ldap/ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt

TLS_REQCERT allow

I wonder if it's possible to get the Windows program ldp working in
the same way? It might be too old.
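As an added example (not from the thread), the check below parses an ldap.conf like the one above, reports why "TLS_REQCERT allow" leaves the DC's certificate unverified, and emits the hardened form that trusts only the DC's CA; the client path /etc/ldap/samba-dc-ca.pem is an assumed location for a copy of the DC's tls/ca.pem.

```python
# Constructed sample: the active line of the ldap.conf posted above, plus the
# commented-out TLS_CACERT that ships in Ubuntu's default file.
SAMPLE_LDAP_CONF = """\
# See ldap.conf(5) for details
#BASE dc=example,dc=com
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
"""

# Assumed client-side path for a copy of the DC's tls/ca.pem (smb.conf "tls cafile").
DC_CA_PATH = "/etc/ldap/samba-dc-ca.pem"


def parse_ldap_conf(text):
    """Return the active (uncommented) directives, keys upper-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """List why this client would accept an unverified DC certificate."""
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default is demand
    issues = []
    if reqcert in ("never", "allow"):
        issues.append("TLS_REQCERT %s: a missing or bad server certificate is accepted" % reqcert)
    elif reqcert == "try":
        issues.append("TLS_REQCERT try: a server that sends no certificate is accepted")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        issues.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the DC against")
    return issues


def harden_ldap_conf(text, ca_path=DC_CA_PATH):
    """Rewrite the file to trust only the DC's CA and demand a valid certificate."""
    # Drop any active TLS_REQCERT / TLS_CACERT / TLS_CACERTDIR line; comments survive.
    kept = [l for l in text.splitlines()
            if not l.strip().upper().startswith(("TLS_REQCERT", "TLS_CACERT"))]
    kept += ["TLS_CACERT %s" % ca_path, "TLS_REQCERT demand"]
    return "\n".join(kept) + "\n"
```

With "demand" in place the host in the ldaps:// URI must also match the certificate's CN (here DC.samdom.example.org), so the short name "dc" used in the tests above would be rejected.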

Fred Smith

Apr 20, 2015, 2:43:21 AM
> Does the OpenSSL test connect, and if so with what result?
>
> openssl s_client -showcerts -connect DC.EXAMPLE.COM:636

That seems to work, output below.

openssl s_client -showcerts -connect dc:636

CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated certificate, CN = DC.samdom.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated certificate, CN = DC.samdom.example.org
verify return:1
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
i:/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
-----BEGIN CERTIFICATE-----
-removed-
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
---
SSL handshake has read 1662 bytes and written 547 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID: -removed-
Session-ID-ctx:
Master-Key: -removed-
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429510401
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
^C
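As an added example (not part of the thread), this parses s_client output like the transcript above and flags what a defender would want fixed before trusting this LDAPS endpoint: the verify error 18, the autogenerated self-signed certificate, and the 1024-bit key. The 2048-bit floor is an assumption; the sample text is constructed from the values posted above.

```python
import re

# Constructed sample: the relevant lines of the s_client output posted in the
# thread, unwrapped onto single lines.
SAMPLE_S_CLIENT = """\
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated certificate, CN = DC.samdom.example.org
verify error:num=18:self signed certificate
Server certificate
subject=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC.samdom.example.org
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 1024 bit
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Verify return code: 18 (self signed certificate)
"""

MIN_KEY_BITS = 2048  # assumption: the smallest RSA key worth accepting today


def parse_s_client(output):
    """Pull the fields a defender cares about out of raw s_client output."""
    def grab(pattern, default):
        m = re.search(pattern, output, re.M)
        return m.group(1).strip() if m else default
    return {
        "verify_code": int(grab(r"Verify return code:\s*(\d+)", "-1")),
        "verify_text": grab(r"Verify return code:\s*\d+\s*\((.*?)\)", ""),
        "key_bits": int(grab(r"Server public key is\s+(\d+)\s+bit", "0")),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)", ""),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)", ""),
        "subject": grab(r"^subject=(.*)$", ""),
        "issuer": grab(r"^issuer=(.*)$", ""),
    }


def findings(info):
    """Reasons not to trust this LDAPS endpoint yet; an empty list means clean."""
    out = []
    if info["verify_code"] != 0:
        out.append("chain not verifiable (code %d: %s)" % (info["verify_code"], info["verify_text"]))
    if info["subject"] and info["subject"] == info["issuer"]:
        out.append("self-signed: subject equals issuer")
    if "temporary autogenerated" in info["subject"]:
        out.append("Samba's provisioning placeholder certificate is still in use")
    if info["key_bits"] < MIN_KEY_BITS:
        out.append("server key is %d bits, below %d" % (info["key_bits"], MIN_KEY_BITS))
    return out
```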