I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf
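# /etc/ldap/ldap.conf - client-side TLS settings read by libldap-based tools
# (net ads included, which is why changing this file changed the join result).
#
# TLS_REQCERT decides what happens with the server certificate:
#   demand (alias: hard) - the certificate must be presented and must verify
#                          against TLS_CACERT, otherwise the session is closed
#   allow                - a missing or failing certificate is ignored and the
#                          session continues
# With allow the TLS_CACERT line below gives no protection: the connection is
# encrypted, but to whoever answers, and a peer presenting any certificate is
# accepted without error. Keep demand. If the join then fails, the CA file
# does not cover the DC's LDAP certificate (or the name in it does not match
# the host being contacted) and that is what needs fixing, not this setting.
TLS_REQCERT demand
# CA certificate(s) that issued the AD DC's LDAP certificate. For a Samba AD
# DC this is the self-signed CA Samba generates at provision time unless an
# operator-issued certificate was installed.
TLS_CACERT /etc/ssl/certs/msadmaster.pem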
After the above changes, net ads is successful with SSL/TLS.
I have verified at the Windows AD DC end, with the help of Wireshark, that TLS is being used for the communication.
Though I am not sure what the impact of changing TLS_REQCERT from HARD to ALLOW is when certificates are being used.
Now I have configured Ubuntu as an AD DC and tried to join another Ubuntu machine as a member server, but I am getting the error below.
[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required
Ubuntu AD DC smb.conf
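# smb.conf on the Ubuntu AD DC (ADC1)
[global]
workgroup = TECHMINT
realm = TECHMINT.LAN
netbios name = ADC1
server role = active directory domain controller
# queries outside the AD zones are handed to this external resolver
dns forwarder = 8.8.8.8
# use the rfc2307 uidNumber/gidNumber attributes stored in AD for ID mapping
idmap_ldb:use rfc2307 = yes
# enumeration is only needed for full getent listings; it is costly on large domains
winbind enum users = yes
winbind enum groups = yes
# shell given to every domain user without a loginShell attribute. On a DC this
# hands an interactive shell to any domain account that PAM lets in; prefer
# /sbin/nologin unless shell access on the DC is intended.
template shell = /bin/bash

[netlogon]
path = /var/lib/samba/sysvol/techmint.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No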
# NOTE(review): from here on the keys look like the tail of the member server's
# smb.conf rather than part of the DC's [sysvol] share (the second copy of this
# message carries them under "smb.conf for ads member server") - verify before
# copying this block into a DC configuration.
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# No "idmap config TECHMINT : ..." lines follow although the stock comment above
# requires them; without a domain backend winbind allocates TECHMINT IDs from the
# default tdb range, and those IDs are not stable between hosts.
# Domain accounts listed in this file are mapped to local users. An entry that
# maps to root grants full local privileges, so keep the file minimal and
# writable by root only.
username map = /etc/opt/samba/user.map
# A Samba AD DC requires SASL sign/seal on LDAP binds ("ldap server require
# strong auth = yes" on the DC, the default). Leave these StartTLS/SSL options
# off and make the member sign or seal the bind ("client ldap sasl wrapping");
# relaxing the DC side is the wrong fix for "Sign or Seal are required".
# ldap ssl = start tls
# ldap ssl ads = yes
# verbose libldap output (DNs and filters end up in the log); switch off when done
ldap debug level = 1
[tmp]
# exposes the host's /tmp read-write to every authenticated domain user;
# remove this share on a production member server
comment = Temporary file space
path = /tmp
read only = no
Hi Team,
I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf
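# /etc/ldap/ldap.conf - client-side TLS settings read by libldap-based tools
# (net ads included, which is why changing this file changed the join result).
#
# TLS_REQCERT decides what happens with the server certificate:
#   demand (alias: hard) - the certificate must be presented and must verify
#                          against TLS_CACERT, otherwise the session is closed
#   allow                - a missing or failing certificate is ignored and the
#                          session continues
# With allow the TLS_CACERT line below gives no protection: the connection is
# encrypted, but to whoever answers, and a peer presenting any certificate is
# accepted without error. Keep demand. If the join then fails, the CA file
# does not cover the DC's LDAP certificate (or the name in it does not match
# the host being contacted) and that is what needs fixing, not this setting.
TLS_REQCERT demand
# CA certificate(s) that issued the AD DC's LDAP certificate. For a Samba AD
# DC this is the self-signed CA Samba generates at provision time unless an
# operator-issued certificate was installed.
TLS_CACERT /etc/ssl/certs/msadmaster.pem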
After the above changes, net ads is successful with SSL/TLS.
I have verified at the Windows AD DC end, with the help of Wireshark, that TLS is being used for the communication.
Though I am not sure what the impact of changing TLS_REQCERT from HARD to ALLOW is when certificates are being used.
Now I have configured Ubuntu as an AD DC and tried to join another Ubuntu machine as a member server, but I am getting the error below.
[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) authentication required
Ubuntu AD DC smb.conf
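# smb.conf on the Ubuntu AD DC (ADC1)
[global]
workgroup = TECHMINT
realm = TECHMINT.LAN
netbios name = ADC1
server role = active directory domain controller
# queries outside the AD zones are handed to this external resolver
dns forwarder = 8.8.8.8
# use the rfc2307 uidNumber/gidNumber attributes stored in AD for ID mapping
idmap_ldb:use rfc2307 = yes
# enumeration is only needed for full getent listings; it is costly on large domains
winbind enum users = yes
winbind enum groups = yes
# shell given to every domain user without a loginShell attribute. On a DC this
# hands an interactive shell to any domain account that PAM lets in; prefer
# /sbin/nologin unless shell access on the DC is intended.
template shell = /bin/bash

[netlogon]
path = /var/lib/samba/sysvol/techmint.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No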
smb.conf for the ADS member server
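# smb.conf on the Ubuntu domain member joined to TECHMINT
[global]
security = ADS
workgroup = TECHMINT
realm = TECHMINT.LAN
# one log file per connecting client (%m expands to the client NetBIOS name)
log file = /var/opt/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# No "idmap config TECHMINT : ..." lines follow although the stock comment above
# requires them; without a domain backend winbind allocates TECHMINT IDs from the
# default tdb range, and those IDs are not stable between hosts.
# Domain accounts listed in this file are mapped to local users. An entry that
# maps to root grants full local privileges, so keep the file minimal and
# writable by root only.
username map = /etc/opt/samba/user.map
# A Samba AD DC requires SASL sign/seal on LDAP binds ("ldap server require
# strong auth = yes" on the DC, the default). Leave these StartTLS/SSL options
# off and make the member sign or seal the bind ("client ldap sasl wrapping");
# relaxing the DC side is the wrong fix for "Sign or Seal are required".
# ldap ssl = start tls
# ldap ssl ads = yes
# verbose libldap output (DNs and filters end up in the log); switch off when done
ldap debug level = 1

[tmp]
# exposes the host's /tmp read-write to every authenticated domain user;
# remove this share on a production member server
comment = Temporary file space
path = /tmp
read only = no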