
I have an Ubuntu 14.04 AD DS member server which appears to be binding to AD no problem with the following command:

wbinfo -g

I want to move to using LDAPS now. I configured LDAPS on my 2012 R2 DC and can bind over LDAPS using ldp.exe.

What steps do I need to take on Ubuntu with Samba and Winbind to force it to use LDAPS now?

1 Answer


Give the following smb.conf settings a try:

  • ldap ssl = start tls
  • ldap ssl ads = yes

Unfortunately I never tried them myself.

I think you would not need to explicitly enforce encryption for winbindd. If you joined the domain and created a Kerberos keytab, winbindd is able to connect to LDAP on the AD DC with SASL/GSSAPI authentication, which is pretty secure. The keytab way is the one I tried and I think it's more reliable (and it's pretty much the plain vanilla configuration).

– 473183469
  • Thanks for the response. I added these in, and now when I run `wbinfo -g` I get the following errors: `could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE`, `could not obtain winbind domain name!`, `failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE`, `Error looking up domain groups` – Jan 02 '18 at 19:33
  • Can you connect to the 2012 R2 DC over LDAPS from the command line (e.g. ldapsearch)? Maybe you need a CA (`tls cafile = /path/to/your/CA` in smb.conf). Again: I never tried that, please double check if both directives are needed. – 473183469 Jan 05 '18 at 10:23
  • `yes` is not an option for `ldap ssl`. Read the manual: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm45179678717584 – Michael Apr 13 '18 at 08:29
  • Oops @Michael, you are right. Maybe I should delete my answer because it's not very well grounded. For now I just corrected the parameter. – 473183469 Apr 20 '18 at 07:38
  • Well, start_tls is really only STARTTLS. Other sources say you have to disable `ldap ssl` to get LDAPS working. I completely disabled LDAP in Samba and did authentication via sssd. Didn't get it working with Samba itself. – Michael Apr 20 '18 at 14:26
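As an added example (not code from the thread or from Samba), here is a small POSIX shell helper that checks an smb.conf for the `ldap ssl` value problem the comments identify and probes LDAPS on the DC the way the comments suggest; the sample config, the DC name and the CA path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the LDAP-over-TLS settings in an
# smb.conf and checks `ldap ssl` against the values smb.conf(5) documents ("off",
# "start tls"/"start_tls"); "yes"/"on" are rejected, as Michael points out above.
# The sample config, DC name and CA path are constructed placeholders.

# Trim and collapse whitespace in a parameter value.
norm() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]\{1,\}/ /g'; }

# Print "valid" if the value is one smb.conf(5) accepts for `ldap ssl`, else "invalid".
ldap_ssl_value_ok() {
  case "$(norm "$1" | tr 'A-Z' 'a-z')" in
    off|"start tls"|start_tls) echo valid ;;
    *) echo invalid ;;
  esac
}

# Read one parameter from [global] (assumes the "name = value" spelling used in the
# thread, not smb.conf's whitespace-free or synonym forms).
smb_param() { # $1 = smb.conf path, $2 = parameter name
  sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[/p' "$1" \
    | grep -i "^[[:space:]]*$2[[:space:]]*=" | head -n 1 | sed 's/^[^=]*=//'
}

# Report the three settings the thread touches.
audit_smb_conf() { # $1 = smb.conf path
  ssl=$(smb_param "$1" "ldap ssl"); ads=$(smb_param "$1" "ldap ssl ads")
  ca=$(smb_param "$1" "tls cafile")
  echo "ldap ssl = '$(norm "$ssl")' -> $(ldap_ssl_value_ok "$ssl")"
  echo "ldap ssl ads = '$(norm "$ads")'"
  if [ -n "$ca" ]; then echo "tls cafile = $(norm "$ca")"; else echo "tls cafile not set"; fi
}

# Probe the DC's LDAPS port and verify its chain against a CA bundle (the check the
# comments suggest). Not run here: it needs a reachable DC.
check_ldaps() { # $1 = DC hostname, $2 = CA bundle in PEM
  printf 'Q\n' | openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
      >/dev/null 2>&1 && echo "LDAPS OK on $1:636" || echo "LDAPS failed on $1:636"
}

# Constructed sample with the settings the answer first suggested.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
[global]
   security = ADS
   realm = EXAMPLE.LOCAL
   ldap ssl = yes
   ldap ssl ads = yes
EOF
audit_smb_conf "$tmp"; rm -f "$tmp"   # ldap ssl = 'yes' -> invalid; tls cafile not set
```

Run `check_ldaps dc.example.local /path/to/ca.pem` against your own DC to confirm port 636 answers with a certificate your CA bundle trusts before changing smb.conf.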