I've been spinning my wheels trying to get LDAPS authentication working to a Windows Active Directory (I never got it working in 12.1, gave up and turned off SSL). I'm determined to get this working properly now, but despite following a bunch of howtos it's still not working.
I've created a self-signed cert on the AD side and imported it (not sure exactly where the guide I followed is at this point), but gnutls-cli does say the cert is good and trusted:
gnutls-cli -p 636 dc01.tripp.org -d 1 --print-cert
Processed 138 CA certificate(s).
Resolving 'dc01.tripp.org'...
Connecting to '10.1.1.100:636'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
- Peer's certificate is trusted
- The hostname in the certificate matches 'dc01.tripp.org'.
- Successfully sent 0 certificate(s) to server.
- Session ID: FA:1A:00:00:D3:06:C2:6A:7D:D2:35:4A:65:57:DC:0C:F4:9A:3F:DB:6E:FE:58:CF:AD:1D:71:B0:8F:A3:49:13
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,ST=NY,L=NY,O=tripp,OU=ad,CN=dc01.tripp.org', issuer `DC=org,DC=tripp,CN=tripp-DC01-CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-09-29 20:31:04 UTC', expires `2014-09-29 20:31:04 UTC', SHA-1 fingerprint `20e903642452c11c4eb702beacdfc9fee155de0e'
Public Key Id:
087465ae2b2391ebe8e701114a46719d9b2da2e8
Public key's random art:
+--[ RSA 1024]----+
|.*...o o.o |
|+ o. + o |
|... . + . |
| .o = + |
|...+ . + S |
|...o . |
|. o.o . |
| E o.o |
|o.+. |
+-----------------+
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
The checks here (https://wiki.samba.org/index.php/Samba_&_Active_Directory):
net ads testjoin
wbinfo -u
wbinfo -g
pass, except:
wbinfo -a
which errors out with
Could not authenticate user nik@tripp.org with challenge/response
although I did try various combinations (username, username@tripp and the one above).
I am also failing to authenticate when trying to access my shares. Domain users are also not able to log in to the console (I haven't rebooted, so I still have some root console sessions open, as I've fubarred that before and been unable to change config files).
Below is my smb.conf:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-08-08
[global]
netbios name = BLACKBOX
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = TRIPP
os level = 20
winbind enum groups = yes
socket address = 10.1.1.100
password server = *
preferred master = no
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = TRIPP.ORG
security = ADS
wins server = 10.1.1.2
wins proxy = no
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
usershare allow guests = No
winbind offline logon = yes
winbind refresh tickets = yes
passdb backend = ldapsam:ldap://dc01.tripp.org
wins support = No
idmap backend = ldap:ldap://dc01.tripp.org
ldap group suffix = ou=Groups,ou=Shirotans
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = #dc=tripp,dc=org
ldap user suffix = ou=Users,ou=Shirotans
ldap admin dn = administrator@tripp
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
## Share disabled by YaST
# [netlogon]
[storage]
inherit acls = No
path = /mnt/storage
read only = No
admin users = nik, aministrator@tripp.org
browseable = Yes
nt acl support = Yes
valid users = %S, %D%w%S
My ldap.conf (I've tried various options for TLS_REQCERT):
uri ldaps://dc01.tripp.org
base dc=tripp,dc=org
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT allow
My /etc/openldap.conf (different guides ask you to edit one or the other ...):
uri ldaps://dc01.tripp.org
base dc=tripp,dc=org
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT allow
My nsswitch.conf:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat winbind sss
shadow: compat winbind
group: compat winbind sss
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: db files
netmasks: files
netgroup: files
publickey: nisplus
bootparams: files
automount: files
aliases: files
Any ideas or other info I should include?
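As an added example (not from the poster or the Samba project), a small linter that parses the kinds of lines quoted above and flags the settings a reviewer would question first: a TLS_REQCERT other than demand, which silently discards the LDAPS certificate check; an ldap suffix that starts with '#' (smb.conf only treats '#' as a comment at the start of a line); an ldap admin dn that is not a DN; ldapsam used by an ADS domain member; and a plain ldap:// backend URI when the goal is LDAPS. The two config strings are constructed samples abbreviated to the relevant keys.

```python
import re

# Constructed samples mirroring the key lines of the configs quoted above (not the poster's files).
SMB_CONF = """
[global]
security = ADS
passdb backend = ldapsam:ldap://dc01.tripp.org
ldap suffix = #dc=tripp,dc=org
ldap admin dn = administrator@tripp
"""
LDAP_CONF = """
uri ldaps://dc01.tripp.org
base dc=tripp,dc=org
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT allow
"""

def parse_smb_global(text):
    """Return the [global] section of an smb.conf as {lowercased key: value}."""
    section, out = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
        elif section == "global" and "=" in line:
            k, v = line.split("=", 1)  # a '#' after '=' is part of the value, not a comment
            out[k.strip().lower()] = v.strip()
    return out

def parse_ldap_conf(text):
    """Return ldap.conf directives as {UPPERCASED directive: value}."""
    pairs = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {p[0].upper(): p[1].strip() for p in pairs if len(p) == 2}

def lint(smb, ldap):
    """Return the findings a reviewer would raise against the two configs."""
    f = []
    if ldap.get("TLS_REQCERT", "demand").lower() != "demand":
        f.append("TLS_REQCERT is not 'demand': certificate errors are ignored, so LDAPS no longer authenticates the DC")
    if smb.get("ldap suffix", "").startswith("#"):
        f.append("ldap suffix begins with '#', which Samba reads as part of the value")
    if "=" not in smb.get("ldap admin dn", "cn=unset"):
        f.append("ldap admin dn is not a DN (expects attribute=value components)")
    if smb.get("security", "").upper() == "ADS" and smb.get("passdb backend", "").startswith("ldapsam:"):
        f.append("security = ADS with passdb backend = ldapsam: AD lacks the Samba schema ldapsam needs; domain members normally use tdbsam")
    if "ldap://" in smb.get("passdb backend", ""):
        f.append("passdb backend points at plain ldap:// although the goal is LDAPS")
    return f
```

Run lint(parse_smb_global(SMB_CONF), parse_ldap_conf(LDAP_CONF)) to get the list of findings; on the samples above all five checks fire.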