On Tue, 9 Jan 2018 11:08:19 -0800
Timothy Gwynne via samba <[hidden email]> wrote:
> I have an Ubuntu 14.04 member server which runs winbind, krb5, and
> samba. Without encryption, I am able to use winbind to get all the
> info I need. i.e.
> winbind -g works
> winbind -u works
I am very sure it doesn't ;-)
I think you mean 'wbinfo' instead
> I am trying to now get LDAPS working, but when I run a command nothing
> winbind -g does nothing (no errors)
> winbind -u does nothing (no errors).
> On the Windows DC, I can see TLS traffic happening between the
> Windows DC and Ubuntu machine, but of course it does not seem to be
> fully working.
> here is smb.conf:
> workgroup = TIMDOMAIN
> realm = TIMDOMAIN.LOCAL
> netbios name = UBUNTUWEE
> server string = %h server (Samba %v, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ADS
> ldap ssl = start tls
> ldap ssl ads = yes
> domain master = no
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> usershare allow guests = yes
> I've tried this config without ldap ssl = start tls and just ldap ssl
> ads and the traffic seems to be the exact same.
> Here is ldap.conf:
> TLS_CACERT /etc/ssl/certs/ca.cer
> ca.cer contains my CA root certificate in Base-64 X509 format.
I am trying to understand just what you are trying to achieve. You do
not normally use ldap for authentication; that is what winbind is for.
On 2018-01-09 at 11:08 -0800 Timothy Gwynne via samba sent off:
According to https://bugzilla.samba.org/show_bug.cgi?id=13124#c5, ldap ssl ads
does not work reliably anymore; you might try the mentioned "client ldap sasl
wrapping = plain" setting. You will not make the setup more secure in the end,
though. But the ldap ssl ads parameter might soon go away anyway.
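An added check script, not from the thread or from the Samba project, that an administrator could run on the member server to see which LDAP transport settings winbind is actually using and whether wbinfo itself works before blaming the transport. It assumes testparm and wbinfo are installed, and that plain/sign/seal are the values Samba accepts for "client ldap sasl wrapping" (plain being the unsigned, unsealed option discussed above).

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): audit the effective
# winbind/LDAP transport settings on a Samba member server and exercise
# winbind the way the original poster did (wbinfo -u / wbinfo -g).
# Assumption: testparm (samba-common-bin) and wbinfo (winbind) are installed.

# Classify a "client ldap sasl wrapping" value. "plain" means the LDAP
# traffic winbind sends to the DC is neither signed nor sealed.
classify_wrapping() {
    case "$1" in
        plain) echo "WEAK: LDAP traffic is neither signed nor sealed" ;;
        sign)  echo "OK: integrity-protected (signed) LDAP" ;;
        seal)  echo "OK: integrity- and confidentiality-protected (sealed) LDAP" ;;
        *)     echo "UNKNOWN: unrecognised value '$1'" ;;
    esac
}

# Classify "ldap ssl ads": the thread notes this parameter no longer works
# reliably and may be removed, so flag it whenever it is enabled.
classify_ldap_ssl_ads() {
    case "$1" in
        [Yy]es|[Tt]rue|1) echo "WARN: 'ldap ssl ads = yes' is set; see samba bug 13124" ;;
        *)                echo "OK: ldap ssl ads not enabled" ;;
    esac
}

# Read the effective [global] value from the parsed smb.conf. testparm
# applies Samba's defaults, so this shows what winbind actually uses.
effective_param() {
    testparm -s --parameter-name="$1" 2>/dev/null
}

audit_samba_ldap() {
    wrap=$(effective_param "client ldap sasl wrapping")
    ads=$(effective_param "ldap ssl ads")
    echo "client ldap sasl wrapping = $wrap -> $(classify_wrapping "$wrap")"
    echo "ldap ssl ads = $ads -> $(classify_ldap_ssl_ads "$ads")"
    # Confirm winbindd is alive and the machine trust works before
    # attributing empty wbinfo output to the LDAP transport.
    wbinfo -p >/dev/null 2>&1 || { echo "winbindd not responding"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "machine trust account check failed"; return 1; }
    echo "users: $(wbinfo -u | wc -l), groups: $(wbinfo -g | wc -l)"
}

if [ "${1:-}" = "audit" ]; then
    audit_samba_ldap
fi
```

Run it as `sh audit.sh audit` on the member server; an empty user or group count together with a WEAK or WARN line points at the transport settings rather than at winbind itself.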