Replication with a self-signed certificate


Replication with a self-signed certificate

Samba - General mailing list
Hello,

I just configured a three-site DC setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Now I can authenticate my apps over LDAPS against my DC, but it broke
replication.

How do I need to configure replication to work with a self-signed cert?

Thanks,
-Mike
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Replication with a self-signed certificate

On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:

> Hello,
>
> I just configured a three-site DC setup with Samba 4.6.0, and
> replication worked great.
> But then I added a custom cert to one of the DCs to authenticate
> various apps against it. I used this wiki:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
> Now I can authenticate my apps over LDAPS against my DC, but it broke
> replication.
>
> How do I need to configure replication to work with a self-signed
> cert?

The two are not related - replication is not over LDAP or LDAPS, but
instead it is done with DRSUAPI over DCE/RPC.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Replication with a self-signed certificate

On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:

> On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> >
> > Hello,
> >
> > I just configured a three-site DC setup with Samba 4.6.0, and
> > replication worked great.
> > But then I added a custom cert to one of the DCs to authenticate
> > various apps against it. I used this wiki:
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> >
> > Now I can authenticate my apps over LDAPS against my DC, but it broke
> > replication.
> >
> > How do I need to configure replication to work with a self-signed
> > cert?
>
> The two are not related - replication is not over LDAP or LDAPS, but
> instead it is done with DRSUAPI over DCE/RPC.
>

I created a user and it got replicated, so replication works indeed.

I guess that only 'samba-tool drs showrepl' breaks:
Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED

Failed to connect to 'ldap://ch1-ad-v01.ad.corp.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): LDAP connection to ch1-ad-v01.ad.corp.com failed - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 50, in samdb_connect
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
    options=options)


Thanks,
-Mike



Re: Replication with a self-signed certificate

On Sat, 2017-03-11 at 14:54 -0600, Mircea Husz wrote:

> On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:
> > On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> > >
> > > Hello,
> > >
> > > I just configured a three-site DC setup with Samba 4.6.0, and
> > > replication worked great.
> > > But then I added a custom cert to one of the DCs to authenticate
> > > various apps against it. I used this wiki:
> > > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > >
> > > Now I can authenticate my apps over LDAPS against my DC, but it
> > > broke replication.
> > >
> > > How do I need to configure replication to work with a self-signed
> > > cert?
> >
> > The two are not related - replication is not over LDAP or LDAPS,
> > but
> > instead it is done with DRSUAPI over DCE/RPC.
> >
>
> I created a user and it got replicated, so replication works indeed.
>
> I guess that only 'samba-tool drs showrepl' breaks:
> Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP
> client internal error: NT_STATUS_CONNECTION_REFUSED

This indicates that you have blocked ldap with a firewall, or Samba
isn't (fully) running.  Perhaps the LDAP server shut itself down due to
having the wrong permissions on the key files?  

Check the logs.

Thanks,

Andrew Bartlett


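The three things Andrew tells Mike to check (is the LDAP listener up at all, is the private key too open for Samba to load it, what does the log say) are easy to script, and the thread's eventual answer was the second one. The script below is an added example for this thread, not code from the Samba project or from either poster. It assumes the key path the wiki page uses (/usr/local/samba/private/tls/key.pem), that Samba runs as root, and that it is run on the DC itself, so LDAP and LDAPS are probed on 127.0.0.1 rather than on a DNS name; all three are placeholders you can override with the first two arguments.

```shell
#!/bin/sh
# Added example: pre-flight checks for the LDAPS-on-a-DC setup described
# in the thread. Not part of Samba and not the posters' own script.
#
# Assumptions (placeholders, not from the thread): key path from the
# wiki page, Samba running as root, checks run on the DC itself.
KEYFILE="${1:-/usr/local/samba/private/tls/key.pem}"
LDAP_HOST="${2:-127.0.0.1}"

# Return 0 if FILE carries no group/other permission bits (0600 or 0400).
# A private key readable by group or others is exactly the "permission
# too wide" condition that made the LDAP server refuse to come up.
check_key_perms() {
    f="$1"
    [ -f "$f" ] || { echo "key file missing: $f"; return 2; }
    # GNU stat first, BSD stat as a fallback; both print octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    tail=${mode#"${mode%??}"}   # last two octal digits: group and other
    if [ "$tail" != "00" ]; then
        echo "key file too open: $f is mode $mode (want 0600, root-owned)"
        return 1
    fi
    return 0
}

# Return 0 if FILE is owned by uid 0 (the user Samba reads it as).
check_key_owner() {
    f="$1"
    [ -f "$f" ] || return 2
    uid=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$uid" = "0" ] || { echo "key file not owned by root: $f (uid $uid)"; return 1; }
}

# Return 0 if something accepts TCP connections on HOST:PORT.
# NT_STATUS_CONNECTION_REFUSED from samba-tool means nothing is listening
# on 389 at all, which is a server-not-running or firewall problem, not a
# certificate problem: replication itself goes over DRSUAPI/DCE-RPC.
check_listening() {
    host="$1"; port="$2"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    else
        # bash-only fallback; under a plain POSIX sh this simply fails
        (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
    fi
}

main() {
    rc=0
    check_key_perms "$KEYFILE" || rc=1
    check_key_owner "$KEYFILE" || rc=1
    for p in 389 636; do
        if check_listening "$LDAP_HOST" "$p"; then
            echo "ldap on $LDAP_HOST:$p: listening"
        else
            echo "ldap on $LDAP_HOST:$p: not listening (check log.samba for the TLS key error)"
            rc=1
        fi
    done
    return $rc
}

if main; then
    echo "all checks passed"
else
    echo "one or more checks failed"
fi
```

Run it as root on the DC after following the wiki page; a key that fails check_key_perms should be fixed with chmod 600 and Samba restarted before retrying samba-tool drs showrepl. Note that a failing showrepl does not by itself mean replication is broken, as Mike found: it only means the tool could not reach LDAP on the DC it was pointed at.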

Re: Replication with a self-signed certificate

On Mon, 2017-03-13 at 09:50 +1300, Andrew Bartlett via samba wrote:

> On Sat, 2017-03-11 at 14:54 -0600, Mircea Husz wrote:
> >
> > On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote:
> > >
> > > On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote:
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I just configured a three-site DC setup with Samba 4.6.0, and
> > > > replication worked great.
> > > > But then I added a custom cert to one of the DCs to
> > > > authenticate various apps against it. I used this wiki:
> > > > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > > >
> > > > Now I can authenticate my apps over LDAPS against my DC, but
> > > > it broke replication.
> > > >
> > > > How do I need to configure replication to work with a self-
> > > > signed
> > > > cert?
> > >
> > > The two are not related - replication is not over LDAP or LDAPS,
> > > but
> > > instead it is done with DRSUAPI over DCE/RPC.
> > >
> >
> > I created a user and it got replicated, so replication works
> > indeed.
> >
> > I guess that only 'samba-tool drs showrepl' breaks:
> > Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' -
> > LDAP
> > client internal error: NT_STATUS_CONNECTION_REFUSED
>
> This indicates that you have blocked ldap with a firewall, or Samba
> isn't (fully) running.  Perhaps the LDAP server shut itself down due
> to
> having the wrong permissions on the key files?  
>
> Check the logs.
>

That was it, the permission on the key was too wide.

Thank you.
-Mike

