Hi Team,

I have modified my /etc/ldap/ldap.conf
cat /etc/ldap/ldap.conf

#TLS_REQCERT     HARD
TLS_REQCERT     ALLOW
TLS_CACERT      /etc/ssl/certs/msadmaster.pem

After the above changes, net ads is successful with SSL/TLS.
I have verified at the Windows AD DC end, with the help of Wireshark, that TLS
is being used for communication.
Though I am not sure what the impact of changing TLS_REQCERT from HARD to ALLOW
is if certificates are being used.

Now I have configured Ubuntu as AD DC and tried to join another Ubuntu
machine as a member server, but I am getting the error below.

[LDAP] res_errno: 8, res_error: <SASL:[GSS-SPNEGO]: Sign or Seal are 
required.>, res_matched: <>
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Strong(er) 
authentication required

Ubuntu AD DC smb.conf:

[global]
        workgroup = TECHMINT
        realm = TECHMINT.LAN
        netbios name = ADC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash

[netlogon]
        path = /var/lib/samba/sysvol/techmint.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf for the ADS member server:

[global]
       security = ADS
       workgroup = TECHMINT
       realm = TECHMINT.LAN

       log file = /var/opt/samba/%m.log
       log level = 1

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # - Adding just this is not enough
       # - You must set a DOMAIN backend configuration, see below
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       username map = /etc/opt/samba/user.map
#       ldap ssl = start tls
#       ldap ssl ads = yes
       ldap debug level = 1
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no

https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS
  instruction

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
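As an added example (not from the bug report, Samba or OpenLDAP), a small Python audit of the ldap.conf fragment quoted above that spells out why TLS_REQCERT ALLOW is weaker than HARD: with ALLOW the client keeps the StartTLS session even when the server certificate fails verification against TLS_CACERT, so the CA file no longer proves the client is talking to the real DC. The function names and the embedded sample file are constructed for this example.

```python
"""Audit an OpenLDAP client config (ldap.conf) for TLS settings that tolerate
an unverified server certificate.  TLS_REQCERT per ldap.conf(5):
never = do not request a cert; allow = request it but proceed if missing or
failing verification; try = proceed only if missing; demand/hard = abort
unless it verifies (the default).  Only demand/hard enforces TLS_CACERT."""
import os

# Constructed copy of the ldap.conf fragment from the report above.
SAMPLE_LDAP_CONF = """\
#TLS_REQCERT     HARD
TLS_REQCERT     ALLOW
TLS_CACERT      /etc/ssl/certs/msadmaster.pem
"""
# Risk of each TLS_REQCERT value for a client that authenticates against AD.
SEVERITY = {"never": "high", "allow": "high", "try": "medium",
            "demand": "ok", "hard": "ok"}


def parse_ldap_conf(text):
    """Return effective directives as {NAME: value}.  '#' lines are comments
    and a later directive overrides an earlier one, so the commented-out
    HARD line in the sample has no effect."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def audit(text, path_exists=os.path.exists):
    """Return (effective TLS_REQCERT, findings).  path_exists is injectable
    so the check runs without the real CA file on disk."""
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # man-page default
    findings = []
    if SEVERITY.get(reqcert, "unknown") != "ok":
        findings.append(f"TLS_REQCERT={reqcert}: verification failures are "
                        "tolerated, so TLS_CACERT does not authenticate the DC")
    cacert = conf.get("TLS_CACERT")
    if cacert is None:
        findings.append("TLS_CACERT not set: no trust anchor for verification")
    elif not path_exists(cacert):
        findings.append(f"TLS_CACERT {cacert} missing: with demand/hard every "
                        "StartTLS bind would fail verification")
    return reqcert, findings
```

Running `audit(SAMPLE_LDAP_CONF)` on the fragment above reports the ALLOW setting as a finding even though a CA file is configured.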