> -----Original Message-----
> From: Marc Kaplan
> Sent: Thursday, October 23, 2003 10:49 AM
> To: samba-technical@lists.samba.org
> Subject: net ads join fails when the Win2k3 LDAP server signing
> requirements policy is set to require signing
>
>
> List:
>
> This may already be known, but when I set the Win2k3 policy:
> "Domain Controller: LDAP server signing requirements" to
> "Require Signing", net ads join fails. Does anybody know
> about this problem? I cannot find an entry in bugzilla for
> it, and I will add one once I get confirmation that this
> isn't a duplicate bug.
>
> Here is the important snippet of the log at debug level 10
> (full log is attached):
> [2003/10/23 01:44:59, 5] libads/ldap.c:ads_try_connect(56)
> ads_try_connect: trying ldap server '10.33.0.41' port 389
> [2003/10/23 01:44:59, 3] libads/ldap.c:ads_connect(218)
> Connected to LDAP server 10.33.0.41
> [2003/10/23 01:44:59, 3] libads/ldap.c:ads_server_info(1887)
> got ldap server name jupiterdc@JUPITER.SOL.SOLARSYSTEM,
> using bind path: dc=JUPITER,dc=SOL,dc=SOLARSYSTEM
> [2003/10/23 01:44:59, 4] libads/ldap.c:ads_server_info(1895)
> time offset is 74 seconds
> [2003/10/23 01:44:59, 4] libads/sasl.c:ads_sasl_bind(416)
> Found SASL mechanism GSS-SPNEGO
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
> got OID=1 2 840 48018 1 2 2
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
> got OID=1 2 840 113554 1 2 2
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
> got OID=1 2 840 113554 1 2 2 3
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
> got OID=1 3 6 1 4 1 311 2 2 10
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> got principal=jupiterdc$@JUPITER.SOL.SOLARSYSTEM
> [2003/10/23 01:44:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(268)
> krb5_cc_get_principal failed (No credentials cache found)
> [2003/10/23 01:44:59, 4] libsmb/clikrb5.c:ads_krb5_mk_req(284)
> Advancing clock by 74 seconds to cope with clock skew
> [2003/10/23 01:44:59, 10]
> libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> Got KRB5 session key of length 16
> [2003/10/23 01:44:59, 1] utils/net_ads.c:ads_startup(181)
> ads_connect: Strong authentication required
> [2003/10/23 01:44:59, 2] utils/net.c:main(706)
> return code = -1
>
> Also, here's the info I've been able to find on this:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/638.asp

Thanks,
-Marc
Created attachment 814
Patch to enable TLS support in libads

I've attached a patch that enables TLS in the libads code. The "Require Signing" setting allows for SSL/TLS instead of signing. There needs to be a certificate installed on the domain controller for TLS to work, but that's better than signing anyway. You also need the CA certificate to verify the server cert; adding "TLS_CACERT /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the CA cert and saving it in testca.cer) got that working. I've only tested this on Fedora Core 2 with a DC that has "Require Signing" set and has a certificate installed, but setting "ldap ssl = off" should disable it.
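As an added example (not part of the bug report, the attached patch or Samba's own code), the following Python script triages a Samba debug log like the one quoted in the report: it splits the `[timestamp, level] file:func(line)` header lines from their message lines, maps the SPNEGO mechanism OIDs that `ads_sasl_spnego_bind` prints to their names, and flags the `Strong authentication required` bind result (the LDAP `strongerAuthRequired` result code, 8) that the "Require Signing" policy produces, pointing at the TLS configuration described in the attachment comment. The sample log, the `OID_NAMES` table and the function names are constructed for this example.

```python
import re

# Constructed sample: the key entries of the debug-level-10 log quoted in the
# bug report, one header line followed by its message line per entry.
SAMPLE_LOG = """\
[2003/10/23 01:44:59, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '10.33.0.41' port 389
[2003/10/23 01:44:59, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 10.33.0.41
[2003/10/23 01:44:59, 4] libads/sasl.c:ads_sasl_bind(416)
  Found SASL mechanism GSS-SPNEGO
[2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 48018 1 2 2
[2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2
[2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2 3
[2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=jupiterdc$@JUPITER.SOL.SOLARSYSTEM
[2003/10/23 01:44:59, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Strong authentication required
[2003/10/23 01:44:59, 2] utils/net.c:main(706)
  return code = -1
"""

# Samba header line: "[YYYY/MM/DD HH:MM:SS, <level>] <file>:<function>(<line>)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# SPNEGO mechanism OIDs in the space-separated form Samba prints them.
OID_NAMES = {
    "1 2 840 48018 1 2 2": "MS KRB5",
    "1 2 840 113554 1 2 2": "Kerberos V5",
    "1 2 840 113554 1 2 2 3": "Kerberos V5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}

# Text Samba prints for the LDAP strongerAuthRequired result (code 8),
# returned by a DC whose "LDAP server signing requirements" is "Require Signing".
STRONG_AUTH_TEXT = "Strong authentication required"


def parse_samba_log(text):
    """Return a list of {level, file, func, message} entries from Samba debug output."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"level": int(m.group("level")), "file": m.group("file"),
                       "func": m.group("func"), "message": ""}
            entries.append(current)
        elif current is not None:
            # A message may wrap over several physical lines; join them.
            current["message"] = (current["message"] + " " + line).strip()
    return entries


def diagnose(entries):
    """Summarise the bind attempt and say whether the DC demanded stronger auth."""
    report = {"server": None, "mechanisms": [], "principal": None,
              "requires_stronger_auth": False, "advice": None}
    for e in entries:
        msg = e["message"]
        m = re.search(r"Connected to LDAP server (\S+)", msg)
        if m:
            report["server"] = m.group(1)
        m = re.search(r"got OID=(.+)$", msg)
        if m:
            oid = m.group(1).strip()
            report["mechanisms"].append(OID_NAMES.get(oid, oid))
        m = re.search(r"got principal=(\S+)", msg)
        if m:
            report["principal"] = m.group(1)
        if STRONG_AUTH_TEXT in msg:
            report["requires_stronger_auth"] = True
    if report["requires_stronger_auth"]:
        report["advice"] = (
            "DC rejected the bind with strongerAuthRequired (LDAP result 8): it "
            "requires LDAP signing or TLS. Use a libads build with TLS support, "
            "install a certificate on the DC, point TLS_CACERT in ldap.conf at the "
            "CA certificate, and do not set 'ldap ssl = off'."
        )
    return report


if __name__ == "__main__":
    for key, value in diagnose(parse_samba_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real `net ads join -d 10` capture by replacing `SAMPLE_LOG` with the file contents; a log that never reaches `Strong authentication required` yields `requires_stronger_auth: False`, which separates this policy failure from the unrelated clock-skew and credential-cache messages that also appear in the report.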
Guenther has checked in a similar fix in the 3.0.21 series.
*** Bug 3316 has been marked as a duplicate of this bug. ***
*** Bug 3544 has been marked as a duplicate of this bug. ***