Bug 765 - [patch] net ads join fails when the Win2k3 LDAP server signing requirements policy is set to require signing
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Build environment
3.0.11
Other All
: P2 normal
: none
Assigned To: Gerald (Jerry) Carter
Reported: 2003-11-12 11:27 UTC by Marc Kaplan
Modified: 2006-03-01 21:02 UTC (History)

Attachments
Patch to enable TLS support in libads (994 bytes, patch)
2004-12-01 12:01 UTC, Jeremy Naylor

Description Marc Kaplan 2003-11-12 11:27:14 UTC
> -----Original Message-----
> From: Marc Kaplan 
> Sent: Thursday, October 23, 2003 10:49 AM
> To: samba-technical@lists.samba.org
> Subject: net ads join fails when the Win2k3 LDAP server signing
> requirements policy is set to require signing
> 
> 
> List:
> 
> This may already be known, but when I set the Win2k3 policy:
> "Domain Controller: LDAP server signing requirements" to 
> "Require Signing", net ads join fails. Does anybody know 
> about this problem? I cannot find an entry in bugzilla for 
> it, and I will add one once I get confirmation that this 
> isn't a duplicate bug.
> 
> Here is the important snippet of the log at debug level 10 
> (full log is attached):
> [2003/10/23 01:44:59, 5] libads/ldap.c:ads_try_connect(56)
>   ads_try_connect: trying ldap server '10.33.0.41' port 389
> [2003/10/23 01:44:59, 3] libads/ldap.c:ads_connect(218)
>   Connected to LDAP server 10.33.0.41
> [2003/10/23 01:44:59, 3] libads/ldap.c:ads_server_info(1887)
>   got ldap server name jupiterdc@JUPITER.SOL.SOLARSYSTEM, using bind path: dc=JUPITER,dc=SOL,dc=SOLARSYSTEM
> [2003/10/23 01:44:59, 4] libads/ldap.c:ads_server_info(1895)
>   time offset is 74 seconds
> [2003/10/23 01:44:59, 4] libads/sasl.c:ads_sasl_bind(416)
>   Found SASL mechanism GSS-SPNEGO
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
>   got OID=1 2 840 48018 1 2 2
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
>   got OID=1 2 840 113554 1 2 2
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
>   got OID=1 2 840 113554 1 2 2 3
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2003/10/23 01:44:59, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
>   got principal=jupiterdc$@JUPITER.SOL.SOLARSYSTEM
> [2003/10/23 01:44:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(268)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2003/10/23 01:44:59, 4] libsmb/clikrb5.c:ads_krb5_mk_req(284)
>   Advancing clock by 74 seconds to cope with clock skew
> [2003/10/23 01:44:59, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
>   Got KRB5 session key of length 16
> [2003/10/23 01:44:59, 1] utils/net_ads.c:ads_startup(181)
>   ads_connect: Strong authentication required
> [2003/10/23 01:44:59, 2] utils/net.c:main(706)
>   return code = -1
> 
> Also, here's the info I've been able to find on this: 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/638.asp

Thanks,
			-Marc
Comment 1 Jeremy Naylor 2004-12-01 12:01:28 UTC
Created attachment 814
Patch to enable TLS support in libads

I've attached a patch that enables TLS in the libads code.  The
"Require Signing" setting allows for SSL/TLS instead of signing.
There needs to be a certificate installed on the domain controller for
TLS to work, but that's better than signing anyway.  You also need the
CA certificate to verify the server cert, adding "TLS_CACERT
/etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
CA cert and saving it in testca.cer) got that working.

I've only tested this on Fedora Core 2 with a DC that has "Require
Signing" set and has a certificate installed, but setting "ldap ssl =
off" should disable it.
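
A pre-flight check for the client-side setup Comment 1 describes, as an added example that is not part of the original comment or the attached patch: it confirms that `ldap.conf` names a CA file, that the file is PEM rather than a DER-encoded `.cer` export, and that OpenLDAP's `TLS_REQCERT` option has not been set to skip verification. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the attached patch).
# Usage after sourcing this file: check_ldap_tls /etc/openldap/ldap.conf

# Print the value of the last uncommented occurrence of option $2 in file $1.
# Option names in ldap.conf are case-insensitive.
ldap_conf_get() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(opt) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Exit status: 0 = CA file set, present, PEM, and verification not relaxed
#              1 = TLS_CACERT not set (TLS_CACERTDIR is not considered here)
#              2 = CA file missing or not PEM (e.g. a DER-encoded .cer export)
#              3 = TLS_REQCERT is "never" or "allow"
#              4 = config file unreadable
check_ldap_tls() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 4; }
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    if [ -z "$cacert" ]; then
        echo "TLS_CACERT is not set in $conf" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert" 2>/dev/null; then
        echo "$cacert is missing or is not a PEM certificate" >&2
        return 2
    fi
    case $reqcert in
        never|allow)
            echo "TLS_REQCERT $reqcert: a bad server certificate is accepted" >&2
            return 3 ;;
    esac
    echo "ok: server certificates are verified against $cacert"
}
```

The PEM test only looks for the certificate header line; it does not validate the certificate chain or its expiry.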
Comment 2 Gerald (Jerry) Carter 2006-02-23 10:10:41 UTC
Guenther has checked in a similar fix in the 3.0.21 series.
Comment 3 Jim McDonough 2006-03-01 20:59:59 UTC
*** Bug 3316 has been marked as a duplicate of this bug. ***
Comment 4 Jim McDonough 2006-03-01 21:02:19 UTC
*** Bug 3544 has been marked as a duplicate of this bug. ***