When I try to use ldapsearch it errors out with "Invalid credentials":

# ldapsearch -x -W -D 'cn=administrator,dc=smallcatbrain,dc=com' -b 'dc=smallcatbrain,dc=com' -Z -LLL
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

-------

I am able to authenticate with kinit:

# kinit administrator

-------

I also tried to authenticate with Apache Directory Studio.

Error while opening connection
 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
java.lang.Exception: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
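The two clients above report the same server-side diagnostic string; what matters for troubleshooting is the hex "data" sub-code (here 52e) that Active Directory and Samba AD append after the generic LDAP result 49. The following parser is an added example from the editor, not code from the thread or from Samba; the sample strings are constructed from the text of this post, and the sub-code table is the documented set of AcceptSecurityContext sub-codes. Note that 52e covers both a wrong password and a bind DN that does not name an existing account, so a DN that authenticates for kinit (a UPN) is not proof that the same name works as a simple-bind DN.

```python
import re
from typing import NamedTuple, Optional

# Constructed samples, copied from the two error messages in this post.
SAMPLE_LDAPSEARCH = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1"
)
SAMPLE_STUDIO = (
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1]"
)

# Documented AD "data" sub-codes attached to LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or the bind DN/UPN does not "
           "name an existing account (AD reports 52e rather than 525 for simple binds)",
    "530": "logon not permitted at this time (logon-hours policy)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

class BindDiagnostic(NamedTuple):
    result_code: Optional[int]   # LDAP result code, e.g. 49
    win32_error: Optional[str]   # leading HRESULT-style value, e.g. 80090308
    dsid: Optional[str]          # DSID from the server build, e.g. 0C0903A9
    comment: Optional[str]       # e.g. "AcceptSecurityContext error"
    data: Optional[str]          # hex sub-code, e.g. "52e"
    meaning: str                 # human-readable explanation of `data`

# "80090308: LdapErr: DSID-0C0903A9, comment: <text>, data 52e, v1db1"
_DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)
# ldapsearch prints "(49)"; Apache Directory Studio prints "error code 49".
_CODE_RE = re.compile(r"(?:\((?P<c1>\d+)\)|error code (?P<c2>\d+))")

def parse_bind_diagnostic(text: str) -> BindDiagnostic:
    """Extract the LDAP result code and the AD sub-code from a client error message."""
    code_m = _CODE_RE.search(text)
    result_code = None
    if code_m:
        result_code = int(code_m.group("c1") or code_m.group("c2"))

    diag_m = _DIAG_RE.search(text)
    if not diag_m:
        # Not an AD-style diagnostic (or not a bind failure at all).
        return BindDiagnostic(result_code, None, None, None, None,
                              "no AcceptSecurityContext diagnostic present")

    data = diag_m.group("data").lower()
    meaning = AD_BIND_SUBCODES.get(data, f"unknown AD sub-code 0x{data}")
    return BindDiagnostic(
        result_code,
        diag_m.group("win32").lower(),
        diag_m.group("dsid").upper(),
        diag_m.group("comment").strip(),
        data,
        meaning,
    )

def classify(text: str) -> str:
    """Coarse triage: is this a credential problem, an account/policy state, or something else?"""
    d = parse_bind_diagnostic(text)
    if d.data in ("525", "52e"):
        return "credential"          # fix the bind DN/UPN or the password
    if d.data in AD_BIND_SUBCODES:
        return "account-policy"      # account state or logon restriction on the DC
    return "other"

if __name__ == "__main__":
    for sample in (SAMPLE_LDAPSEARCH, SAMPLE_STUDIO):
        d = parse_bind_diagnostic(sample)
        print(f"result={d.result_code} data={d.data} [{classify(sample)}] -> {d.meaning}")
```

Run over a captured ldapsearch or Directory Studio error, the parser turns "data 52e" into the concrete question to check next (is the bind identity right, is the password right), instead of the generic "Invalid credentials" that both clients show.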
I now understand why Apache Studio does not log in to ldaps://

There is a parameter in smb4.conf -- tls verify peer =

It defaults to:

    tls verify peer = as_strict_as_possible

This will reject a wildcard certificate.

For testing I changed to:

    tls verify peer = no_check

Apache Studio will now connect with:

    dc1 port 636 ldaps://
    simple authentication | administrator | password

---

And Apache Directory Studio will connect with:

    dc1 port 389 use StartTLS
    simple authentication | administrator | password

---------------------------

I think there is some other problem lurking with ldap. I notice this command fails:

# samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='administrator@smallcatbrain.com'
Failed to connect to ldap URL 'ldaps://localhost' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://localhost' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/forest.py", line 108, in run
    credentials=creds, lp=lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
I think this is another problem with ldap. Unable to join a domain.

root@dc2:~ # samba-tool domain join smallcatbrain DC -k yes -U"SMALLCATBRAIN.COM\administrator" --option=' dns forwarder=192.168.2.1' --option='idmap_ldb:use rfc2307=yes' --option="vfs objects=zfsacl dfs_samba4 acl_xattr"
INFO 2021-01-04 17:20:07,613 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'smallcatbrain'
INFO 2021-01-04 17:20:07,647 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC dc1.smallcatbrain.com
Failed to connect to ldap URL 'ldap://dc1.smallcatbrain.com' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.smallcatbrain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)