Operating System - HP-UX

LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

Hi,

I have an AD directory domain, and I've been told that with the technology preview of CIFS it is possible to make an HP-UX system a 'member server'. To do this, I need to use 'Encrypted passwords' in the smb.conf file.

I have installed Kerberos and LDAP so that the AD domain can be queried.

I get the following error in the log files: Secure connection not supported by LDAP client libraries.

Anyone know an answer to this?
Lee Hundley
Valued Contributor

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

Looks like it's trying to establish an SSL/TLS connection to the AD server; see if this can be disabled and go from there. Furthermore, which LDAP server are you using? Are you positive it supports TLS/SSL? You may need to recompile it against your local OpenSSL libraries or turn on some options via './configure' while building.
It is my firm belief that it is a mistake to hold any firm beliefs

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

The LDAP server we are using is part of the AD server (W2003), so there might be some issues with the ./configure command ;-)

It should be fairly simple. Maybe I am missing something obvious? Maybe it's not even possible the way HP says?

Robert Campbell
Lee Hundley
Valued Contributor

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

Right... what was I thinking. Well, what that error means is that your LDAP client wasn't built against any SSL libraries at all. Looks like you'd need access to source code or a good patch from HP to make this work. You may want to look into the 3.x series of Samba; it supports AD connections quite well.
It is my firm belief that it is a mistake to hold any firm beliefs

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

The problem is we want to use this in a production system, so we'd like to go with something that is recognised by HP, so at least we get some support.

The technology preview should allow you to use 2.2.8b in an AD environment, with Kerberos as the LDAP secure negotiator, but it just does not seem to work.

You're saying that LDAP uses SSL rather than Kerberos? That would mean LDAP is missing several libraries for the SSL part of it.

I'll try installing the HP 'certified' version of the SSH server/client (which includes the SSL libraries).

I'll report back on my findings ;-)

Robert
Lee Hundley
Valued Contributor

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

2.2.8 has limited AD support: you can't authenticate via AD, or access shares on the AD server itself, in my experience. It does support authentication via an LDAP backend using Unix-style (RFC 2037) entries plus Samba's own LDAP schema; I've implemented this in the past using OpenLDAP 2.2.x. HP may have backported some of the 3.x code to their own release, so this may still be possible.

LDAP can be configured to use Kerberos or SSL, or probably both if you really wanted, but it appears as though your LDAP client is attempting to establish an SSL connection. I can post my 2.2.8 (non-AD LDAP) and my 3.x (LDAP in a Win2k3 AD environment) smb.conf files if that would help you out any.
It is my firm belief that it is a mistake to hold any firm beliefs

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

Lee,

the idea was to use an AD server just to authenticate the clients' access to the shares on an HP-UX server.

As far as I understand it, the smb.conf settings of importance are the setting for the authentication model (DOMAIN as opposed to USER or SHARE) and the encrypted password setting (which is where mine goes wrong). But you are saying that it all works with OpenLDAP? Is this because it is compiled with the SSL/Kerberos libraries built in?

I'd prefer not to compile things, as I have found it does not always work without a headache. Is there a series of packages to install to solve the encrypted authentication problem?

Thanks for the tips so far, I thought it might be in that area, but it's good to see my 'theories' confirmed! Thanks very much indeed!

Rob
Lee Hundley
Valued Contributor
Solution

Re: LDAP/CIFS/Kerberos? Problems with AD and LDAP encryption.

OK, you're 100% right on the auth model. To auth against a true AD server, you must have Samba 3, as it's the only version that supports the DOMAIN auth model. If you just wanted a generic LDAP backend auth for centralization, you can use USER auth in Samba 2.2, then specify an LDAP server which holds the accounts.

I suppose it would be possible to use an AD backend in Samba 2.2, but you would have to feed AD's LDAP server the Samba schema. Either way, Samba must be built against OpenLDAP, OpenSSL, and Kerberos. Most of this support must be enabled at compile time.

Unless HP or someone has a Samba 3.x binary that's compiled with all the options you need turned on, you may be stuck with compiling your own.
It is my firm belief that it is a mistake to hold any firm beliefs