[Samba] Replication with a self-signed certificate
Mircea Husz via samba
2017-03-10 22:20:02 UTC
Hello,

I just configured a three-site DCs setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Now I can authenticate my apps over LDAPS against my DC, but broke
replication.

How do I need to configure replication to work with a self-signed cert?

Thanks,
-Mike
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett via samba
2017-03-11 00:50:02 UTC
Post by Mircea Husz via samba
Hello,
I just configured a three-site DCs setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Now I can authenticate my apps over LDAPS against my DC, but broke
replication.
How do I need to configure replication to work with a self-signed cert?
The two are not related - replication is not over LDAP or LDAPS, but
instead it is done with DRSUAPI over DCE/RPC.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Mircea Husz via samba
2017-03-11 21:00:01 UTC
Post by Andrew Bartlett via samba
Post by Mircea Husz via samba
Hello,
I just configured a three-site DCs setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Now I can authenticate my apps over LDAPS against my DC, but broke
replication.
How do I need to configure replication to work with a self-signed cert?
The two are not related - replication is not over LDAP or LDAPS, but
instead it is done with DRSUAPI over DCE/RPC.
I created a user and it got replicated, so replication works indeed.

I guess that only 'samba-tool drs showrepl' breaks:
Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED

Failed to connect to 'ldap://ch1-ad-v01.ad.corp.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): LDAP connection to ch1-ad-v01.ad.corp.com failed - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 50, in samdb_connect
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
    options=options)


Thanks,
-Mike
Andrew Bartlett via samba
2017-03-12 21:00:02 UTC
Post by Mircea Husz via samba
Post by Andrew Bartlett via samba
Post by Mircea Husz via samba
Hello,
I just configured a three-site DCs setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Now I can authenticate my apps over LDAPS against my DC, but broke
replication.
How do I need to configure replication to work with a self-signed cert?
The two are not related - replication is not over LDAP or LDAPS, but
instead it is done with DRSUAPI over DCE/RPC.
I created a user and it got replicated, so replication works indeed.
Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP
client internal error: NT_STATUS_CONNECTION_REFUSED
This indicates that you have blocked ldap with a firewall, or Samba
isn't (fully) running. Perhaps the LDAP server shut itself down due to
having the wrong permissions on the key files?

Check the logs.

Thanks,

Andrew Bartlett
Mircea Husz via samba
2017-03-13 13:30:02 UTC
Post by Andrew Bartlett via samba
Post by Mircea Husz via samba
Post by Andrew Bartlett via samba
Post by Mircea Husz via samba
Hello,
I just configured a three-site DCs setup with Samba 4.6.0, and
replication worked great.
But then I added a custom cert to one of the DCs to authenticate
various apps against it. I used this wiki https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Now I can authenticate my apps over LDAPS against my DC, but broke
replication.
How do I need to configure replication to work with a self-signed cert?
The two are not related - replication is not over LDAP or LDAPS, but
instead it is done with DRSUAPI over DCE/RPC.
I created a user and it got replicated, so replication works indeed.
Failed to connect to ldap URL 'ldap://ch1-ad-v01.ad.corp.com' - LDAP
client internal error: NT_STATUS_CONNECTION_REFUSED
This indicates that you have blocked ldap with a firewall, or Samba
isn't (fully) running. Perhaps the LDAP server shut itself down due to
having the wrong permissions on the key files?
Check the logs.
That was it, the permission on the key was too wide.

Thank you.
-Mike
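The root cause in this thread was a TLS key file whose permissions were too wide: Samba's LDAP listener stopped, `samba-tool drs showrepl` could not reach port 389, while DRS replication itself (DRSUAPI over DCE/RPC) kept working. The script below is an added example, not code from the thread or from the Samba project. It checks that the configured `tls keyfile` has no group/other permission bits and that the DC's LDAP (389) and LDAPS (636) ports accept TCP connections, so the two symptoms can be told apart before reading the logs. Assumptions: Samba installed under /usr/local/samba as in the traceback above, `testparm` on the PATH, the `tls keyfile` and `private dir` smb.conf parameters (real Samba parameters) resolved the way Samba does for relative paths, and the thread's DC hostname used as a placeholder that you override with `DC_HOST=`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or the Samba project): read-only health
# check for an AD DC whose LDAP service stopped because the TLS key file was
# readable by others. Assumptions: install under /usr/local/samba, testparm on
# PATH, and the thread's DC hostname as a placeholder.

DEFAULT_PRIVATE_DIR=/usr/local/samba/private   # assumption for this install
DC_HOST=${DC_HOST:-ch1-ad-v01.ad.corp.com}      # hostname from the thread; override via env

# key_perms_ok FILE: succeed only if FILE is a regular file with no group/other
# permission bits (0600, 0400, ...). Uses GNU stat, falls back to BSD stat.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%Lp' "$f" 2>/dev/null) || return 1
    # keep only the last three octal digits (drop a leading setuid/setgid/sticky digit)
    while [ "${#mode}" -gt 3 ]; do mode=${mode#?}; done
    # the group and other digits must both be zero
    [ "${mode#?}" = "00" ]
}

# resolve_keyfile: ask testparm for 'tls keyfile'. Samba treats a relative
# value as relative to 'private dir'; fall back to the default tls/key.pem.
resolve_keyfile() {
    kf=$(testparm -s --parameter-name='tls keyfile' 2>/dev/null) || kf=
    pd=$(testparm -s --parameter-name='private dir' 2>/dev/null) || pd=$DEFAULT_PRIVATE_DIR
    [ -n "$kf" ] || kf=tls/key.pem
    case $kf in
        /*) printf '%s\n' "$kf" ;;
        *)  printf '%s/%s\n' "${pd:-$DEFAULT_PRIVATE_DIR}" "$kf" ;;
    esac
}

# port_open HOST PORT: plain TCP connect test via bash's /dev/tcp, 3 s timeout.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

main() {
    rc=0
    keyfile=$(resolve_keyfile)
    if key_perms_ok "$keyfile"; then
        echo "OK   $keyfile is not readable by group/other"
    else
        echo "FAIL $keyfile is missing or readable by group/other (fix: chmod 600 and restart samba)"
        rc=1
    fi
    for port in 389 636; do
        if port_open "$DC_HOST" "$port"; then
            echo "OK   $DC_HOST:$port accepts connections"
        else
            echo "FAIL $DC_HOST:$port refused: check that samba is running and read its log for the TLS key error"
            rc=1
        fi
    done
    return "$rc"
}

main "$@"
```

Run it on the DC itself (`DC_HOST=localhost bash check_samba_tls.sh`); a non-zero exit means at least one check failed, which makes it usable from cron or a monitoring agent. A failing key check with the ports still open means the key was fixed after the fact but not yet reloaded; open ports with a failing key check is the state to correct before the next restart. Note that DRS replication is not covered by this check at all, matching Andrew's point that replication runs over DRSUAPI, not LDAP.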