I have 2 Ubuntu Linux 14.04 servers with Samba4 on them. One is the AD master, the other is the AD backup.
Before the Samba 3.8.4 update, my Postfix+Dovecot servers were able to do user lookups and authentication lookups. Now they cannot.
Postfix says:
warning: dict_ldap_connect: Unable to bind to server [redacted] (Strong(er) authentication required)
Dovecot says:
auth: Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
TLS is enabled on the Dovecot configuration. It seems to be an issue with the self-signed certificate in the Samba AD setup.
ldapsearch ... -Z gives:
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_result: Can't contact LDAP server (-1)
openssl s_client -connect [ip and port of AD server] -showcerts actually hands me the cert as expected:
...
Server certificate
subject=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC-01.[redacted]
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC-01.[redacted]
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC-01.[redacted]
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=DC-01.[redacted]
....
Verify return code: 18 (self signed certificate)
....
Looking at https://access.redhat.com/articles/2243351 I tried:
tls verify peer = no_check
ldap server require strong auth = no
This successfully allows plain-text LDAP lookups on port 389. (edit from previous)
Ubuntu 14.04 cert parts are in: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_%28LDAPS%29_on_a_Samba_AD_DC
I've tried importing the CA .pem file from the DC to the mail server, but it doesn't seem to correct Dovecot's or Postfix's TLS LDAP connection problems.
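The two failures above are distinct LDAP results: Postfix's "Strong(er) authentication required" is resultCode 8 (strongAuthRequired) in a BindResponse, while Dovecot and ldapsearch -Z fail one step earlier, when the StartTLS extended operation's TLS handshake cannot validate the DC's self-signed certificate. The script below is an added example (not from the question or from Samba, Postfix or Dovecot) that reproduces what ldapsearch -Z does with only the Python standard library: it sends the StartTLS ExtendedRequest over port 389, decodes the resultCode from the reply, then wraps the socket with full chain and hostname verification against a CA file. The host, port and CA path are assumptions passed on the command line; the test feeds constructed BER messages to the pure functions.

```python
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def build_starttls_request(msg_id=1):
    """Encode LDAPMessage{messageID, ExtendedRequest[APPLICATION 23]{requestName[0]}}."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] LDAPOID
    ext = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23] constructed
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE


def _read_len(buf, i):
    """Decode a BER length (short or long form) starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_result_code(msg):
    """Return the resultCode of any LDAP response (BindResponse 0x61, ExtendedResponse 0x78, ...)."""
    if msg[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    _, i = _read_len(msg, 1)
    if msg[i] != 0x02:
        raise ValueError("missing messageID")
    n, i = _read_len(msg, i + 1)
    i += n                                  # skip messageID value
    _, i = _read_len(msg, i + 1)            # skip protocolOp tag and length
    if msg[i] != 0x0A:                      # LDAPResult starts with ENUMERATED resultCode
        raise ValueError("resultCode not ENUMERATED")
    n, i = _read_len(msg, i + 1)
    return int.from_bytes(msg[i:i + n], "big")


def starttls_probe(host, port=389, cafile=None, timeout=5):
    """StartTLS against host:port, verifying the DC certificate chain and hostname like ldapsearch -Z."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # raises CERTIFICATE_VERIFY_FAILED if CA/CN mismatch
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":  # usage: starttls_probe.py DC-HOST [CA.pem]  (hypothetical arguments)
    print(starttls_probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with the DC's exported CA .pem as the second argument; if it still raises a certificate error, compare the CN in the reported subject with the host name you connect by, since the autogenerated Samba certificate is only valid for its own CN.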