[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to add windows workstation in Wheezy?



Hi Petter, hi all,

On Di 06 Aug 2013 07:46:18 CEST Petter Reinholdtsen wrote:

[Arne Sørli]
Yes. I got further, but the log now complains about SSL certificate
and I still get the error message "The user name could not be found"
on the XP PC when trying to join the domain. Log entry:

[2013/08/05 23:11:10.615249,  0]
rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client STATIC21
Use of qw(...) as parentheses is deprecated at
/usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 558.
Could not start_tls: SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed at /usr/share/perl5/smbldap_tools.pm line 365.

Hm, I guess this mean that the script somehow isn't using the
/etc/ldap/ssl/ldap-server-pubkey.pem certificate to verify the SSL
connection, or it do not try to connect to ldap.intern but some other
name like localhost.  Mike, do you know more about this setup?

On my wheezy test rig, the issue resolves with this patch on smbldap-tools/smbldap.conf:

"""
--- etc/smbldap-tools/smbldap.conf      (Revision 81944)
+++ etc/smbldap-tools/smbldap.conf      (Arbeitskopie)
@@ -68,21 +68,20 @@
 # Slave LDAP server
 # Ex: slaveLDAP=127.0.0.1
 # If not defined, parameter is set to "127.0.0.1"
-#slaveLDAP="ldap.intern"
+slaveLDAP="ldap.intern"

 # Slave LDAP port
 # If not defined, parameter is set to "389"
-#slavePort="389"
+slavePort="389"

 # Master LDAP server: needed for write operations
 # Ex: masterLDAP=127.0.0.1
 # If not defined, parameter is set to "127.0.0.1"
-#masterLDAP="ldap.intern"
+masterLDAP="ldap.intern"

 # Master LDAP port
 # If not defined, parameter is set to "389"
-#masterPort="389"
-#masterPort="389"
+masterPort="389"

 # Use TLS for LDAP
 # If set to 1, this option will use start_tls for connection
"""

It seems that Net::LDAP's start_tls got more picky on TLS. By looking at smbldap-tools from squeeze, we used localhost for connecting (hard-coded default in smbldap_tools.pm package), so far. (I always thought that smbldap_tools.pm scans smb.conf for the hostname and port to connect to, but it does not; it scans for several other options, but not for the LDAP uri or something like this).

So, setting the masterLDAP (and slaveLDAP) and the *Port parameters in smbldap.conf fixes the TLS/SSL failure on connect.

Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: pgpvI6lYmr6T8.pgp
Description: Digitale PGP-Unterschrift


Reply to: