Re: How to add windows workstation in Wheezy?

To: debian-edu@lists.debian.org
Subject: Re: How to add windows workstation in Wheezy?
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue, 06 Aug 2013 12:19:42 +0200
Message-id: <[🔎] 20130806121942.905949xzwg2furi6@mail.das-netzwerkteam.de>
In-reply-to: <[🔎] 20130806054618.GI29141@ulrik.uio.no>
References: <[🔎] E1V6SdH-0001SV-PR@microbel.pvv.ntnu.no> <[🔎] 20130806054618.GI29141@ulrik.uio.no>

Hi Petter, hi all,

On Di 06 Aug 2013 07:46:18 CEST Petter Reinholdtsen wrote:

[Arne Sørli]

Yes. I got further, but the log now complains about SSL certificate
and I still get the error message "The user name could not be found"
on the XP PC when trying to join the domain. Log entry:

[2013/08/05 23:11:10.615249,  0]
rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client STATIC21
Use of qw(...) as parentheses is deprecated at
/usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 558.
Could not start_tls: SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed at /usr/share/perl5/smbldap_tools.pm line 365.


Hm, I guess this mean that the script somehow isn't using the
/etc/ldap/ssl/ldap-server-pubkey.pem certificate to verify the SSL
connection, or it do not try to connect to ldap.intern but some other
name like localhost.  Mike, do you know more about this setup?

On my wheezy test rig, the issue resolves with this patch onsmbldap-tools/smbldap.conf:


"""
--- etc/smbldap-tools/smbldap.conf      (Revision 81944)
+++ etc/smbldap-tools/smbldap.conf      (Arbeitskopie)
@@ -68,21 +68,20 @@
 # Slave LDAP server
 # Ex: slaveLDAP=127.0.0.1
 # If not defined, parameter is set to "127.0.0.1"
-#slaveLDAP="ldap.intern"
+slaveLDAP="ldap.intern"

 # Slave LDAP port
 # If not defined, parameter is set to "389"
-#slavePort="389"
+slavePort="389"

 # Master LDAP server: needed for write operations
 # Ex: masterLDAP=127.0.0.1
 # If not defined, parameter is set to "127.0.0.1"
-#masterLDAP="ldap.intern"
+masterLDAP="ldap.intern"

 # Master LDAP port
 # If not defined, parameter is set to "389"
-#masterPort="389"
-#masterPort="389"
+masterPort="389"

 # Use TLS for LDAP
 # If set to 1, this option will use start_tls for connection
"""

It seems that Net::LDAP's start_tls got more picky on TLS. By lookingat smbldap-tools from squeeze, we used localhost for connecting(hard-coded default in smbldap_tools.pm package), so far. (I alwaysthought that smbldap_tools.pm scans smb.conf for the hostname and portto connect to, but it does not; it scans for several other options,but not for the LDAP uri or something like this).

So, setting the masterLDAP (and slaveLDAP) and the *Port parameters insmbldap.conf fixes the TLS/SSL failure on connect.


Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: pgpyqRYTcoFmI.pgp
Description: Digitale PGP-Unterschrift

Reply to:

References:
- Re: How to add windows workstation in Wheezy?
  - From: Arne Sørli <arneso@pvv.ntnu.no>
- Re: How to add windows workstation in Wheezy?
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: Re: Bug#718858: Add NETDOWN=no to /etc/default/halt on DLWs / TCs
Next by Date: Bug#718865: Update and minimize /etc/samba/smbldap-machineadd-gosa
Previous by thread: Re: How to add windows workstation in Wheezy?
Next by thread: Re: How to add windows workstation in Wheezy?
Index(es):
- Date
- Thread