winbindd: Switching to LDAPS

Support for security such as Firewalls and securing linux
Post Reply
dreael
Posts: 3
Joined: 2018/08/14 16:24:36

winbindd: Switching to LDAPS

Post by dreael » 2020/03/17 17:36:17

Hello CentOS users

Currently I am using a Samba installation which is domain member in a regular ActiveDirectory (all domain controllers are Microsoft servers). Configuration has been done with authconfig-tui which generated the needed section insinde the /etc/samba/smb.conf file.

Questions:

1.) When I check the TLS certificate using a

Code: Select all

openssl s_client -connect dc01.intra.example.com:636
I get a message

Code: Select all

verify error:num=20:unable to get local issuer certificate
which means that I have to add a root certificat first. How to do this?

2.) According to Google / man pages it looks like that a

Code: Select all

idmap config * : ldap_url = ldaps://dc01.intra.example.com:636/
line in /etc/samba/smb.conf should do the job. But the issue is: How to ensure that winbindd will use dc02.intra.example.com in case when dc01 is temporarily down?

Currently there is no idmap config * : ldap_url line and the man page tells me that ldap://localhost/ is the default value.

Since winbindd correctly connects to the real domain controller and not to itself (localhost), I ask me if

Code: Select all

idmap config * : ldap_url = ldaps://localhost:636/
or

Code: Select all

idmap config * : ldap_url = ldaps://localhost/
would be the right way for that.

Thanks for any answer for this topic.

hunter86_bg
Posts: 2018
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: winbindd: Switching to LDAPS

Post by hunter86_bg » 2020/04/14 20:37:28

Have you tried to put your CA certs in: /etc/pki/ca-trust/source/anchors/ and then use the update-ca-trust ?

An examlle can be found here

Post Reply

Return to “CentOS 7 - Security Support”