Disable encryption on ad queries

NethServer Version: 7.9.2009

Module: nethserver-dc

Is it possible to deactivate the encryption of queries towards the DC for testing? And if so, how? :sweat_smile:

Yes, it’s possible:

2 Likes

I am not sure if I did it correctly. Created the folders, and added an smb.conf with the two +/- lines and finally executed the expand template. On the first try the nsdc did not come up. See:

But the host server was very busy at that time. I retried later and nsdc seems to be starting successfully.
https://dpaste.com/DAVDBATZ5

Now how can I check whether encryption is effectively deactivated, and thus that I configured it correctly?

In the wiki there are ldapsearch commands for Samba, IIRC using it without -Z disables encryption.

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#list_all_entries_with_the_administrator_bind

2 Likes

I have just tried the following from the console of NethServer:

ldapsearch -x -b "dc=domain,dc=tld" -H ldap(or ldaps - tried both)://ipadress -D "cn=Administrator,dc=domain,dc=tld" -W

Which asks for a password and then prints out:
"invalid credentials" when using ldaps://, or "stronger authentication required" when using -H ldap://

Thanks for the link, I'll have a look and come back.

1 Like

ldapsearch -Z -x -D CN=Administrator,CN=Users,DC=domain,DC=tld -w adminpassword -b CN=Users,DC=domain,DC=tld -h ipadress is working, but doing the same without -Z replies:

ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

Does this mean that I was not successful in disabling auth?

What I am trying to accomplish is that Proxmox is able to query the users from the Neth AD domain.
The error message in Proxmox when doing a dry run is:
stopped Bindsimple: Transport encryption required at /usr/share/perl5/PVE/LDAP.pm line 55.

Yes, it seems like auth is still enabled.

It should work like this:

You could try to edit the [global] section of /var/lib/machines/nsdc/etc/samba/smb.conf and add the following directive:

ldap server require strong auth = no

Then restart the nsdc Samba instance:

systemctl reload nsdc
2 Likes
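As an added example (not from this thread or from NethServer), here is a small Python helper that parses the [global] section of an smb.conf, reports whether ldap server require strong auth is in effect (Samba's default is yes when the directive is absent) and rewrites the file to set it, so the relaxed setting can be confirmed before the ldapsearch test and reverted afterwards. The smb.conf text inside it is constructed, not the nsdc container's real file.

```python
import re
DIRECTIVE = "ldap server require strong auth"
SECTION_RE = re.compile(r"\[(.+)\]$")

# Constructed sample resembling an AD DC smb.conf, not the real nsdc file.
SAMPLE_SMB_CONF = """\
[global]
\tworkgroup = DOMAIN
\tserver role = active directory domain controller

[netlogon]
\tpath = /var/lib/samba/sysvol/domain.tld/scripts
"""

def parse_global(text):
    """[global] parameters as {name: value}; Samba names are case-insensitive."""
    section, values = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in ";#":
            key, _, val = line.partition("=")
            values[" ".join(key.lower().split())] = val.strip()
    return values

def strong_auth_required(text):
    """Effective setting; Samba's default is yes when the directive is absent."""
    val = parse_global(text).get(DIRECTIVE, "yes").lower()
    return val not in ("no", "false", "0")        # Samba's false spellings

def set_strong_auth(text, required):
    """Rewrite [global] so the directive equals required (replace or append)."""
    wanted = f"\t{DIRECTIVE} = {'yes' if required else 'no'}"
    out, section, done = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if m := SECTION_RE.match(s):
            if section == "global" and not done:  # leaving [global]: append
                out.append(wanted)
                done = True
            section = m.group(1).strip().lower()
        elif (section == "global" and not done and "=" in s and s[0] not in ";#"
              and " ".join(s.partition("=")[0].lower().split()) == DIRECTIVE):
            out.append(wanted)                    # replace the existing line
            done = True
            continue
        out.append(line)
    if not done:                                  # [global] last or missing
        out.append(wanted if section == "global" else f"[global]\n{wanted}")
    return "\n".join(out) + "\n"
```

On a live system the file is /var/lib/machines/nsdc/etc/samba/smb.conf and the change takes effect after systemctl reload nsdc, as described above.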

Will do, in the meantime here is what I did: created a file at
/etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/smb.conf

with the following in it:

-echo "ldap server require strong auth = no" > 20notls
+echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls

And then executed the expand and restart of nsdc, maybe that was wrong?

These two lines also appear now in the /var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls file.

Edit to add that adding the directive directly worked, but this will be overwritten on a possible update of nsdc, right?

Never mind - as I was now able to test, and with the link you sent me for ldapsearch, it worked without auth.

After that I enabled the encryption again, as in Proxmox you can enable it but tell it not to verify the certificate, so the queries work now, thanks a lot :slight_smile:

1 Like

No, it should work too but you don’t need the custom template.
It’s enough to edit /var/lib/machines/nsdc/etc/samba/smb.conf as it is not templated.

2 Likes