NethServer Version: 7.9.2009
Module: nethserver-dc
Is it possible to deactivate the encryption of queries towards the dc for testing? And if so - how?
Yes, it’s possible:
I am not sure if I did it correctly. Created the folders, and added an smb.conf with the two +/- lines and finally executed the expand template. On the first try the nsdc did not come up. See:
But the host server was very busy at that time. Retried later and nsdc seems to be starting successfully.
https://dpaste.com/DAVDBATZ5
Now how can I check if encryption is effectively deactivated, and thus that I configured it correctly?
In the wiki there are ldapsearch commands for Samba; IIRC, using it without -Z disables encryption.
I have just tried the following from the console of NethServer:
ldapsearch -x -b "dc=domain,dc=tld" -H ldap(or ldaps - tried both)://ipadress -D "cn=Administrator,dc=domain,dc=tld" -W
Which asks for password and then prints out:
invalid credentials when using ldaps:// or stronger authentication required when typing -H ldap://
Thanks for the link, I’ll have a look and come back.
ldapsearch -Z -x -D CN=Administrator,CN=Users,DC=domain,DC=tld -w adminpassword -b CN=Users,DC=domain,DC=tld -h ipadress is working, but doing the same without -Z replies:
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
Does this mean that I was not successful in disabling auth?
What I am trying to accomplish is that Proxmox is able to query the users from the Neth AD domain.
The error message in Proxmox when doing a dry-run is:
stopped Bindsimple: Transport encryption required at /usr/share/perl5/PVE/LDAP.pm line 55.
Yes, it seems like auth is still enabled.
It should work like this:
You could try to edit the [global] section of /var/lib/machines/nsdc/etc/samba/smb.conf and add the following directive:
ldap server require strong auth = no
Then restart the nsdc Samba instance:
systemctl reload nsdc
Will do, in the meantime here is what I did: created a file at
/etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/smb.conf
with the following in it:
-echo “ldap server require strong auth = no” > 20notls
+echo “ldap server require strong auth = no” > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
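Review bot: both echo lines wrap the directive in typographic quotes (“ ”) instead of straight double quotes. A shell does not treat those as quoting characters, so they would be written into 20notls as part of the text and the line would no longer read as a plain `ldap server require strong auth = no` parameter. Use plain " characters around the directive in the + line.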
And then executed the expand and restart of nsdc, maybe that was wrong?
These two lines also appear now in the /var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls file.
Edit to add that adding the directive directly worked, but this will be overwritten on a possible update of nsdc, right?
Never mind - as I now was able to test and with the link you sent me for ldapsearch, it worked without auth.
After that I enabled the encryption again, as in Proxmox you can enable it but tell it to not verify the certificate, so the queries work now, thanks a lot.
No, it should work too but you don’t need the custom template.
It’s enough to edit /var/lib/machines/nsdc/etc/samba/smb.conf as it is not templated.
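One way to confirm what an smb.conf (or an include fragment) actually sets for `ldap server require strong auth` before testing with ldapsearch, as an added example that is not part of the thread or of NethServer. The function names and both sample texts are constructed here, and treating False/0 as spellings of no is an assumption.

```python
import re

DIRECTIVE = "ldap server require strong auth"
DEFAULT = "yes"  # Samba's value when the directive is absent
# Constructed sample: directive placed correctly in [global].
GOOD = """[global]
    netbios name = NSDC
    LDAP Server Require Strong Auth = no
[sysvol]
    path = /var/lib/samba/sysvol
"""
# Constructed sample: include fragment holding the two +/- echo lines from the thread.
BROKEN = """-echo “ldap server require strong auth = no” > 20notls
+echo “ldap server require strong auth = no” > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
"""

def _norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def audit_global(conf_text, start_section=None):
    """Return (effective value, suspicious lines) for the [global] section.

    start_section="global" is for fragments included from inside [global].
    """
    section, value, suspicious = start_section, DEFAULT, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        # Shell commands, diff markers and typographic quotes are not parameters.
        if not sep or re.match(r"[-+]?\s*echo\b", line) or re.search("[“”]", line):
            suspicious.append((lineno, raw))
        elif section == "global" and _norm(key) == _norm(DIRECTIVE):
            value = val.strip().lower()
    return value, suspicious

def plain_simple_bind_allowed(value):
    # Only "no" lets a simple bind proceed without TLS; False/0 are assumed aliases.
    return value in {"no", "false", "0"}

if __name__ == "__main__":
    for name, text, start in (("GOOD", GOOD, None), ("BROKEN", BROKEN, "global")):
        value, odd = audit_global(text, start)
        print(name, value, plain_simple_bind_allowed(value), [n for n, _ in odd])
```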