Howto install NethServer as Samba AD domain controller v0.2


On the other hand, I have a concern about defining my AD with a public FQDN such as my.domain.com, and I would rather recommend something like my.domain.local, unless the IP of your AD is really exposed to the Internet. More so with Windows, but I had a lot of issues in the past with this kind of configuration.

@michelandre

This is probably a specific case (such as with ESX and ESXi) because with Proxmox I don’t have to do anything.

The best practice for the FQDN of your Active Directory is to use a subdomain of your external domain that is not used externally. Names ending in .local or .lan are not recommended (according to MS Technet).
Here is a clear explanation: https://www.varonis.com/blog/active-directory-domain-naming-best-practices/

Naming conventions for users and computers in AD: https://support.microsoft.com/en-gb/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and


For my instance I changed the bash script to:

#!/bin/bash
# Copy the Let's Encrypt key and certificate into the nsdc container's Samba TLS directory.
cp -f /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
cp -f /etc/letsencrypt/live/(your site here)/cert.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
# The private key must not be world-readable; the certificate may be.
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

If you want to force an overwrite you may need to use \cp instead of cp -f, like:

\cp /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem


I wanted to revisit and update this solution, as I began to have problems with my nsdc and a “peer cert untrusted or revoked” error, as well as give some guidance on troubleshooting.

First, the error: to get the error I had to run ldapsearch, with the -d 1 parameter, from the environment that was attempting to connect to the AD server.
ldapsearch -x -H ldaps://nsdc-HOST.DOMAIN.TLD:636 -b "dc=DOMAIN,dc=TLD" -D ldapservice@DOMAIN.TLD -w SECRETPASSWORD -v -d 1

Then, using these commandlets, which I stole from:
https://www.ibm.com/support/pages/how-test-ca-certificate-and-ldap-connection-over-ssltls

openssl s_client -showcerts -verify 5 -connect nsdc-HOST.DOMAIN.TLD:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="nsdc-cert"a".pem"; print >out}'
and
for cert in *.pem; do openssl verify -show_chain "$cert" ; done
I was able to see that the server that lost the ability to authenticate over LDAP wasn’t able to validate the NSDC certificate.

The solution for me was to change the source of cert.pem in the /etc/e-smith/events/certificate-update/nsdc-cert we built following this guide to match below:

#!/bin/bash
# Copy the Let's Encrypt key into the nsdc container's Samba TLS directory.
cp -f /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
# Use fullchain.pem (leaf plus intermediate) rather than cert.pem (leaf only),
# so LDAPS clients can build a trust path to the certificate.
cp -f /etc/letsencrypt/live/(your site here)/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

Then I stopped and started the NSDC service via the GUI. I hope this helps the next sentient being that is stuck. :slight_smile:

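The two handler scripts in this thread and the final "peer cert untrusted" diagnosis share one root cause: cert.pem carries only the leaf certificate, so LDAPS clients that do not already hold the intermediate cannot build a chain. The script below is an added example, not a script from the thread or from NethServer: it is a certificate-update handler that checks the chain file before copying it into the nsdc container. It assumes the paths used in the thread, keeps the "(your site here)" placeholder for the Let's Encrypt live directory, and makes the key/certificate match check optional so it also runs where openssl is not installed.

```shell
#!/bin/bash
# Added example (not the thread's own handler): install the Let's Encrypt key and
# full chain into the nsdc container only when the chain file is actually a chain.
# SRC_DIR/DST_DIR default to the paths used in the thread; "(your site here)" is
# the same placeholder the thread uses for the Let's Encrypt live directory.

SRC_DIR="${SRC_DIR:-/etc/letsencrypt/live/(your site here)}"
DST_DIR="${DST_DIR:-/var/lib/machines/nsdc/var/lib/samba/private/tls}"

# Number of CERTIFICATE blocks in a PEM file (0 if the file is missing or unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# LDAPS clients need the leaf plus at least one intermediate. Let's Encrypt's
# cert.pem has exactly one block; fullchain.pem has two or more.
chain_is_complete() {
    [ "$(count_pem_certs "$1")" -ge 2 ]
}

# Confirm the private key belongs to the first certificate in the chain by
# comparing public keys. Skipped (treated as passing) when openssl is absent.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy key and chain into place; refuse to touch the container on a bad input.
install_nsdc_tls() {
    local chain="$SRC_DIR/fullchain.pem" key="$SRC_DIR/privkey.pem"
    if ! chain_is_complete "$chain"; then
        echo "refusing: $chain holds $(count_pem_certs "$chain") certificate(s), need leaf + intermediate" >&2
        return 1
    fi
    if ! key_matches_cert "$chain" "$key"; then
        echo "refusing: $key does not match the certificate in $chain" >&2
        return 1
    fi
    # \cp bypasses a cp='cp -i' alias, the overwrite problem raised in the thread.
    \cp "$key" "$DST_DIR/key.pem" && \cp "$chain" "$DST_DIR/cert.pem" || return 1
    chmod 600 "$DST_DIR/key.pem"
    chmod 644 "$DST_DIR/cert.pem"
}

# When run directly (not sourced), perform the installation.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    install_nsdc_tls
fi
```

After installing, restarting the nsdc service (as the last post does via the GUI) makes Samba reload the files; the openssl s_client / openssl verify commands from the thread then show two certificates in the served chain instead of one.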