Samba certificates

activedirectory
v7
nextcloud

(Hitmoky Hitter) #1

System version: NethServer release 7.4.1708 (Final)
Kernel release: 3.10.0-693.21.1.el7.x86_64

Module: Active Directory

Hey support! ^^

I’d like to connect an external NextCloud server to the NethServer’s Active Directory LDAP listener, but I got the message that a more secure connection should be used.

I can connect with Apache Directory Studio to both ldap (389) and ldaps (636). But when I try to connect NextCloud with ldap, it doesn’t seem to make the connection and produces the following error messages:

  • Warning: user_ldap Configuration Error (prefix ): login filter does not contain %uid place holder.
  • Warning: user_ldap Configuration Error (prefix ): Not a single Base DN given.

When I do the same with ldaps, these errors get produced:

  • Error: ldap_bind(): Unable to bind to server: Can’t contact LDAP server at /var/www/html/apps/user_ldap/lib/LDAP.php#293
  • Error: ldap_bind(): Unable to bind to server: Can’t contact LDAP server at /var/www/html/apps/user_ldap/lib/LDAP.php#293

I checked with openssl what the certificates are saying, perhaps there is a problem with presenting a valid tls certificate. What I found was a certificate made by Samba itself. So this might explain why NextCloud can’t make a successful connection to the ldap listener on the ldaps port.

I added the following lines in /var/lib/machines/nsdc/etc/samba/smb.conf.includes but this does not seem to have changed much.

tls enabled = yes
tls keyfile = /etc/ssl/vixada/certs/monfig.ldb-beheer.lan.key
tls certfile = /etc/ssl/vixada/certs/monfig.ldb-beheer.lan.crt
tls cafile = /etc/ssl/vixada/certs/monfig.ldb-beheer.lan.ca.crt

What are the things I need to do, so I can complete my task of connecting an external NextCloud server to a NethServer, with the result of being able to log in to NextCloud with the ldap user accounts?

Kind regards,
Jens Kuipers

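The check the poster did with openssl, written out as an added example for this page (not code from the thread, from Samba or from Nextcloud): does the certificate the LDAPS listener presents actually name the host that Nextcloud is pointed at, and is its chain trusted by the system trust store or by a given CA file? The hostnames and the hand-built certificate dictionaries below are constructed; `probe_ldaps` is the only part that needs a live server, the name-matching functions work on the dictionary layout `ssl.SSLSocket.getpeercert()` returns.

```python
"""Verify that a Samba AD LDAPS listener presents a trusted certificate for the right name."""
import socket
import ssl
from typing import List, Optional, Tuple


def san_dns_names(peercert: dict) -> List[str]:
    """DNS entries of subjectAltName, in the dict layout getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(peercert: dict) -> Optional[str]:
    """The subject commonName, or None when the subject has none."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                                     # ".example.tld"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(head) and "." not in head                    # no empty and no multi-label match
    return pattern == hostname


def certificate_covers_host(peercert: dict, hostname: str) -> Tuple[bool, str]:
    """True when the certificate is issued for `hostname`; the text says which field decided."""
    names = san_dns_names(peercert)
    if names:                                                    # SAN present: CN is ignored, as modern clients do
        ok = any(name_matches(n, hostname) for n in names)
        return ok, f"subjectAltName DNS={names}"
    cn = common_name(peercert)
    if cn is None:
        return False, "certificate carries neither subjectAltName nor a commonName"
    return name_matches(cn, hostname), f"no subjectAltName, fell back to commonName={cn!r}"


def probe_ldaps(hostname: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Open a verified TLS connection to the LDAPS port and report why it fails, if it does.

    Needs a reachable server; `hostname` and `cafile` are whatever the deployment uses.
    """
    ctx = ssl.create_default_context(cafile=cafile)            # system trust store, or the CA file given
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()                         # dict is only filled for a verified peer
        ok, why = certificate_covers_host(cert, hostname)
        return {"reachable": True, "trusted": True, "name_ok": ok, "detail": why}
    except ssl.SSLCertVerificationError as exc:
        # chain not trusted (a Samba self-generated certificate, for instance) or name mismatch
        return {"reachable": True, "trusted": False, "name_ok": False, "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:                       # refused, timed out, handshake broke off
        return {"reachable": False, "trusted": False, "name_ok": False, "detail": str(exc)}


if __name__ == "__main__":
    # Constructed certificate dictionary, shaped like getpeercert() output, for an offline dry run.
    sample = {"subject": ((("commonName", "nsdc-host.example.tld"),),),
              "subjectAltName": (("DNS", "nsdc-host.example.tld"), ("DNS", "ad.example.tld"))}
    print(certificate_covers_host(sample, "ad.example.tld"))
    print(certificate_covers_host(sample, "nc.example.tld"))
```

A `trusted: False` result whose detail reads like a self-signed or unknown-issuer error is what a certificate generated by Samba itself produces until the client trusts its CA; a `trusted: True, name_ok: False` result means the chain is fine but the certificate was issued for another name (worth checking when the certificate was verified against nsdc-HOST.DOMAIN.tld but the client connects to ad.DOMAIN.tld). Either condition is consistent with the `ldap_bind()` "Can’t contact LDAP server" message Nextcloud logs, which does not distinguish the two.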

(Markus Neuberger) #2

Hi @Hitmoky_Hitter,

I never tried, but there is a nice howto about setting valid letsencrypt certs for the samba dc:

Scroll down to

The next step will make sure that java and other more strict apps can connect to the AD and use it:

Here are some Nextcloud LDAP settings from my local install:

Server tab, Users tab, Login attributes tab, Groups tab: [screenshots]


(Hitmoky Hitter) #3

Thanks for the reply and sorry for the late reply!

I followed that tutorial multiple times, now again with a fresh install. I checked the certificate on port 636 at nsdc-{HOST}.{DOMAIN}.tld. And it matches the certificate that has been produced.

But when I’m trying to configure the ldaps connection, the following messages show up in the logging page of NextCloud.

  • Warning: Configuration Error (prefix ): login filter does not contain %uid place holder.
  • Warning: Configuration Error (prefix ): either no password is given for the user agent or a password is given, but not an LDAP agent.
  • Warning: Configuration Error (prefix ): No LDAP Login Filter given!

Did I perhaps miss something all this time?


(Markus Neuberger) #4

Did you enter this LDAP query entry under the “Login Attributes” tab in the ldap settings in Nextcloud?
(&(&(|(objectclass=person)))(|(sAMAccountName=%uid)(userPrincipalName=%uid)))

[screenshot]
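What the two “Configuration Error” warnings in the thread are about, and what the `%uid` placeholder in the login filter above does once a user logs in, as an added example written for this page (not Nextcloud’s own code; the checks only mirror the wording of the logged warnings). The value typed into the login form is substituted into the filter, and because that value is attacker-controlled it must be escaped per RFC 4515 before it goes into the search; the `unsafe_substitute` function is the contrast case and exists only to show what unescaped substitution turns the filter into.

```python
"""Nextcloud-style LDAP login filter: %uid placeholder, sanity checks and RFC 4515 escaping."""
from typing import List

# Login filter quoted in the thread: a person matched by sAMAccountName or userPrincipalName.
LOGIN_FILTER = "(&(&(|(objectclass=person)))(|(sAMAccountName=%uid)(userPrincipalName=%uid)))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the server matches it literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_login_filter(template: str) -> List[str]:
    """Return the problems a login filter has; the first two messages mirror the warnings Nextcloud logs."""
    problems = []
    if not template.strip():
        problems.append("No LDAP Login Filter given!")
    elif "%uid" not in template:
        problems.append("login filter does not contain %uid place holder.")
    depth = 0
    for ch in template:                      # a filter must be one balanced expression
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses in login filter")
    return problems


def unsafe_substitute(template: str, login_name: str) -> str:
    """Plain replacement, shown for contrast: a login name of '*' turns every assertion into a wildcard."""
    return template.replace("%uid", login_name)


def build_login_filter(template: str, login_name: str) -> str:
    """Validate the template, then substitute the escaped login name for every %uid."""
    problems = validate_login_filter(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("%uid", escape_filter_value(login_name))


if __name__ == "__main__":
    # Constructed login names, not taken from any real directory.
    for name in ("jens", "j*ns", "*"):
        print(name, "->", build_login_filter(LOGIN_FILTER, name))
    print("unescaped '*' ->", unsafe_substitute(LOGIN_FILTER, "*"))
    print(validate_login_filter("(objectclass=person)"))
```

The validation messages are the ones to look for: the thread’s “login filter does not contain %uid place holder” and “No LDAP Login Filter given!” both come from the Login Attributes tab being empty or missing the placeholder, not from the TLS or DNS side, so they can be cleared independently of the connection problem.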


(Hitmoky Hitter) #5

Forgive me, I had to wait for a week since LetsEncrypt claimed that I had sent in 20 requests already. Anyhow, I can’t even get to that part. NextCloud is not able to connect to either port 389 or port 636 at ad.{domain}.{tld}


(Markus Neuberger) #6

Can you resolve ad.domain.tld from your external nextcloud instance? Does it use Nethserver as DNS?

nslookup ad.domain.tld

Is the external Nextcloud on a Nethserver?


(Hitmoky Hitter) #7

Yes, the NextCloud server is on the local network that I created in Nethserver so it uses the DNS from Nethserver.

root@nc.{domain}.{tld}
Server:    127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:      ad.{domain}.{tld}
Address:   10.0.0.3

(Hitmoky Hitter) #8

However, I just did find out that the Windows computers within the local network of Nethserver can’t seem to get any hold on DNS resolution.

c:\Windows\System32>nslookup ad.ldb-beheer.nl
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.0.0.1

DNS request timed out. 
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

(Markus Neuberger) #9

DNS:

Is 10.0.0.1 your Nethserver? Is Nethserver the DHCP Server for your clients so they will get the right config automatically? Do you have another DHCP (maybe from a router or other server) running as they may conflict?

Nextcloud:

Do you see connection errors in the external nextcloud.log?

I tried it with a Nethserver with Nextcloud installed, joined to another Nethserver and it works without problems.

Here are some docs for Nextcloud LDAP:

https://docs.nextcloud.com/server/13/admin_manual/configuration_user/user_auth_ldap.html


(Hitmoky Hitter) #10

I installed NextCloud through Snap on Ubuntu Server, with the reason being that NextCloud should be on another server to minimize the network usage of the Nethserver that is running as router + domain controller.

The only errors that I can find are some AppArmor denies and the ones stated before.

  • Warning: user_ldap Configuration Error (prefix ): login filter does not contain %uid place holder.
  • Warning: user_ldap Configuration Error (prefix ): No LDAP Login Filter given!

I am unaware of any nextcloud.log


(Markus Neuberger) #11

In Nethserver selinux is disabled; maybe apparmor causes similar problems?

I don’t use snaps, but here is some info about files (and logfiles):


(Hitmoky Hitter) #12

Thanks for the link. I checked the nextcloud.log, but they are basically more detailed versions of the messages I gave in the previous reply, with the same information.

Anyhow, I shall first set up virtual machines with Nethserver and NextCloud as you have done, so that we can have comparable setups. As for the NextCloud snap instance, I shall try to allow AppArmor access to some directories that NextCloud uses. Perhaps that shall give some other result.

I’ll give a report afterwards. Thanks ^^


(Hitmoky Hitter) #13

I have successfully configured a Nethserver NextCloud server to the main Nethserver instance.

So I went to disable AppArmor in the Ubuntu NextCloud Snap installation; this made no change. This made me curious to try some other configurations with two more virtual machines.

  • Ubuntu Server with Docker running NextCloud;
  • Ubuntu Server with a manually installed and configured NextCloud instance.

Both of these configurations did not work. So it must be my main Nethserver. To be more specific, you were talking about DNS.

To summarize:
Nethserver NextCloud to Nethserver as Public Domain Controller is now working. However, Windows computers on the local Nethserver network are not able to do successful nslookups and only have access through Google Chrome (which makes sense, since it uses Google’s public DNS 8.8.8.8). The Ubuntu instances were all able to do nslookups, but on them the different NextCloud configurations are not able to find ldaps://ad.{domain}.{tld}

Nethserver configuration:
I followed the tutorial that you supplied me, but with two NICs: one as red dhcp and the other acting as green static 10.0.0.1; the latter has DHCP enabled.

Is something obvious going on that I am not noticing here?


(Markus Neuberger) #14

You may change the DNS the windows clients are using to your Nethserver’s IP 10.0.0.1 so they can resolve your AD domain.

The logfiles of the Nextcloud snaps should be in /var/snap/nextcloud/common/. With them we may find the error.

What about just using Nethserver’s Nextcloud implementation instead of the Ubuntu snaps?


(Hitmoky Hitter) #15

Well that is the thing; ipconfig /all in cmd on Windows shows that the dns server is 10.0.0.1.

At /var/snap/nextcloud/common/nextcloud/data/nextcloud.log I noticed this message:

Connection to LDAP server could not be established

Isn’t it kind of bad practice to use a Nethserver as PDC, and another Nethserver to act as a NextCloud server while any Linux distribution would do that same trick?


(Markus Neuberger) #16

Try to use the AD container as DNS server as described in the howto above:

The DNS server we will be distributing to the clients NEEDS to be the AD container on 10.0.2.6. This also means that the DNS page of the NethServer server manager, WILL NOT BE USED!
This page will feed the local DNS server on 10.0.2.5, and this will create issues for AD users.

Nethserver solves a lot of configuration troubles, as you can see. So using it as a separate Gateway, Domain Controller and Appserver, for instance, is good practice IMO.
Could you connect your Nextcloud snap to an Ubuntu AD before? Maybe you can make it work with customizing an old working config…
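The DNS side of the thread, from the Windows `nslookup` timeouts in post #8 to the howto’s rule quoted above that clients must use the AD container as their DNS server: domain members locate a domain controller through the `_ldap._tcp.dc._msdcs.<domain>` SRV record, which only the AD container’s DNS serves. Below is an added example written for this page (not NethServer’s, Samba’s or Nextcloud’s code) that sends that exact query to a chosen server with a short timeout and parses the reply with the standard library only; the domain, the DC name and the reply bytes in `sample_reply` are constructed so the parser can be exercised offline, and `check_ad_dns` is the only function that touches the network.

```python
"""Ask a DNS server for the AD domain-controller locator record, the query a domain member sends first."""
import socket
import struct
from typing import List, Tuple

TYPE_A, TYPE_SRV = 1, 33
DC_LOCATOR_PREFIX = "_ldap._tcp.dc._msdcs"          # RFC 2782 SRV name Active Directory clients look up


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """One standard query with recursion desired (flags 0x0100), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                           # the pointer itself is two bytes long
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                               # refuse pointer loops in malformed replies
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg: bytes) -> Tuple[int, List[tuple]]:
    """Return (rcode, [(name, type, value)]) for every RR in the answer, authority and additional sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)         # SRV targets are sent uncompressed (RFC 2782)
            value = (prio, weight, port, target)
        else:
            value = msg[off:off + rdlen]
        records.append((name, rtype, value))
        off += rdlen
    return flags & 0xF, records


def dc_locator_status(rcode: int, records: List[tuple], domain: str) -> dict:
    """Summarise whether a reply actually answers the DC locator query for `domain`."""
    wanted = f"{DC_LOCATOR_PREFIX}.{domain}".lower()
    srv = [v for (n, t, v) in records if t == TYPE_SRV and n.lower() == wanted]
    a_records = {n.lower(): v for (n, t, v) in records if t == TYPE_A}
    dcs = [(target, port, a_records.get(target.lower())) for (_p, _w, port, target) in srv]
    return {"rcode": rcode, "domain_controllers": dcs, "usable": rcode == 0 and bool(srv)}


def check_ad_dns(server_ip: str, domain: str, timeout: float = 2.0) -> dict:
    """Send the DC locator SRV query to `server_ip`; a timeout here is the symptom the Windows clients showed."""
    pkt = build_query(f"{DC_LOCATOR_PREFIX}.{domain}", TYPE_SRV)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(pkt, (server_ip, 53))
            data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"rcode": None, "domain_controllers": [], "usable": False, "error": "timed out"}
    if data[:2] != pkt[:2]:                             # reply must carry our transaction id
        return {"rcode": None, "domain_controllers": [], "usable": False, "error": "transaction id mismatch"}
    rcode, records = parse_records(data)
    return dc_locator_status(rcode, records, domain)


def sample_reply(domain: str = "example.tld", dc: str = "nsdc-host.example.tld", dc_ip: str = "10.0.0.3") -> bytes:
    """Constructed reply (not captured from any real server) shaped like the AD container's DNS answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)     # response, RD+RA, 1 answer, 1 additional
    question = encode_name(f"{DC_LOCATOR_PREFIX}.{domain}") + struct.pack("!HH", TYPE_SRV, 1)
    srv_rdata = struct.pack("!HHH", 0, 100, 389) + encode_name(dc)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, 1, 600, len(srv_rdata)) + srv_rdata  # name -> offset 12
    additional = encode_name(dc) + struct.pack("!HHIH", TYPE_A, 1, 600, 4) + socket.inet_aton(dc_ip)
    return header + question + answer + additional


if __name__ == "__main__":
    rcode, recs = parse_records(sample_reply())
    print(dc_locator_status(rcode, recs, "example.tld"))
```

Run `check_ad_dns("10.0.0.1", "domain.tld")` and `check_ad_dns("10.0.0.3", "domain.tld")` from a client on the green network: with the addresses used in this thread the gateway should time out or answer without the SRV record, and the AD container should return `usable: True` with the DC’s name and address. A client whose resolver gives the first result cannot join or authenticate against the domain no matter how the LDAP side is configured.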


(Hitmoky Hitter) #17

I changed the dns to 10.0.0.3, which is the address of the AD container. This does not seem to change a thing.

Well, you are right, as I am noticing throughout my experience. Although I do want to make a final attempt to get it working.

Unfortunately I do not have access to a computer on the Nethserver’s local network, so I have to call it a day and proceed tomorrow. In any case, thanks a billion, you have helped me out throughout the day and I appreciate that. Apart from the local devices’ DNS problems, you have solved my problems with AD. I’ll mark the reply of Nethserver AD -> Nethserver Nextcloud as what has solved my question. ^.^

Thanks!