Trying to connect TrueNAS-Scale to NS8-AD, Letsencrypt fails to obtain certificate

EddieA · August 19, 2024, 7:55pm

Hi,

I’m trying to get TrueNAS-Scale to use the NS8 AD. My initial attempt at connection, once I worked out what the correct Bind DN parameter was (Hint, it’s not what you show on the Configuration page)

This failed with:

middlewared.service_exception.ValidationErrors: [EINVAL] ldap_update: [STRONG_AUTH_REQUIRED]: Strong(er) authentication required: BindSimple: Transport encryption required.

So looking at the addition parameters available, it looked like I had to turn on TLS for the connection, so I tried to generate a certificate for the CN used by the AD. This failed with:

{“context”:{“action”:“set-certificate”,“data”:{“fqdn”:“NSDC-NETHSERVER.bogolinux.net”,“sync”:true},“extra”:{“description”:“Processing”,“eventId”:“24172678-dc7a-4a4d-a2b9-af59f9907fe0”,“logs”:{“instance”:“traefik1”,“path”:“?searchQuery=&context=module&selectedAppId=traefik1&followLogs=false&startDate=2024-08-19&startTime=10%3A37&autoStartSearch=true”},“title”:“Request certificate for NSDC-NETHSERVER.bogolinux.net”},“id”:“73d2ae8f-6bc1-429b-89ac-e372fe79fa94”,“parent”:“”,“queue”:“module/traefik1/tasks”,“timestamp”:“2024-08-19T17:37:34.267038547Z”,“user”:“admin”},“status”:“aborted”,“progress”:99,“subTasks”:,“validated”:true,“result”:{“error”:“”,“exit_code”:2,“file”:“task/module/traefik1/73d2ae8f-6bc1-429b-89ac-e372fe79fa94”,“output”:{“obtained”:false}}}

Looking through the traefik1 logs I couldn’t see anything obvious that was wrong and it was only at the 99% stage of the process that it appeared to fail.

I’ve got the DNS entries set up both internally and externally set up correctly to find the server, so not sure why one request would work, but not another.

Cheers.

EddieA · August 20, 2024, 1:26am

After running this again, and resisting the temptation to follow the progress under notifications (Hint: Redirect the UI traefik logs to a separate log than the rest of the traefik traffic (LOL) to make problem determination easier) I found this at what appears to be the point of failure:

[1:traefik1:agent@traefik1] task/module/traefik1/747140ad-7524-4511-b78c-2f53c54f0c8e: action “set-certificate” status is “aborted” (2) at step 21waitsync

What other log should I be looking in for clues as the traefik log is almost 100% HTTP results with the odd line from an agent showing when a task/module starts or ends, but nothing from what that task/module is doing.

Cheers.

Andy_Wismer · August 20, 2024, 3:50am

Hi @EddieA

I still have to make my AD in NS8 a certificate.

I do recall from NS/ using the “official” ad.domain.tld as an alias for NS/ LE, used a script to automate copying the certs to the AD container in NS7 and restart the service. This worked.

The main issue is that applications programmed in either PHP or JAVA (Maybe others too, I only had apps using the two languages…) require a valid ssl cert fo AD access. This worked for all applications I had to connect to AD.

Now, how exactly to do this in NS8…
Maybe @mrmarkuz has a good idea?

My 2 cents
Andy

From my NS7 notes:

————————————————————
Install LE in AD
————————————————————

cp

awr7-nethserver.r7.anwi.ch

/var/lib/machines/nsdc/var/lib/samba/private/tls/

nano /etc/e-smith/events/certificate-update/S80push2ad
Contents:

#!/bin/bash
cp -f -p /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba


chmod 750 /etc/e-smith/events/certificate-update/S80push2ad

Afterwards:

/etc/e-smith/events/certificate-update/

————————————————————

mrmarkuz · August 20, 2024, 9:39am

Here are my steps to use a letsencrypt cert for samba but there’s room for improvement and it’s just a first draft, so please test it before using it in production environments.

Some ideas for the future:

Use letsencrypt DNS verification instead of HTTP to avoid the port forward to the DC that’s needed for renewal
Automate the process

Check current Samba certificate:

openssl s_client -connect localhost:636

You should get an answer like that, use CTRL-C to exit the command.
Check the CN to get the FQDN of the DC, in my case it is dc1.ad.mrmarkuz.com

CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.ad.mrmarkuz.com

Get a letsenrypt certficate for the samba DC. In my case it worked by just port forwarding port 80 from my NethSecurity to the NS8. No additional DNS entries were needed.

Backup the current certificate:

My samba user/instance name is samba1, please adapt all following commands to use your right samba instance/user…

mv /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem.bkp
mv /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem.bkp

I used traefik-certs-dumper tool to extract the certs from traefik, see also Path to the certs? - #4 by mrmarkuz

Download and extract the tool:

wget https://github.com/ldez/traefik-certs-dumper/releases/download/v2.8.3/traefik-certs-dumper_v2.8.3_linux_386.tar.gz
tar -xzvf traefik-certs-dumper_v2.8.3_linux_386.tar.gz

Get the certificates out of traefik using the tool:

./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2

The cert files that we will use for samba should be located in dump/<yourdcname>/ (in my case dump/dc1.ad.mrmarkuz.com so please adapt the following commands accourdingly.

Copy the certificates to the samba volume:

cp dump/dc1.ad.mrmarkuz.com/certificate.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem
cp dump/dc1.ad.mrmarkuz.com/privatekey.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem

Set right owner:

chown samba1:samba1 /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/*.pem

We got no CA file so we need to add following samba config to /home/samba1/.local/share/containers/storage/volumes/config/_data/include.conf else the service won’t start:

tls cafile =

If you created the file please check the file owner, it should be samba1:samba1

Restart the samba dc service:

runagent -m samba1 systemctl --user restart samba-dc

Check the samba cert again:

root@home:~# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = dc1.ad.mrmarkuz.com
verify return:1

I didn’t test a samba client yet but as the cert is there it should work…

EddieA · August 20, 2024, 4:55pm

mrmarkuz:

Check current Samba certificate:
openssl s_client -connect localhost:636
You should get an answer like that, use CTRL-C to exit the command.
Check the CN to get the FQDN of the DC, in my case it is dc1.ad.mrmarkuz.com
CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.ad.mrmarkuz.com

That’s exactly how I came up with: NSDC-NETHSERVER.bogolinux.net.

This is why I don’t understand it’s not working for me. My DreamMachine router forwards both ports 80 and 443 to the NS8 instance, which I know are working because I can browse my web setup. I have both internal and external DNS entries both for the domain itself and a FQDN for NSDC-NETHSERVER.

I was able to successfully pull a certificate for ns8.bogolinux.net to allow Thunderbird to connect, and I don’t see any differences between how the 2 were configured.

Cheers.

mrmarkuz · August 20, 2024, 5:24pm

Did you already try to delete the certificate and create a new one?

I used small letters for the FQDN in the certificate.

EddieA · August 20, 2024, 5:45pm

Yes, and now it seems to be in a strange state.

Deleting the uppercase FQDN and requesting a lower case one completed in a matter of seconds, which was my first clue that something was wrong. The second was running the openssl command:

[eddie@BogoLinux.net@Nethserver ~]$ openssl s_client -connect ns8.bogolinux.net:686
socket: Bad file descriptor
connect:errno=9
[eddie@BogoLinux.net@Nethserver ~]$

I tried restarting traefik and requesting again, same result. And restating Samba, same result.

Cheers.

mrmarkuz · August 20, 2024, 5:57pm

Let’s check the samba hostname, in my case it’s written in small letters.

runagent -m samba1 podman exec samba-dc hostname

EddieA · August 20, 2024, 5:59pm

[root@ns8 ~]# runagent -m samba1 podman exec samba-dc hostname
nsdc-nethserver.bogolinux.net
[root@ns8 ~]#

Cheers.

mrmarkuz · August 20, 2024, 6:01pm

Is it the same when you connect to localhost?

openssl s_client -connect localhost:686

EddieA · August 20, 2024, 6:18pm

Nope:

[root@ns8 ~]# openssl s_client localhost:686
80BBB34A6F7F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:114:calling connect()
80BBB34A6F7F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:
80BBB34A6F7F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:114:calling connect()
80BBB34A6F7F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:
connect:errno=111
[root@ns8 ~]#

Looks like Samba isn’t happy any more:

[root@ns8 ~]# ss -tupln | grep 686
[root@ns8 ~]# ss -tupln | grep samba
[root@ns8 ~]#

Here’s the Samba log since I last restarted it:

2024-08-20T10:43:19-07:00 [1:samba1:systemd] Starting Samba AD Domain Controller…
2024-08-20T10:43:20-07:00 [1:samba1:systemd] Started libcrun container.
2024-08-20T10:43:20-07:00 [1:samba1:podman] 2ce172cd3e1ff5cf90ee57838a965ae86e4d23abd678c7abf01786c4d192e510
2024-08-20T10:43:20-07:00 [1:samba1:bash] /usr/bin/bash: connect: Connection refused
2024-08-20T10:43:20-07:00 [1:samba1:bash] /usr/bin/bash: line 1: /dev/tcp/192.168.0.225/53: Connection refused
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] 2024-08-20T17:43:20Z chronyd version 4.3 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] 2024-08-20T17:43:20Z Disabled control of system clock
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] 2024-08-20T17:43:20Z MS-SNTP authentication enabled
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] samba version 4.18.6-Ubuntu started.
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] Copyright Andrew Tridgell and the Samba Team 1992-2023
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] daemon_status: daemon ‘samba’ : Starting process…
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] binary_smbd_main: samba: using ‘prefork’ process model
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] Error registering NSDC-NETHSERVER<00> with 192.168.0.225 on interface 192.168.0.255 - NT_STATUS_CONFLICTING_ADDRESSES
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] Error registering NSDC-NETHSERVER<03> with 192.168.0.225 on interface 192.168.0.255 - NT_STATUS_CONFLICTING_ADDRESSES
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] Error registering NSDC-NETHSERVER<20> with 192.168.0.225 on interface 192.168.0.255 - NT_STATUS_CONFLICTING_ADDRESSES
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] Error registering DISCWORLD<1b> with 192.168.0.225 on interface 192.168.0.255 - NT_STATUS_CONFLICTING_ADDRESSES
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/smbd: smbd version 4.18.6-Ubuntu started.
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2023
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/smbd: INFO: Profiling turned OFF from pid 18
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/winbindd: winbindd version 4.18.6-Ubuntu started.
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/winbindd: Copyright Andrew Tridgell and the Samba Team 1992-2023
2024-08-20T10:43:20-07:00 [1:samba1:samba-dc] /usr/sbin/winbindd: initialize_winbindd_cache: clearing cache and re-creating with version number 2
2024-08-20T10:43:25-07:00 [1:samba1:systemd] Started Samba AD Domain Controller.
2024-08-20T10:43:35-07:00 [1:samba1:samba-dc] Doing a full scan on DC=ForestDnsZones,DC=bogolinux,DC=net and looking for deleted objects
2024-08-20T10:43:35-07:00 [1:samba1:samba-dc] Doing a full scan on DC=DomainDnsZones,DC=bogolinux,DC=net and looking for deleted objects
2024-08-20T10:43:35-07:00 [1:samba1:samba-dc] Doing a full scan on CN=Configuration,DC=bogolinux,DC=net and looking for deleted objects
2024-08-20T10:43:35-07:00 [1:samba1:samba-dc] Doing a full scan on DC=bogolinux,DC=net and looking for deleted objects
2024-08-20T10:47:37-07:00 [1:samba1:samba-dc] Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][NETHSERVER$@BOGOLINUX.NET] at [Tue, 20 Aug 2024 17:47:37.151883 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.254:54001] became [DISCWORLD][NETHSERVER$] [S-1-5-21-3075704105-855794552-2468492304-1103]. local host [NULL]
2024-08-20T10:47:37-07:00 [1:samba1:samba-dc] Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][NETHSERVER$@BOGOLINUX.NET] at [Tue, 20 Aug 2024 17:47:37.165022 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.254:60018] became [DISCWORLD][NETHSERVER$] [S-1-5-21-3075704105-855794552-2468492304-1103]. local host [NULL]
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 17:54:04.796384 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:58664] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 17:54:04.796402 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:58662] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][CN=admin,CN=Users,DC=bogolinux,DC=net] at [Tue, 20 Aug 2024 17:54:04.885080 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:58664] became [DISCWORLD][admin] [S-1-5-21-3075704105-855794552-2468492304-1104]. local host [ipv4:192.168.0.225:636]
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 17:54:34.685476 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:58664] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][CN=eddie,CN=Users,DC=bogolinux,DC=net] at [Tue, 20 Aug 2024 17:54:34.748114 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:58664] became [DISCWORLD][eddie] [S-1-5-21-3075704105-855794552-2468492304-1106]. local host [ipv4:192.168.0.225:636]
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:54:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T10:58:52-07:00 [1:samba1:systemd] Started podman-3277.scope.
2024-08-20T11:02:39-07:00 [1:samba1:samba-dc] Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][NETHSERVER$@BOGOLINUX.NET] at [Tue, 20 Aug 2024 18:02:39.037932 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.254:54420] became [DISCWORLD][NETHSERVER$] [S-1-5-21-3075704105-855794552-2468492304-1103]. local host [NULL]
2024-08-20T11:02:39-07:00 [1:samba1:samba-dc] Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][NETHSERVER$@BOGOLINUX.NET] at [Tue, 20 Aug 2024 18:02:39.055043 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.254:60070] became [DISCWORLD][NETHSERVER$] [S-1-5-21-3075704105-855794552-2468492304-1103]. local host [NULL]
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 18:09:04.814392 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:60232] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 18:09:04.815376 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:60230] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][CN=admin,CN=Users,DC=bogolinux,DC=net] at [Tue, 20 Aug 2024 18:09:04.903377 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:60230] became [DISCWORLD][admin] [S-1-5-21-3075704105-855794552-2468492304-1104]. local host [ipv4:192.168.0.225:636]
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:04-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][ldapservice@bogolinux.net] at [Tue, 20 Aug 2024 18:09:34.708032 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:60230] became [DISCWORLD][ldapservice] [S-1-5-21-3075704105-855794552-2468492304-1108]. local host [ipv4:192.168.0.225:636]
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] Auth: [LDAP,simple bind/TLS] user [DISCWORLD][CN=eddie,CN=Users,DC=bogolinux,DC=net] at [Tue, 20 Aug 2024 18:09:34.770920 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-NETHSERVER] remote host [ipv4:192.168.0.225:60230] became [DISCWORLD][eddie] [S-1-5-21-3075704105-855794552-2468492304-1106]. local host [ipv4:192.168.0.225:636]
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
2024-08-20T11:09:34-07:00 [1:samba1:samba-dc] TLS …/…/source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.

Cheers.

mrmarkuz · August 20, 2024, 6:26pm

Let’s check the samba service:

runagent -m samba1 systemctl --user status samba-dc -l

Did you create the file /home/samba1/.local/share/containers/storage/volumes/config/_data/include.conf with the right owner samba1:samba1 as explained above?

Things to compare:

TLS config:

root@home:~# runagent -m samba1 podman exec samba-dc /usr/bin/testparm -s -v | grep tls
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_ACTIVE_DIRECTORY_DC

	ldap ssl = start tls
	tls cafile = 
	tls certfile = tls/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible

Samba config dir:

root@home:~# ls -l /home/samba2/.local/share/containers/storage/volumes/config/_data/
total 28
-rw-r--r-- 1 samba2 samba2    8 Aug  7  2023 gdbcommands
-rw-r--r-- 1 samba2 samba2  107 Aug 20 10:26 include.conf
-rw-r--r-- 1 samba2 samba2  923 Aug 20 19:53 smb.conf
-rw-r--r-- 1 samba2 samba2 8917 Nov 21  2023 smb.conf.distro
drwxr-xr-x 2 samba2 samba2 4096 Oct 10  2023 tls

Certificate dir:

root@home:~# ls -l /home/samba2/.local/share/containers/storage/volumes/data/_data/private/tls/
total 20
-rw-r--r-- 1 samba2 samba2 2029 Dec 24  2023 ca.pem.bkp
-rw-r--r-- 1 samba2 samba2 3928 Aug 20 10:12 cert.pem
-rw-r--r-- 1 samba2 samba2 2033 Dec 24  2023 cert.pem.bkp
-rw------- 1 samba2 samba2 3243 Aug 20 10:12 key.pem
-rw------- 1 samba2 samba2 3243 Dec 24  2023 key.pem.bkp

EddieA · August 21, 2024, 12:25am

Duhhhhhhhhh. Somewhere along the line, we both went from trying openssl on port 636 to 686 which obviously isn’t going to work, and I also assumed that the process name would be samba, which it isn’t.

Anyway, by following your instructions I got port 636 to present the correct certificate when contacted. But that’s about as far as I got. Trying to connect from TrueNAS resulted in:

Which isn’t really helpful at all. Opening the More info… just gives a list of the Python calls with no input or output data to see what might be wrong.

One difference I did notice is the specification of the Bind DN parameter. NS8 shows it as an email address:

Where TrueNAS is expecting this:

It wouldn’t let me put the email format in.

I was going to trace the traffic until I realised it was going to be encrypted and I wouldn’t be able to read it.

Guess I can try posting a question on the TrueNAS board, but I’m sure they haven’t come across connecting to NS8 (or maybe 7) previously, but worth a try.

Cheers,
Eddie

mrmarkuz · August 21, 2024, 4:56pm

The correct bind DN should be something like:

CN=ldapservice,CN=Users,DC=bogolinux,DC=net

or

CN=ldapservice,DC=bogolinux,DC=net

If nothing else works, It’s also possible to disable the need for strong auth but it’s not recommended because of the weak security:

Add the following to your /home/samba1/.local/share/containers/storage/volumes/config/_data/include.conf and restart the samba-dc service:

ldap server require strong auth = no

Is the TrueNAS Scale able to resolve the hostname of the DC correctly?

Maybe you can use an IP address as hostname in the LDAP settings?

EddieA · August 21, 2024, 6:34pm

That’s the correct one. THANK YOU.

But it only works with this:

Which I used to test, because I was going to use tcpdump to capture packets, but didn’t need to, because I got meaningful error messages back this time. But after finding the correct setting, turning on the encryption caused it to fail again. Maybe a certificate error, although I did ensure that the Root CA for Letsencrypt certificates was loaded. Maybe that’s one for the TrueNAS folks.

But thanks again for hanging in there.

Cheers.

mrmarkuz · August 21, 2024, 6:44pm

I think you could create a CA on TrueNAS and issue a certificate to use for samba.

Just in case you didn’t already try it, there’s an option to disable “Validate Certificates” in the advanced LDAP options of TrueNAS.