Note: the problem described in this article turned out to be an expired certificate that samba 4 was using.
If you are instead seeing "LDAP Error: Strong authentication is required Details" or "Unable to connect to NetLogon service on", that case is covered in a separate article, "ONTAP 9.5 cannot join a samba domain & ONTAP 9.7 fails".
To build a test environment I created a NetApp simulator running 9.5P6 and tried to register it with an Active Directory environment built on samba 4...
netapp95sim::*> vserver cifs create -cifs-server netappcifs -domain ad.osakana.net -ou CN=Computers -vserver netappcifs -netbios-aliases netappcifs

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "AD.OSAKANA.NET" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
  [   215] Loaded the preliminary configuration.
  [   267] Successfully connected to ip 172.17.44.49, port 88 using TCP
  [   342] Successfully connected to ip 172.17.44.49, port 636 using TCP
  [   379] Required certificate with CA ADSERVER.ad.osakana.net is not installed
  [   381] Unable to start LDAPS: Can't contact LDAP server
  [   381] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
  [   381] Unable to connect to LDAP (Active Directory) service on adserver.ad.osakana.net (Error: Can't contact LDAP server)
**[   381] FAILURE: Unable to make a connection (LDAP (Active Directory):AD.OSAKANA.NET), result: 7642

Error: command failed: Failed to create the Active Directory machine account "netappcifs". Reason: LDAP Error: Cannot contact the LDAP server.

netapp95sim::*>
An error occurred.
After some searching I found that registration can also be done with the active-directory command, so I tested that as well.
netapp95sim::*> active-directory create -vserver netappcifs -account-name adserver -domain ad.osakana.net
  (vserver active-directory create)

In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "AD.OSAKANA.NET" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
  [   179] Loaded the preliminary configuration.
  [   230] Successfully connected to ip 172.17.44.49, port 88 using TCP
  [   298] Successfully connected to ip 172.17.44.49, port 636 using TCP
  [   333] Required certificate with CA ADSERVER.ad.osakana.net is not installed
  [   335] Unable to start LDAPS: Can't contact LDAP server
  [   335] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
  [   336] Unable to connect to LDAP (Active Directory) service on adserver.ad.osakana.net (Error: Can't contact LDAP server)
**[   336] FAILURE: Unable to make a connection (LDAP (Active Directory):AD.OSAKANA.NET), result: 7642

Error: command failed: Failed to create the Active Directory machine account "ADSERVER". Reason: LDAP Error: Cannot contact the LDAP server.

netapp95sim::*>
Same error.
After a lot of trial and error, I wondered whether I just needed to install the self-signed CA on the NetApp, so I tried that. (See "Installing a server CA certificate to authenticate an SSL server of which the cluster or SVM is a client".)
netapp95sim::*> security certificate install -vserver netappcifs -type server-ca

Please enter Certificate: Press <Enter> when done

-----BEGIN CERTIFICATE-----
<paste the contents of samba's /usr/local/samba/private/tls/ca.pem here>
-----END CERTIFICATE-----

Error: command failed: The certificate has expired.

netapp95sim::*>
Hm? "The certificate has expired."???
I checked using the method described under "Verifying the certificate" on the official Samba page "Configuring LDAP over SSL (LDAPS) on a Samba AD DC".
# ls -l /usr/local/samba/private/tls
total 12
-rw-r--r--. 1 root root 2041 Mar 27  2018 ca.pem
-rw-r--r--. 1 root root 2045 Mar 27  2018 cert.pem
-rw-------. 1 root root 3243 Mar 27  2018 key.pem
#
# openssl verify /usr/local/samba/private/tls/cert.pem -CApath /usr/local/samba/private/tls/ca.pem
/usr/local/samba/private/tls/cert.pem: O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = ADSERVER.AD.OSAKANA.NET
error 20 at 0 depth lookup:unable to get local issuer certificate
Error opening certificate file -CApath
140285523859344:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('-CApath','r')
140285523859344:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
/usr/local/samba/private/tls/ca.pem: O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = ADSERVER.AD.OSAKANA.NET
error 18 at 0 depth lookup:self signed certificate
O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = ADSERVER.AD.OSAKANA.NET
error 10 at 0 depth lookup:certificate has expired
OK
#
Yes. The certificate had expired.
Since the proper procedure is tedious, I renamed the files in /usr/local/samba/private/tls and then forced samba to regenerate them with "systemctl stop samba-ad-dc.service" followed by "systemctl start samba-ad-dc.service".
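The following shell script is an added example, not part of the original post or of Samba itself. It checks the Samba DC's TLS material the way ONTAP judges it when you paste ca.pem into "security certificate install": is the CA still inside its validity window, and does cert.pem chain to it. Note that the verify command in the post passed the CA with -CApath, which expects a c_rehash'ed directory; openssl therefore tried to open "-CApath" as a certificate and went on to verify ca.pem itself, which is where the "self signed certificate" and "certificate has expired" lines came from. The script uses -CAfile instead. The directory /usr/local/samba/private/tls and the unit name samba-ad-dc.service are taken from the post; the function names, the 30-day warning window and the backup-file naming are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the Samba AD DC's TLS
# files for expiry and chain validity before installing ca.pem on ONTAP.
# SAMBA_TLS_DIR defaults to the path used in the post; override for other builds.
SAMBA_TLS_DIR="${SAMBA_TLS_DIR:-/usr/local/samba/private/tls}"

# Print the notBefore= / notAfter= lines of a PEM certificate.
cert_validity() {
    openssl x509 -in "$1" -noout -dates
}

# Return 0 (true) if the certificate in $1 expires within $2 seconds
# (default: 30 days, an assumed threshold), 1 if it stays valid beyond that.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds
# from now and 1 when it is not, so the sense is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Verify host certificate $2 against the CA in PEM file $1.
# -CAfile takes a file; -CApath (as in the post's command) expects a hashed
# directory, which is why openssl tried to open "-CApath" as a certificate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check ca.pem and cert.pem in a Samba tls directory. Prints one verdict per
# file and returns 0 only if both are unexpired and cert.pem chains to ca.pem.
check_samba_tls() {
    dir="${1:-$SAMBA_TLS_DIR}"
    ca="$dir/ca.pem"
    cert="$dir/cert.pem"
    rc=0
    for f in "$ca" "$cert"; do
        if [ ! -r "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        if cert_expires_within "$f" 0; then
            echo "EXPIRED: $f ($(openssl x509 -in "$f" -noout -enddate))"
            rc=1
        elif cert_expires_within "$f"; then
            echo "expires within 30 days: $f ($(openssl x509 -in "$f" -noout -enddate))"
        else
            echo "ok: $f"
        fi
    done
    if [ "$rc" -eq 0 ] && ! verify_chain "$ca" "$cert"; then
        echo "cert.pem does not chain to ca.pem"
        rc=1
    fi
    return "$rc"
}

# The post's fix: move the autogenerated files aside and restart the DC so
# Samba creates a fresh CA, host cert and key. Backups are kept under an
# assumed timestamped name so the old material can be compared later.
regenerate_samba_tls() {
    dir="${1:-$SAMBA_TLS_DIR}"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in ca.pem cert.pem key.pem; do
        [ -e "$dir/$f" ] && mv "$dir/$f" "$dir/$f.$stamp.bak"
    done
    systemctl stop samba-ad-dc.service && systemctl start samba-ad-dc.service
}

# Usage: sh check_samba_tls.sh --check [/path/to/tls]
if [ "${1:-}" = "--check" ]; then
    check_samba_tls "$2"
fi
```

Run the check first; only if it reports ok (or merely "expires within 30 days") is pasting ca.pem into ONTAP worth trying. When it reports EXPIRED, run regenerate_samba_tls on the DC, re-run the check, and install the new ca.pem on every client that validates the DC's LDAPS certificate, since the old CA is no longer valid anywhere.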