Highlighted
downhill2
2 Iron

connecting to AD with SFU using SSL

Trying to understand if to use a CIFS server account to connect to AD using the -kaccount and only -basedn precludes the use of -sslenabled "y". I doubt it does but I don't see anywhere in the Naming Services doc as far as how to set the LDAP connection so that the server talks over 636 instead of 389.

Here is the command.

server_ldap server_2 -set -basedn dc=our,dc=domain,dc=com -sslenabled y -servers ourdcs -kerberos -kaccount ourcifsbox$

This command completes but cannot get connected. I've imported our certs using the server_certificate command but it makes no difference. If I connect with ssl disabled, it connects just fine.

Does ldap.conf need to be configured specifically for SSL? Or, does server_certificate all those imported certs to be used for LDAPS /NFSv4 -securenfs?

thanks!

0 Kudos
2 Replies
SAMEERK1
2 Iron

Re: connecting to AD with SFU using SSL

please check this primus article from powerlink : emc231825

hope this helps

Sameer Kulkarni

0 Kudos
downhill2
2 Iron

Re: connecting to AD with SFU using SSL

Nope, NTP is working everywhere. It has been suggested to me that "sslenabled y" is not necessary when using kaccount (kerberos) since kerberos by it's nature is encrypted auth. But, I cannot seem to find any documentation which specifically calls this out with regards to how this works with Celerra. It just seems odd to me that the process of connecting to AD using an "LDAP" command clearly uses port 389 according to the tcpdump, works fine, but when forcing it to use 636 fails.

To be clear, the only reason we are using the kerberos option is to be able to export shares using "sec=krbp5", of which there is very minimal documentation around what the real requirements are to do such a thing.

thanks for the tip though.

0 Kudos