Connection to the Active Directory Domain Controller on SAMBA

ZS
Aspirant

Connection to the Active Directory Domain Controller on SAMBA

Hello,

 

I am using FSPMS version 13.12 and I connect to an AD domain on WS2008R2 with no problem from the FSPMC console using LDAP://servername.domain.


However, if I want to connect to the Active Directory Domain Controller on SAMBA, I get the message "Could not connect to the domain server. Check that you entered all necessary information correctly." Has anyone tried to connect to AD on SAMBA?


The error fragment from the Administrator.error.log file:

Thu Feb 28 10:09:53 CET 2019
java.util.concurrent.ExecutionException: com.fsecure.fsa.ad.ldap.LdapException: Could not connect to the domain server. Check that you entered all necessary information correctly.
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at javax.swing.SwingWorker.get(SwingWorker.java:602)
at com.fsecure.fspmc.ui.adsync.AddressAndCredentialsPage$1.done(AddressAndCredentialsPage.java:115)
at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
at javax.swing.Timer.fireActionPerformed(Timer.java:313)
at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:109)
at java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:190)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:235)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:233)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:233)
at java.awt.Dialog.show(Dialog.java:1084)
at com.fsecure.common.awt.FDialog.show(FDialog.java:250)
at com.fsecure.common.awt.WizardDialog.show(WizardDialog.java:190)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:185)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:177)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createRule(ActiveDirectoryView.java:400)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createSyncRule(ActiveDirectoryView.java:392)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView$9.actionPerformed(ActiveDirectoryView.java:381)
at com.fsecure.fspmc.ui.installation.ActionItem.lambda$new$0(ActionItem.java:85)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:289)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2237)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2295)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4889)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4526)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4467)
at java.awt.Container.dispatchEventImpl(Container.java:2281)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.awt.EventQueue$4.run(EventQueue.java:729)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

 

Accepted Solution
ZS
Aspirant

Re: Connection to the Active Directory Domain Controller on SAMBA

Thanks to the help it worked

 

1. I checked the AD server certificate, then went to the directory:

           openssl s_client -showcerts -connect ad1.domain.local:636

           cd /usr/local/samba/private/tls    ## if you compiled samba from sources

           cd /var/lib/samba/private/tls      ## if you installed samba from repos

2. I copied the certificate and converted it from *.pem to *.crt:

           openssl x509 -outform der -in your-cert.pem -out your-cert.crt

           and finally, according to the instructions:

3. Run the following command to go to Policy Manager's JRE directory:

           cd /opt/f-secure/fspms/jre/

4. Run keytool to apply the certificate:

            ./bin/keytool -importcert -keystore ./lib/security/cacerts -file /tmp/crt/server.crt

           keytool prompts you to enter a password. Use the default keystore password, changeit.

5. Enter yes when asked if you trust this certificate, and press Enter.

6. Restart the Policy Manager service:

           /etc/init.d/fspms restart

 

Samba from version 4 uses LDAPS to connect
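The steps above (dump the certificate from the LDAPS port, inspect it, import it into the Policy Manager JRE trust store, verify), as an added POSIX shell script that is not from this thread, from F-Secure or from Samba. It assumes the paths the thread uses (/opt/f-secure/fspms/jre, keystore password changeit) and that openssl and the JRE's keytool are available; beyond the steps above it trusts the issuing CA when the server sends a chain, checks the host name against the leaf certificate, and lists the alias after import.

```shell
#!/bin/sh
# Fetch, inspect and trust the certificate presented on a Samba AD LDAPS port
# for Policy Manager on Linux. Added example; defaults follow the thread.
set -eu

JRE_DIR="${JRE_DIR:-/opt/f-secure/fspms/jre}"        # assumed PM JRE location
KEYSTORE="$JRE_DIR/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"                   # JRE default, as in step 4

# Print the PEM certificate chain the server presents on host:port (SNI set).
fetch_chain() {  # fetch_chain host port
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# Number of certificates in a PEM bundle: 1 = self-signed server cert only,
# >1 = leaf followed by its issuer chain (trust the last one, the CA).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Copy the n-th certificate (1-based) of a PEM bundle into its own file.
pem_nth() {  # pem_nth bundle n outfile
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                   /-----END CERTIFICATE-----/{if (c==n) exit}' "$1" > "$3"
}

# SHA-256 fingerprint (colon-separated hex) to compare with the copy on the
# Samba host, e.g. /var/lib/samba/private/tls/cert.pem from step 1.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Does the certificate's SAN (or CN) match the name PM will dial? exit 0/1.
matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Import under a stable alias (replacing an older copy) and show the entry.
import_cert() {  # import_cert pemfile alias
    "$JRE_DIR/bin/keytool" -delete -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$2" 2>/dev/null || true
    "$JRE_DIR/bin/keytool" -importcert -noprompt -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -alias "$2" -file "$1"
    "$JRE_DIR/bin/keytool" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$2"
}

main() {  # main host [port]
    host="$1"; port="${2:-636}"
    tmp=$(mktemp -d)
    fetch_chain "$host" "$port" > "$tmp/chain.pem"
    n=$(pem_count "$tmp/chain.pem")
    [ "$n" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; exit 1; }
    pem_nth "$tmp/chain.pem" 1 "$tmp/leaf.pem"      # what the server identifies as
    pem_nth "$tmp/chain.pem" "$n" "$tmp/trust.pem"   # what PM should trust
    echo "received $n certificate(s); SHA-256 of the one to trust: $(fingerprint "$tmp/trust.pem")"
    matches_host "$tmp/leaf.pem" "$host" \
        || echo "WARNING: leaf certificate does not match host name $host; PM will still reject it" >&2
    import_cert "$tmp/trust.pem" "samba-ldaps-$host"
    rm -rf "$tmp"
    echo "now restart Policy Manager: /etc/init.d/fspms restart"
}

# Only run when invoked with a host, e.g.: sh trust_samba_ldaps.sh ad1.domain.local 636
if [ "$#" -ge 1 ]; then main "$@"; fi
```

The earlier "BindSimple: Transport encryption required" (LDAP error code 8) is Samba refusing a simple bind over plain LDAP because of its `ldap server require strong auth` default, so the fix is to make LDAPS trusted as above, not to fall back to ldap://.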

8 REPLIES
Superuser

Re: Connection to the Active Directory Domain Controller on SAMBA

Hello,

 

> if I want to connect to the Active Directory Domain Controller on SAMBA

 

What is the version of Samba and what is the underlying OS: such exacting technical information would be important for any answer.

 

On the other hand, Samba is a kind of hack, a reverse engineered project, so official support is probably not provided for connectivity with that, only bona fide Microsoft AD.

 

Best regards: Tamas Feher, Hungary.

F-Secure

Re: Connection to the Active Directory Domain Controller on SAMBA

Hello ZS,

 

PM was not ever tested with SAMBA, but in theory LDAP should work...

Please check Policy Manager Server fspms-webapp-errors.log for corresponding exception, it should contain details about the reason.

 

BR,

Alexander

ZS
Aspirant

Re: Connection to the Active Directory Domain Controller on SAMBA

Samba 4.7.6-Ubuntu; the OS version is Ubuntu 18.04.1 LTS.

 

Errors from the fspms-webapp-errors.log file. This is the error when I try to connect using LDAP://:

04.03.2019 11:52:23,920 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]

and this is when using LDAPS://:

04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
F-Secure

Re: Connection to the Active Directory Domain Controller on SAMBA

Could you please provide full exception happened 04.03.2019 11:54:20,564 (from the second spoiler), including “Caused by”?

ZS
Aspirant

Re: Connection to the Active Directory Domain Controller on SAMBA

Of course, here it is:

04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at sun.reflect.GeneratedMethodAccessor1123.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at com.sun.proxy.$Proxy193.query(Unknown Source) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:215) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:39) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.remoting.support.RemoteInvocationBasedExporter.invokeAndCreateResult(RemoteInvocationBasedExporter.java:114) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at com.fsecure.commons.java.spring.remoting.httpinvoker.StreamHttpInvokerServiceExporter.handleRequest(StreamHttpInvokerServiceExporter.java:61) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:881) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar:3.1.0]
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at com.fsecure.fspms.notification.BayeuxClientIdFilter.doFilter(BayeuxClientIdFilter.java:35) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at com.fsecure.commons.java.spring.session.SessionTerminationFilter.doFilter(SessionTerminationFilter.java:52) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) ~[spring-security-web-3.2.10.RELEASE.jar:?]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[jetty-security-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) ~[jetty-rewrite-9.3.22.v20171030.jar:9.3.22.v20171030]
at com.fsecure.fspms.jetty.RewriteHandlerWithAsyncSupport.handle(RewriteHandlerWithAsyncSupport.java:30) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at com.fsecure.fspms.jetty.SingleConnectorHandler.handle(SingleConnectorHandler.java:33) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:169) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.Server.handle(Server.java:534) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_152]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_152]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
... 108 more
Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
at com.fsecure.fsa.ad.ldap.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.java:45) ~[commons-java-ldap-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985) ~[?:1.8.0_152]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:1.8.0_152]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
... 108 more
F-Secure

Re: Connection to the Active Directory Domain Controller on SAMBA

That’s the reason:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain

 

I’d suggest checking the certificate at your LDAPS port, for instance by running “openssl.exe s_client -connect AD1.DOMAIN.LOCAL:636”, which dumps the certificate to the console. If you save this certificate dump to a *.crt file, the certificate viewer will allow you to check all details.


To make LDAPS work, you need to establish a trust relationship between PM and SAMBA (by changing the LDAPS certificate, importing the certificate’s CA into PM, or both).
If Policy Manager is installed on a Windows host, PM uses the system’s Trusted Root CA store. For PM running on Linux, please check the following Admin Guide page: https://help.f-secure.com/product.html#business/policy-manager/14.00/en/task_A2581FFE289649E6A64D0BE...


F-Secure

Re: Connection to the Active Directory Domain Controller on SAMBA

Great! Thank you for the update!