[Samba] Samba StartTLS
steve
steve at steve-ss.com
Sat Nov 12 12:41:27 MST 2011
On 11/12/2011 06:52 PM, zoolook wrote:
> 2011/11/11 steve <steve at steve-ss.com>:
>> So, On a
>> win 7 client, where do I put the CA cert?
> You don't :-)
>
> Win will talk to samba. Samba talks to OpenLDAP over a tls connection.
>
> From my experience (since -from my pov- it is not clear in the docs),
> Samba needs:
>
> passdb backend = ldapsam:ldaps://ldap.yourdomain.tld
> ldap ssl = off
>
> Or
>
> passdb backend = ldapsam:ldap://ldap.yourdomain.tld
> ldap ssl = start tls
>
>
>
> BTW, the CN in the certificate must match the ldap uri in smb.conf. In
> other words, if your certificate was created using CN=ldap.mydomain,
> and you put ldapsam:ldap://localhost in smb.conf, it won't work.
>
> HTH,
> Norberto
Hi Norberto
My smb conf looks like this:
passdb backend = ldapsam:ldap://hh1.site
idmap backend = ldap:ldap://hh1.site
ldap ssl = start tls
hh1.site is my FQDN and is also the CN for the CA and servercerts.
But I'm wondering. Since the samba and ldap servers are both on the same
box, is that why TLS isn't working? Because it doesn't make sense to
have it? There is no communication between samba and ldap over the
network as they are both on the same machine. Would this explain the errors:
The windows clients can log in but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0]
lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction:
Connect error
However, they can connect with:
TLS_REQCERT never
in
/etc/openldap/ldap.conf
Confused!
Thanks for your patience.
Steve
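The two rules Norberto gives (ldaps:// pairs with "ldap ssl = off", plain ldap:// pairs with "ldap ssl = start tls", and the host in the URI must equal the certificate CN) can be checked mechanically before touching TLS_REQCERT. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment inside it is constructed in the shape Steve posted, and the certificate CN is passed in as a plain string (on a real box you would take it from "openssl x509 -noout -subject -in servercert.pem").

```python
"""Consistency check for the Samba <-> OpenLDAP TLS settings discussed in the thread.

Added example (not part of the mailing-list post).  It parses a [global]
smb.conf fragment, pulls the LDAP URIs out of 'passdb backend' / 'idmap
backend', and reports the mismatches that make smb_ldap_start_tls fail or
that silently leave the LDAP link unencrypted.
"""
import re
from urllib.parse import urlsplit

# Constructed smb.conf fragment modelled on the one in the post (not Steve's real file).
SAMPLE_SMB_CONF = """
[global]
passdb backend = ldapsam:ldap://hh1.site
idmap backend = ldap:ldap://hh1.site
ldap ssl = start tls
"""


def parse_smb_conf(text):
    """Return {'key': 'value'} for the [global] section.

    Minimal parser for this example, not Samba's own: keys are
    whitespace-normalised and lowercased, comments and section headers skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[" ".join(key.split()).lower()] = value.strip()
    return settings


def ldap_uris(settings):
    """Extract ldap:// or ldaps:// URIs from values like 'ldapsam:ldap://host'."""
    uris = []
    for key in ("passdb backend", "idmap backend"):
        match = re.search(r"(ldaps?://\S+)", settings.get(key, ""))
        if match:
            uris.append(match.group(1))
    return uris


def check_tls_settings(settings, cert_cn):
    """Return a list of problems (empty list means the settings are consistent).

    cert_cn is the CN of the LDAP server certificate, supplied by the caller.
    'start tls' is used as the fallback because that is Samba's documented
    default for 'ldap ssl'.
    """
    problems = []
    ldap_ssl = settings.get("ldap ssl", "start tls").lower()
    for uri in ldap_uris(settings):
        parts = urlsplit(uri)
        host = parts.hostname  # urlsplit lowercases the host for us
        if parts.scheme == "ldaps" and ldap_ssl != "off":
            problems.append(
                f"{uri}: ldaps:// already encrypts the session; "
                f"set 'ldap ssl = off' instead of '{ldap_ssl}'")
        if parts.scheme == "ldap" and ldap_ssl != "start tls":
            problems.append(
                f"{uri}: plain ldap:// with 'ldap ssl = {ldap_ssl}' sends the "
                f"bind credentials in clear; use 'ldap ssl = start tls'")
        if host != cert_cn.lower():
            problems.append(
                f"{uri}: host '{host}' does not match certificate CN "
                f"'{cert_cn}' (StartTLS verification will fail)")
    return problems


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for cn in ("hh1.site", "ldap.mydomain"):
        print(f"certificate CN = {cn}:")
        for problem in check_tls_settings(conf, cn) or ["  OK"]:
            print("  " + problem)
```

Run it against a real file with "parse_smb_conf(open('/etc/samba/smb.conf').read())" and the CN read off the server certificate. A non-empty result means the failure is a configuration mismatch and not something that "TLS_REQCERT never" should be papering over, since that setting just turns off certificate verification on the client side.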