enabling secure ldap samba4
esiotrot at gmail.com
Sat Aug 21 13:53:45 MDT 2010
On 20 August 2010 21:40, Matthieu Patou <mat at samba.org> wrote:
> On 20/08/2010 20:58, Michael Wood wrote:
>> I'm trying to talk to Samba4 via LDAP using TLS, and I'm getting the
>> following exception:
> Have you compiled with gnutls?
$ ldd /usr/local/samba/sbin/samba | grep gnutls
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x10941000)
> Is a certificate present in the private/tls?
No. Thanks for the hint. I did not find this documented anywhere,
but I have now found the relevant smb.conf parameters:
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
I've generated a cert and key with a test CA and put them into the
private/tls directory. I also generated a DH params file in case
that's needed. I explicitly included the above parameters in the
global section of my smb.conf, except that I specified the name of the
DH parameters file.
It does not appear that Samba even attempts to open any of the files.
I checked using -d100 and also strace.
The only relevant output I see in the strace output is as follows:
open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
send(66, "0I\2\1\1xD\n\1\1\4\0\4%START-TLS: Failed "..., 75, 0) = 75
I must be missing something still.
> Did you check with other tools (just verified with apachestudio with a test
> provision; it's ok for START-TLS).
Not yet, but I will try ldapsearch when I get the server to use the cert.
Thanks again for your help.
Michael Wood <esiotrot at gmail.com>
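The setup the thread describes (a test CA, a server cert and key, a DH params file, all dropped into private/tls and referenced by the tls smb.conf parameters) as an added, self-contained example; this is not code from the thread or from Samba. It assumes openssl is on PATH, uses PRIVATE_DIR as a placeholder for the Samba private directory (/usr/local/samba/private in the thread's layout) and SERVER_NAME as a placeholder for the DC's hostname, and assumes the relative tls paths resolve against the private directory, which is why the files are placed under private/tls. The check function is the kind of thing worth running before restarting samba, since a certificate that does not chain to the CA file, a key that does not match the certificate, or a key with the wrong mode all produce symptoms that look like "the server never opened the file".

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: build a throw-away
# test CA, a server certificate and key, and a DH parameters file laid out
# the way the "tls *" smb.conf parameters quoted above expect, then check
# that the pieces fit together before restarting samba.
# Assumptions: openssl is on PATH; PRIVATE_DIR stands in for the Samba
# private directory (e.g. /usr/local/samba/private) and SERVER_NAME for the
# DC's hostname; both are placeholders.
set -e

PRIVATE_DIR="${PRIVATE_DIR:-$(mktemp -d)}"
TLS_DIR="$PRIVATE_DIR/tls"
SERVER_NAME="${SERVER_NAME:-dc1.example.test}"

# Create tls/ca.pem, tls/key.pem, tls/cert.pem and tls/dhparams.pem.
# Returns 0 on success, 1 if any openssl step fails.
make_test_tls_files() {
    mkdir -p "$TLS_DIR" && chmod 700 "$TLS_DIR" || return 1
    # Self-signed test CA. A throw-away CA like this is for a lab only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$TLS_DIR/ca-key.pem" -out "$TLS_DIR/ca.pem" >/dev/null 2>&1 || return 1
    # Server key and CSR, signed by the test CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_NAME" \
        -keyout "$TLS_DIR/key.pem" -out "$TLS_DIR/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$TLS_DIR/server.csr" \
        -CA "$TLS_DIR/ca.pem" -CAkey "$TLS_DIR/ca-key.pem" -CAcreateserial \
        -out "$TLS_DIR/cert.pem" >/dev/null 2>&1 || return 1
    # DH parameters; -dsaparam keeps generation fast enough for a lab.
    openssl dhparam -dsaparam -out "$TLS_DIR/dhparams.pem" 2048 >/dev/null 2>&1 || return 1
    # Private keys must not be readable by other accounts.
    chmod 600 "$TLS_DIR/key.pem" "$TLS_DIR/ca-key.pem" || return 1
    rm -f "$TLS_DIR/server.csr"
}

# Checks worth running before pointing smb.conf at the files: the cert chains
# to ca.pem, the cert's public key matches key.pem, the subject names the DC,
# the DH file parses, and the key mode is 0600. Returns 0 when all pass.
check_test_tls_files() {
    openssl verify -CAfile "$TLS_DIR/ca.pem" "$TLS_DIR/cert.pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$TLS_DIR/cert.pem" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$TLS_DIR/key.pem" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -subject -in "$TLS_DIR/cert.pem" 2>/dev/null \
        | grep -q "CN *= *$SERVER_NAME" || return 1
    openssl dhparam -noout -in "$TLS_DIR/dhparams.pem" >/dev/null 2>&1 || return 1
    # find -perm 600 matches the exact mode (POSIX), so this fails on a key
    # that is group- or world-readable.
    [ -n "$(find "$TLS_DIR/key.pem" -perm 600 2>/dev/null)" ] || return 1
}

# The [global] lines from the thread, with the DH params file filled in.
# Paths are relative; assumed (not stated in the thread) to resolve against
# the private directory.
smb_conf_tls_snippet() {
    cat <<'EOF'
        tls enabled = Yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem
        tls crlfile =
        tls dh params file = tls/dhparams.pem
EOF
}

make_test_tls_files
check_test_tls_files && echo "TLS files in $TLS_DIR verified; add to [global]:" && smb_conf_tls_snippet
```

Run it once with PRIVATE_DIR pointed at the real private directory (as the user samba runs as, or fix ownership afterwards), then restart samba and confirm with ldapsearch -ZZ that STARTTLS now completes; the modulus comparison is the quickest way to catch a cert and key that were generated in separate runs and do not belong together.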
More information about the samba-technical