enabling secure ldap samba4

Michael Wood esiotrot at gmail.com
Sat Aug 21 13:53:45 MDT 2010


On 20 August 2010 21:40, Matthieu Patou <mat at samba.org> wrote:
>  On 20/08/2010 20:58, Michael Wood wrote:
>> I'm trying to talk to Samba4 via LDAP using TLS, and I'm getting the
>> following exception:
> Have you compiled with gnutls ?


$ ldd /usr/local/samba/sbin/samba | grep gnutls
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x10941000)

> Is a certificate present in the private/tls ?

No.  Thanks for the hint.  I did not find this documented anywhere,
but I have now found the relevant smb.conf parameters:

tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =

I've generated a cert and key with a test CA and put them into the
private/tls directory.  I also generated a DH params file in case
that's needed.  I explicitly included the above parameters in the
global section of my smb.conf, except that I specified the name of the
DH parameters file.

It does not appear that Samba even attempts to open any of the files.
I checked using -d100 and also strace.

The only relevant output I see in the strace output is as follows:

open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
send(66, "0I\2\1\1xD\n\1\1\4\0\4%START-TLS: Failed "..., 75, 0) = 75

I must be missing something still.

> Did you check with other tools? (I just verified with apachestudio with a test
> provision; it's OK for START-TLS.)

Not yet, but I will try ldapsearch when I get the server to use the cert.

Thanks again for your help.

Michael Wood <esiotrot at gmail.com>
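The procedure described in the message above (a test CA, a server cert and
key in private/tls, a DH params file, the tls lines in [global], then an
ldapsearch check), carried through as an added worked example. This is not
code from the original post or from Samba. It assumes OpenSSL and the OpenLDAP
ldapsearch client are installed, a private directory of
/usr/local/samba/private matching the build in the post, and a hypothetical DC
hostname dc1.samba.example. The smb.conf option names are the ones listed in
the post; relative values of those options are resolved against the private
directory, so tls/key.pem means /usr/local/samba/private/tls/key.pem. Samba
loads the key file directly, so it must be an unencrypted PEM file. The
pre-flight check is the step the post was missing: it confirms the files the
configuration names actually exist where Samba will look before the server is
restarted.

```shell
#!/bin/sh
# Added example (not Samba's code): build a throwaway TLS setup for a Samba 4 DC
# and check that smb.conf points at files that exist. Paths/hostnames are assumptions.
set -eu

# make_test_pki OUTDIR DC_FQDN [DAYS]: writes ca.pem, cert.pem, key.pem into OUTDIR.
make_test_pki() {
    outdir=$1; fqdn=$2; days=${3:-365}
    mkdir -p "$outdir" && chmod 700 "$outdir"
    # Test CA. Its key is not used by Samba; move it off the DC after signing.
    openssl genrsa -out "$outdir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$outdir/ca.key" -sha256 -days "$days" \
        -subj "/CN=Test Samba CA" -out "$outdir/ca.pem"
    # Server key (unencrypted PEM, root-only) and CSR.
    openssl genrsa -out "$outdir/key.pem" 2048 2>/dev/null
    chmod 600 "$outdir/key.pem"
    openssl req -new -key "$outdir/key.pem" -subj "/CN=$fqdn" -out "$outdir/server.csr"
    # Sign with a SAN and serverAuth EKU so LDAP clients can match the DC hostname.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" > "$outdir/server.ext"
    printf 'keyUsage = digitalSignature, keyEncipherment\nbasicConstraints = CA:FALSE\n' >> "$outdir/server.ext"
    openssl x509 -req -in "$outdir/server.csr" -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$outdir/server.ext" \
        -out "$outdir/cert.pem" 2>/dev/null
    rm -f "$outdir/server.csr" "$outdir/server.ext"
    # Sanity check: the new cert chains to the CA we just wrote.
    openssl verify -CAfile "$outdir/ca.pem" "$outdir/cert.pem" | grep -q ': OK$'
}

# make_dh_params OUTDIR [BITS]: DH group for "tls dh params file" (slow at 2048 bits).
make_dh_params() {
    openssl dhparam -out "$1/dh.pem" "${2:-2048}" 2>/dev/null
}

# cert_has_san CERT FQDN: 0 if the certificate carries a DNS SAN for FQDN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# smbconf_get SMBCONF NAME: value of "NAME = value" (name match is case-insensitive).
smbconf_get() {
    awk -v key="$2" '
        index($0, "=") == 0 { next }
        { name = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (tolower(name) == key) { print val; exit } }' "$1"
}

# check_samba_tls_files SMBCONF PRIVATEDIR: pre-flight check. Every tls file named
# in smb.conf must be readable (relative paths resolve against PRIVATEDIR) and
# "tls enabled" must be yes. Warns if the key is group/world readable. Returns 0 if OK.
check_samba_tls_files() {
    conf=$1; priv=$2; rc=0
    case $(smbconf_get "$conf" "tls enabled" | tr 'A-Z' 'a-z') in
        yes|true|1) ;;
        *) echo "tls enabled is not set to yes in $conf" >&2; rc=1 ;;
    esac
    for opt in "tls keyfile" "tls certfile" "tls cafile" "tls crlfile" "tls dh params file"; do
        val=$(smbconf_get "$conf" "$opt")
        [ -n "$val" ] || continue            # unset/empty option: nothing to open
        case $val in /*) path=$val ;; *) path="$priv/$val" ;; esac
        if [ ! -r "$path" ]; then
            echo "MISSING: $opt = $val (Samba would open $path)" >&2; rc=1; continue
        fi
        if [ "$opt" = "tls keyfile" ]; then
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case $mode in *00) ;; *) echo "WARN: $path is mode $mode; use 600" >&2 ;; esac
        fi
    done
    return "$rc"
}

# verify_ldap_tls DC_FQDN CAFILE: client-side check once Samba is running.
# -ZZ makes a failed STARTTLS fatal instead of silently falling back to plaintext.
verify_ldap_tls() {
    LDAPTLS_CACERT=$2 ldapsearch -x -H "ldap://$1" -ZZ -b '' -s base namingContexts
    LDAPTLS_CACERT=$2 ldapsearch -x -H "ldaps://$1" -b '' -s base namingContexts
}

# Usage: sh samba-test-tls.sh /usr/local/samba/private dc1.samba.example [smb.conf]
main() {
    make_test_pki "$1/tls" "$2"
    make_dh_params "$1/tls"
    echo "Add to [global]: tls enabled = yes / tls keyfile = tls/key.pem /"
    echo "tls certfile = tls/cert.pem / tls cafile = tls/ca.pem / tls dh params file = tls/dh.pem"
    [ $# -ge 3 ] && check_samba_tls_files "$3" "$1"
    echo "Restart samba, then: verify_ldap_tls $2 $1/tls/ca.pem"
}
[ $# -ge 2 ] && main "$@"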
