enabling secure ldap samba4

Matthieu Patou mat at samba.org
Sat Aug 21 14:10:42 MDT 2010


  On 21/08/2010 23:53, Michael Wood wrote:
> Hi
>
> On 20 August 2010 21:40, Matthieu Patou<mat at samba.org>  wrote:
>>   On 20/08/2010 20:58, Michael Wood wrote:
> [...]
>>> I'm trying to talk to Samba4 via LDAP using TLS, and I'm getting the
>>> following exception:
> [...]
>> Have you compiled with gnutls ?
> Yes:
>
> $ ldd /usr/local/samba/sbin/samba | grep gnutls
> 	libgnutls.so.26 =>  /usr/lib/libgnutls.so.26 (0x10941000)
>
>> Is a certificate present in the private/tls ?
> No.  Thanks for the hint.  I did not find this documented anywhere,
> but I have now found the relevant smb.conf parameters:
>
Normally it's automatically generated, but at one point we had a bug for 
provisions not located in the default path (/usr/local/samba/private).


> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls crlfile =
> tls dh params file =
testparm -v | grep tls also gives me this:
     tls enabled = Yes
     tls keyfile = tls/key.pem
     tls certfile = tls/cert.pem
     tls cafile = tls/ca.pem
     tls crlfile =
     tls dh params file =

> I've generated a cert and key with a test CA and put them into the
> private/tls directory.  I also generated a DH params file in case
> that's needed.  I explicitly included the above parameters into the
> global section of my smb.conf except that I specified the name of the
> DH parameters file.
>
> It does not appear that Samba even attempts to open any of the files.
> I checked using -d100 and also strace.
>
> The only relevant output I see in the strace output is as follows:
>
> open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
> [...]
> send(66, "0I\2\1\1xD\n\1\1\4\0\4%START-TLS: Failed "..., 75, 0) = 75
>
> I must be missing something still.
Can you do a cat strace_log | grep tls?

i.e.
open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libutil.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libnsl.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libdl.so.2", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libcrypt.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libm.so.6", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
stat64("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem", {st_mode=S_IFREG|0644, st_size=964, ...}) = 0
open("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem", O_RDONLY) = 49
open("/home/mat/workspace/samba/homematwsnet/private/tls/key.pem", O_RDONLY) = 49
open("/home/mat/workspace/samba/homematwsnet/private/tls/cert.pem", O_RDONLY) = 49

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
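The checks suggested in the message above (read the tls parameters testparm reports, confirm the files exist and are readable under private/tls, and look in the strace for the server actually opening them) as an added Python example. This is not code from the thread or from Samba: the testparm and strace samples are constructed to match the shape shown in the thread, the /srv/samba/private path is made up, and resolving a relative tls path against the private directory is an assumption taken from the strace paths Matthieu posted. It also flags a private key file that is group- or world-readable, which the thread does not discuss but is the first thing to check once the files are in place.

```python
import os
import re
import stat
import tempfile

# Constructed sample of `testparm -v | grep tls` output, in the shape shown in the thread.
SAMPLE_TESTPARM_TLS = """\
    tls enabled = Yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem
    tls crlfile =
    tls dh params file =
"""

# Constructed strace excerpt.  The /lib/tls/ loader lines are the noise a plain
# `grep tls` picks up; only the private-directory lines matter.  cert.pem is never opened.
SAMPLE_STRACE = """\
open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
stat64("/srv/samba/private/tls/ca.pem", {st_mode=S_IFREG|0644, st_size=964, ...}) = 0
open("/srv/samba/private/tls/ca.pem", O_RDONLY) = 49
open("/srv/samba/private/tls/key.pem", O_RDONLY) = 49
"""

REQUIRED = ("tls keyfile", "tls certfile", "tls cafile")
OPTIONAL = ("tls crlfile", "tls dh params file")
_SYSCALL = re.compile(r'^(?:open|openat|stat|stat64|lstat)\((?:AT_FDCWD, )?"([^"]+)"')


def parse_tls_params(text):
    """Turn 'tls xxx = value' lines into a dict; an empty value stays an empty string."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("tls "):
            params[key] = value.strip()
    return params


def resolve_tls_path(value, private_dir):
    """Relative tls paths are resolved against the private directory (assumption, consistent
    with the strace in the thread); an empty value means the file is not configured."""
    if not value:
        return None
    return value if os.path.isabs(value) else os.path.join(private_dir, value)


def check_tls_files(params, private_dir):
    """Return (param, problem, path) triples for anything that would stop TLS from starting
    or that weakens it (a private key readable by group or others)."""
    if params.get("tls enabled", "").lower() not in ("yes", "true", "1"):
        return [("tls enabled", "disabled", None)]
    findings = []
    for key in REQUIRED + OPTIONAL:
        path = resolve_tls_path(params.get(key, ""), private_dir)
        if path is None:
            if key in REQUIRED:
                findings.append((key, "not-set", None))
            continue
        if not os.path.isfile(path):
            findings.append((key, "missing", path))
            continue
        if not os.access(path, os.R_OK):
            findings.append((key, "unreadable", path))
            continue
        with open(path, "rb") as f:
            if not f.read(11).startswith(b"-----BEGIN "):  # PEM armour header
                findings.append((key, "not-pem", path))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key == "tls keyfile" and mode & 0o077:
            findings.append((key, "key-mode", path))
    return findings


def tls_files_touched(strace_text, params, private_dir):
    """For each configured tls file, whether the strace shows the server opening or
    stat'ing it.  Matching on the resolved path avoids the /lib/tls/ hits of `grep tls`."""
    seen = set()
    for line in strace_text.splitlines():
        m = _SYSCALL.match(line)
        if m:
            seen.add(os.path.normpath(m.group(1)))
    result = {}
    for key in REQUIRED + OPTIONAL:
        path = resolve_tls_path(params.get(key, ""), private_dir)
        if path is not None:
            result[key] = os.path.normpath(path) in seen
    return result


def demo():
    """Constructed scenario: a private dir with a world-readable key, then the key fixed,
    then cert.pem removed.  Returns the three finding lists plus the strace check."""
    params = parse_tls_params(SAMPLE_TESTPARM_TLS)
    with tempfile.TemporaryDirectory() as private_dir:
        tls_dir = os.path.join(private_dir, "tls")
        os.mkdir(tls_dir)
        for name in ("ca.pem", "cert.pem", "key.pem"):
            path = os.path.join(tls_dir, name)
            with open(path, "wb") as f:
                f.write(b"-----BEGIN CONSTRUCTED PLACEHOLDER-----\n")  # not a real key or cert
            os.chmod(path, 0o644)
        loose = check_tls_files(params, private_dir)
        os.chmod(os.path.join(tls_dir, "key.pem"), 0o600)
        fixed = check_tls_files(params, private_dir)
        os.remove(os.path.join(tls_dir, "cert.pem"))
        missing = check_tls_files(params, private_dir)
    touched = tls_files_touched(SAMPLE_STRACE, params, "/srv/samba/private")
    return loose, fixed, missing, touched


if __name__ == "__main__":
    for label, value in zip(("loose", "fixed", "missing", "touched"), demo()):
        print(label, value)
```

On a real server, feed `testparm -v | grep tls` output to parse_tls_params, the private directory from `testparm -v | grep 'private dir'` to check_tls_files, and the strace log of the samba process to tls_files_touched; a configured file that check_tls_files accepts but tls_files_touched reports as never opened is the situation described in the thread, where the daemon is not looking where the configuration says it should.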


