enabling secure ldap samba4
Matthieu Patou
mat at samba.org
Sat Aug 21 14:10:42 MDT 2010
On 21/08/2010 23:53, Michael Wood wrote:
> Hi
>
> On 20 August 2010 21:40, Matthieu Patou<mat at samba.org> wrote:
>> On 20/08/2010 20:58, Michael Wood wrote:
> [...]
>>> I'm trying to talk to Samba4 via LDAP using TLS, and I'm getting the
>>> following exception:
> [...]
>> Have you compiled with gnutls ?
> Yes:
>
> $ ldd /usr/local/samba/sbin/samba | grep gnutls
> libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x10941000)
>
>> Is a certificate present in the private/tls ?
> No. Thanks for the hint. I did not find this documented anywhere,
> but I have now found the relevant smb.conf parameters:
>
Normally it's automatically generated, but at one point we had a bug for a
provision not located in the default path (/usr/local/samba/private).
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls crlfile =
> tls dh params file =
testparm -v | grep tls gives me also this:
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
> I've generated a cert and key with a test CA and put them into the
> private/tls directory. I also generated a DH params file in case
> that's needed. I explicitly included the above parameters into the
> global section of my smb.conf except that I specified the name of the
> DH parameters file.
>
> It does not appear that Samba even attempts to open any of the files.
> I checked using -d100 and also strace.
>
> The only relevant output I see in the strace output is as follows:
>
> open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
> [...]
> send(66, "0I\2\1\1xD\n\1\1\4\0\4%START-TLS: Failed "..., 75, 0) = 75
>
> I must be missing something still.
Can you do a "cat strace_log | grep tls"?
I.e.
open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libutil.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libnsl.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libdl.so.2", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libcrypt.so.1", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libm.so.6", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
stat64("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem", {st_mode=S_IFREG|0644, st_size=964, ...}) = 0
open("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem", O_RDONLY) = 49
open("/home/mat/workspace/samba/homematwsnet/private/tls/key.pem", O_RDONLY) = 49
open("/home/mat/workspace/samba/homematwsnet/private/tls/cert.pem", O_RDONLY) = 49
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
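Added example (not part of the thread, and not Samba's own tooling): a small POSIX shell script that does the check Matthieu is asking for in a repeatable way. It parses the "tls *file" lines that `testparm -v | grep tls` prints, resolves each relative path against the Samba private directory (an assumption taken from the strace output above, where tls/key.pem becomes <private>/tls/key.pem), and reports which files the server can actually open. The sample private directory it builds, with placeholder PEM contents, is constructed for the demonstration; the "tls enabled" handling assumes the Yes/No form shown in the thread.

```shell
#!/bin/sh
# Added example, not from the samba-technical thread or the Samba project.
# Check that the TLS files Samba is configured to use exist and are readable.

# Constructed sample of `testparm -v | grep tls` output, as shown in the thread.
TESTPARM_TLS_OUTPUT='tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file ='

# tls_param OUTPUT NAME -> value of the "tls NAME = value" line (empty if unset)
tls_param() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*tls $2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1
}

# resolve_tls_path PRIVATE_DIR VALUE -> absolute path Samba would open.
# Assumption: relative smb.conf values are relative to the private directory.
resolve_tls_path() {
    private_dir=$1
    value=$2
    [ -z "$value" ] && return 0
    case $value in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$private_dir" "$value" ;;
    esac
}

# check_tls_files PRIVATE_DIR TESTPARM_OUTPUT
# Prints "OK <path>" or "MISSING <path>" per configured file.
# Returns 0 only if TLS is enabled and every configured file is readable.
check_tls_files() {
    private_dir=$1
    output=$2
    status=0
    enabled=$(tls_param "$output" enabled)
    case $enabled in
        [Yy]es|[Tt]rue|1) ;;
        *) echo "tls enabled = '$enabled': Samba will not offer STARTTLS"; return 1 ;;
    esac
    for name in keyfile certfile cafile crlfile 'dh params file'; do
        value=$(tls_param "$output" "$name")
        [ -z "$value" ] && continue   # unset parameter: nothing to open
        path=$(resolve_tls_path "$private_dir" "$value")
        if [ -r "$path" ]; then
            echo "OK      $path"
        else
            echo "MISSING $path"
            status=1
        fi
    done
    return $status
}

# make_sample_private_dir -> path of a constructed private dir with placeholder
# PEM files (not real keys or certificates), mirroring the thread's layout.
make_sample_private_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/tls"
    for f in ca.pem cert.pem key.pem; do
        printf '%s\n' "placeholder contents for $f (constructed)" > "$dir/tls/$f"
    done
    printf '%s\n' "$dir"
}

# Demo: everything present, then key.pem removed, which is the failure mode
# behind the "START-TLS: Failed" reply seen in the thread.
demo_dir=$(make_sample_private_dir)
check_tls_files "$demo_dir" "$TESTPARM_TLS_OUTPUT" || true
rm -f "$demo_dir/tls/key.pem"
check_tls_files "$demo_dir" "$TESTPARM_TLS_OUTPUT" \
    || echo "STARTTLS would fail: a configured TLS file is not readable"
rm -rf "$demo_dir"
```

On a real server, run it with the output of `testparm -v | grep tls` and the private directory from `testparm -v | grep 'private dir'`; once all files report OK, `ldapsearch -ZZ -x -H ldap://<dc> -b '' -s base` (the doubled -Z makes the client refuse to continue unless STARTTLS succeeds) confirms the negotiation end to end.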