enabling secure ldap samba4
Michael Wood
esiotrot at gmail.com
Sat Aug 21 15:41:02 MDT 2010
On 21 August 2010 22:10, Matthieu Patou <mat at samba.org> wrote:
> On 21/08/2010 23:53, Michael Wood wrote:
>> On 20 August 2010 21:40, Matthieu Patou<mat at samba.org> wrote:
>>> On 20/08/2010 20:58, Michael Wood wrote:
>> [...]
>>>>
>>>> I'm trying to talk to Samba4 via LDAP using TLS, and I'm getting the
>>>> following exception:
>>
>> [...]
>>>
>>> Have you compiled with gnutls ?
>>
>> Yes:
>>
>> $ ldd /usr/local/samba/sbin/samba | grep gnutls
>> libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x10941000)
After some debugging I have discovered that tls.c is compiled without
ENABLE_GNUTLS being defined, so tls_initialise() is a stub. This is
despite running configure.developer with the --enable-gnutls option,
and it clearly being linked to the samba binary.
After looking in the config.log I've found that I did not have
pkg-config installed in the VM and there was a complaint about that in
the log, but it still found gnutls anyway:
-----------------------------------8<------------------------------------------
# using ../buildtools/bin/waf configure -C --enable-developer
--enable-socket-wrapper --enable-nss-wrapper --prefix=/usr/local/samba
--enable-gnutls
[...]
Checking for gnutls >= 1.4.0
pkg-config --errors-to-stdout --print-errors "gnutls >= 1.4.0"
--cflags --libs gnutls
/bin/sh: pkg-config: not found
not found
-----------------------------------------------------------------------------------------------
Checking for library gnutls
==>
int main() {
return 0;
}
<==
[1/2] Compiling test.c
restoring from cache 'default/test_1.o'
[2/2] Linking default/testprog
['/usr/lib/ccache/gcc', 'default/test_1.o', '-o',
'/home/michael/src/samba/source4/bin/.conf_check_0/testbuild/default/testprog',
'-Wl,-Bdynamic', '-lgnutls']
yes
-----------------------------------------------------------------------------------------------
Checking for gnutls_global_init
[...]
['/usr/lib/ccache/gcc', 'default/test_1.o', '-o',
'/home/michael/src/samba/source4/bin/.conf_check_0/testbuild/default/testprog',
'-Wl,-Bdynamic', '-lgnutls']
ok
-----------------------------------8<------------------------------------------
Could it be something to do with not having pkg-config installed?
In config.h I have:
#define HAVE_LIBGNUTLS 1
#define HAVE_GNUTLS_GNUTLS_H 1
#define HAVE_GNUTLS_GLOBAL_INIT 1
#define HAVE_GNUTLS_X509_H 1
#define HAVE_GNUTLS_X509_CRT_SET_VERSION 1
#define HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID 1
#define HAVE_GNUTLS_DATUM 1
#define HAVE_GNUTLS_DATUM_T 1
#define HAVE_LIBGCRYPT 1
but no ENABLE_GNUTLS.
After looking in source4/lib/tls/wscript the lack of pkg-config does
indeed seem to be the cause.
I'm not sure I understand the wscript file correctly, but it seems
that it checks for GnuTLS using pkg-config and also by compiling
little programs and linking with -lgnutls, but it only defines
ENABLE_GNUTLS in the first case. Is this a bug in
source4/lib/tls/wscript?
>>> Is a certificate present in the private/tls ?
>>
>> No. Thanks for the hint. I did not find this documented anywhere,
>> but I have now found the relevant smb.conf parameters:
>>
> Normally it's automatically generated, but at a moment we had a bug for
> provision not located in the default path (/usr/local/samba/private)
That is the path I'm using, but of course it wouldn't work because of
the ENABLE_GNUTLS issue.
[...]
>> I've generated a cert and key with a test CA and put them into the
>> private/tls directory. I also generated a DH params file in case
>> that's needed. I explicitly included the above parameters into the
>> global section of my smb.conf except that I specified the name of the
>> DH parameters file.
>>
>> It does not appear that Samba even attempts to open any of the files.
>> I checked using -d100 and also strace.
>>
>> The only relevant output I see in the strace output is as follows:
>>
>> open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
>> [...]
>> send(66, "0I\2\1\1xD\n\1\1\4\0\4%START-TLS: Failed "..., 75, 0) = 75
>>
>> I must be missing something still.
>
> can you do a cat strace_log | grep tls.
>
> ie.
> open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libutil.so.1", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libnsl.so.1", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libdl.so.2", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libcrypt.so.1", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libm.so.6", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
> open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
> stat64("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem",
> {st_mode=S_IFREG|0644, st_size=964, ...}) = 0
> open("/home/mat/workspace/samba/homematwsnet/private/tls/ca.pem", O_RDONLY)
> = 49
> open("/home/mat/workspace/samba/homematwsnet/private/tls/key.pem", O_RDONLY)
> = 49
> open("/home/mat/workspace/samba/homematwsnet/private/tls/cert.pem",
> O_RDONLY) = 49
Yes, I get the same, except without the open("...tls/*.pem") calls, as
you would expect given the tls_initialise() function being a stub.
I have installed pkg-config and will recompile and try again.
Thanks :)
--
Michael Wood <esiotrot at gmail.com>
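Two checks a practitioner would want after reading this thread, written here as an added example (not Samba's own code, not anything posted by Michael or Matthieu). The first reads the generated config.h and distinguishes "GnuTLS found and linked" (HAVE_LIBGNUTLS) from "GnuTLS enabled for source4/lib/tls" (ENABLE_GNUTLS), which is exactly the gap that left tls_initialise() a stub. The second speaks the LDAP StartTLS extended operation (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037) in raw BER so the reply that strace showed as "START-TLS: Failed" can be reproduced and decoded: the first bytes of that 75-byte send decode as an ExtendedResponse with resultCode 1 (operationsError) and a 37-byte diagnosticMessage. The config.h lines are the ones quoted above; the sample response bytes, the diagnostic strings and the host name `dc.example.test` are constructed for this example.

```python
"""Added example: check whether Samba's build really enabled GnuTLS, and
probe an LDAP server for StartTLS at the wire level. Not part of Samba."""
import re
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# The defines quoted in the thread (constructed sample; ENABLE_GNUTLS missing).
SAMPLE_CONFIG_H = """\
#define HAVE_LIBGNUTLS 1
#define HAVE_GNUTLS_GNUTLS_H 1
#define HAVE_GNUTLS_GLOBAL_INIT 1
#define HAVE_LIBGCRYPT 1
"""


def inspect_config_h(text):
    """Return 'enabled', 'linked-only' or 'absent' for GnuTLS in a config.h."""
    defines = set(re.findall(r"^\s*#define\s+(\w+)\s+1\s*$", text, re.M))
    if "ENABLE_GNUTLS" in defines:
        return "enabled"        # tls_initialise() compiled for real
    if "HAVE_LIBGNUTLS" in defines:
        return "linked-only"    # libgnutls linked, but tls.c built as a stub
    return "absent"


# --- minimal BER helpers; LDAP only uses definite-length encoding ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)


def extended_response(result_code, diag, msg_id=1, with_name=True):
    """Build an ExtendedResponse [APPLICATION 24] as a server would send it."""
    body = _tlv(0x0A, bytes([result_code]))   # resultCode ENUMERATED (1 = operationsError)
    body += _tlv(0x04, b"")                    # matchedDN, empty
    body += _tlv(0x04, diag.encode())          # diagnosticMessage
    if with_name:
        body += _tlv(0x8A, STARTTLS_OID)       # responseName [10]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, body))


def parse_extended_response(buf):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)
    _, _matched, pos = _read_tlv(resp, pos)
    _, diag, pos = _read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_starttls(host, port=389, timeout=5.0):
    """Send StartTLS on a plain socket; resultCode 0 means the server will start TLS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        f = s.makefile("rb")
        hdr = f.read(2)                        # tag byte + first length byte
        if len(hdr) < 2:
            raise ConnectionError("server closed the connection without a reply")
        n = hdr[1]
        if n & 0x80:                           # long-form length
            ext = f.read(n & 0x7F)
            hdr += ext
            n = int.from_bytes(ext, "big")
        data = hdr + f.read(n)
    return parse_extended_response(data)


if __name__ == "__main__":
    import sys
    print("config.h says GnuTLS is:", inspect_config_h(SAMPLE_CONFIG_H))
    host = sys.argv[1] if len(sys.argv) > 1 else "dc.example.test"   # assumed host name
    code, diag = probe_starttls(host)
    print("StartTLS resultCode %d: %s" % (code, diag or "(no diagnostic)"))
```

The probe stops after the extended response; a real client that gets resultCode 0 would then wrap the same socket in TLS (with the test CA's ca.pem as the trust anchor), which is what `ldapsearch -ZZ` does end to end. Pointing the script at a build in the state described above yields a non-zero resultCode with a diagnostic beginning "START-TLS:", while `inspect_config_h()` on that build's config.h returns "linked-only"; both should change once pkg-config is installed and ENABLE_GNUTLS gets defined.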