enabling secure ldap samba4
Matthieu Patou
mat at samba.org
Sun Aug 22 03:46:15 MDT 2010
Hi Michael,
> Could it be something to do with not having pkg-config installed?
>> In config.h I have:
>>
>> #define HAVE_LIBGNUTLS 1
>> #define HAVE_GNUTLS_GNUTLS_H 1
>> #define HAVE_GNUTLS_GLOBAL_INIT 1
>> #define HAVE_GNUTLS_X509_H 1
>> #define HAVE_GNUTLS_X509_CRT_SET_VERSION 1
>> #define HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID 1
>> #define HAVE_GNUTLS_DATUM 1
>> #define HAVE_GNUTLS_DATUM_T 1
>> #define HAVE_LIBGCRYPT 1
>>
>> but no ENABLE_GNUTLS.
>>
>> After looking in source4/lib/tls/wscript the lack of pkg-config does
>> indeed seem to be the cause.
We had this problem in the old build system; maybe with waf it's now possible
to correctly detect the presence of pkg-config, print a clear
message when it's not there, and also fail if there is no pkg-config
and the user asked for --enable-gnutls.
> [...]
>
> I've re-run the configure and now have ENABLE_GNUTLS defined in
> config.h and after compiling samba loads the cert, key and CA cert :)
>
> stat64("/usr/local/samba/private/tls/ca.pem", {st_mode=S_IFREG|0644,
> st_size=2650, ...}) = 0
> open("/usr/local/samba/private/tls/ca.pem", O_RDONLY) = 45
> open("/usr/local/samba/private/tls/key.pem", O_RDONLY) = 45
> open("/usr/local/samba/private/tls/cert.pem", O_RDONLY) = 45
>
> I reprovisioned, but the certs were not generated, so I used my own.
In fact at startup the samba daemon checks for the certs (if compiled
with ENABLE_GNUTLS):
sudo ./bin/samba -i -s ~/workspace/samba/homematwsnet/etc/smb.conf -M single
samba version 4.0.0alpha12-GIT-5c272b8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
samba: using 'single' process model
Attempting to autogenerate TLS self-signed keys for https for hostname 'ARES.home.matws.net'
TLS self-signed keys generated OK
> Unfortunately I'm still having trouble connecting:
>
> Traceback (most recent call last):
> File "./ldap-tls-test", line 12, in<module>
> conn.start_tls_s()
> File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line
> 540, in start_tls_s
> return self._ldap_call(self._l.start_tls_s)
> File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96,
> in _ldap_call
> result = func(*args,**kwargs)
> ldap.CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'}
>
> and:
>
> $ ldapsearch -ZZx -h localhost
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
>
Well, I'm puzzled; can you try something like this:
ldbsearch -H ldap://localhost -b "" -s base
And you should get something like:
configurationNamingContext: CN=Configuration,DC=home,DC=matws,DC=net
defaultNamingContext: DC=home,DC=matws,DC=net
dsServiceName: CN=NTDS Settings,CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=matws,DC=net
ldapServiceName: home.matws.net:ARES$@HOME.MATWS.NET
rootDomainNamingContext: DC=home,DC=matws,DC=net
schemaNamingContext: CN=Schema,CN=Configuration,DC=home,DC=matws,DC=net
serverName: CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=matws,DC=net
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=home,DC=matws,DC=net
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 3
supportedLDAPVersion: 2
vendorName: Samba Team (http://samba.org)
isSynchronized: TRUE
dnsHostName: ARES.home.matws.net
currentTime: 20100822091918.0Z
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
namingContexts: DC=home,DC=matws,DC=net
namingContexts: CN=Configuration,DC=home,DC=matws,DC=net
namingContexts: CN=Schema,CN=Configuration,DC=home,DC=matws,DC=net
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 8954
domainFunctionality: 3
forestFunctionality: 3
domainControllerFunctionality: 3
isGlobalCatalogReady: TRUE
And also try this patch; it's for debugging the starttls thing. If
everything is OK you should see something like:
Start TLS called on LDAP
Start TLS: init_server ok
But I guess you'll only see "Start TLS called on LDAP" or even nothing!
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
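The STARTTLS exchange that the traceback and `ldapsearch -ZZ` above fail at, as an added example that is not code from the thread or from Samba: a stdlib-only Python probe that sends the RFC 4511 Start TLS ExtendedRequest itself, decodes the ExtendedResponse, and only then runs a TLS handshake verified against a CA file (for instance the ca.pem from the post). It separates a server that refuses STARTTLS (non-zero resultCode plus diagnostic) from one that accepts it but then fails the handshake, which is the distinction the debug patch's "Start TLS called on LDAP" / "init_server ok" messages are after; host, port and cafile are the caller's.

```python
# Added example, not code from the thread or from Samba: stdlib-only LDAP STARTTLS probe.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 Start TLS extended operation

def ber_len(n):  # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                       # long-form length: first & 0x7F more bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf):
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse."""
    _, msg, _ = read_tlv(buf, 0)           # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)           # messageID, not checked here
    tag, ext, _ = read_tlv(msg, pos)
    if tag != 0x78:                        # [APPLICATION 24] ExtendedResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = read_tlv(ext, 0)        # resultCode ENUMERATED
    _, _, pos = read_tlv(ext, pos)         # matchedDN
    _, diag, _ = read_tlv(ext, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Step 1: STARTTLS extended op on plain LDAP. Step 2: TLS handshake verified against cafile."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    code, diag = parse_extended_response(sock.recv(4096))   # response is small, one read suffices
    if code != 0:                          # server refused STARTTLS: an LDAP-level problem
        sock.close()
        return code, diag, None
    tls = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    return code, diag, tls.getpeercert().get("subject")     # handshake happened in wrap_socket
```

A non-zero code with a diagnostic means the server itself declined Start TLS; code 0 followed by an `ssl.SSLError` means the LDAP side is fine and the certificate, key or CA file is what to look at.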