TLS: Differences between testparm output, manpage and how Samba is acting

Marc Muehlfeld samba at
Sat Jun 22 11:54:20 MDT 2013


New week - new Wiki-HowTo. :-) This week I wrote a HowTo about setting 
up LDAPS on a DC ( 
But while researching and testing, I found some contradictions:

If no „tls*“ parameters are in my smb.conf, then testparm shows the 
# testparm -vs | grep tls
         ldap ssl = start tls
         tls enabled = No
         tls keyfile =
         tls certfile =
         tls cafile =
         tls crlfile =
         tls dh params file =

And samba-tool shows:
# samba-tool testparm -v --suppress-prompt | grep tls
         tls enabled = Yes
         tls keyfile = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile = tls/ca.pem
         tls crlfile =
         tls dh params file =

But there are differences between testparm, the manpage and what Samba 
really does:

1. „testparm -v“ says tls is disabled when not set, which is in 
contradiction with the manpage (default = yes). testparm seems to get a 
wrong value („No“) from somewhere. "samba-tool testparm" says it's 
enabled. And when I start Samba without this parameter, then the daemon 
is listening on 636/tcp and 3269/tcp. If I explicitly set „tls enabled = 
no“, then these ports are not used and TLS is turned off.
-> Who is wrong here? Testparm, Manpage, Samba daemon?

2. The manpage says that the default for „tls cafile“, „tls certfile“ 
and „tls keyfile“ is empty. But when these values are not set, then the 
autogenerated certs/key files in .../private/tls/ are used. This is also 
what "samba-tool testparm" says. These files were re-generated 
automatically when all 3 files don't exist. If only one or two of the 
files exist, nothing is autogenerated - but then Samba doesn't 
start at all („TLS failed to initialise  ...file“ in the logs).
-> Who is wrong here? Testparm, Manpage, Samba daemon?

I haven't written a bug report yet, because I wanted to know first, 
which behavior of Samba is expected and which parts are wrong. Then I 
can write a specific bug report. Also I need to adapt my HowTo then.
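
A pre-flight check for the daemon behaviour reported in this message, as an added example that is not part of the original post and not Samba code: because the defaults printed by the two tools differ, it reads only explicit settings from smb.conf and looks for the three default files named in the samba-tool output. The function names, result tokens and the two path arguments are assumptions of this example, and `include` directives are not followed.

```sh
#!/bin/sh
# Added example (not Samba code). File names key.pem/cert.pem/ca.pem come from
# the samba-tool output in the post; everything else here is an assumption.

# get_param CONF NAME: last explicit value of a parameter, empty if unset.
# NAME is the parameter lower-cased with blanks removed, e.g. "tlsenabled".
get_param() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == want { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); found = 1 }
        END { if (found) print val }' "$1"
}

# tls_file_state PRIVATE_DIR: none | partial | complete
tls_file_state() {
    present=0
    for f in key.pem cert.pem ca.pem; do
        if [ -e "$1/tls/$f" ]; then present=$((present + 1)); fi
    done
    case $present in
        0) echo none ;; 3) echo complete ;; *) echo partial ;;
    esac
}

# predict_tls CONF PRIVATE_DIR: what the post observed the daemon doing.
predict_tls() {
    case $(get_param "$1" tlsenabled | tr 'A-Z' 'a-z') in
        no|false|off|0) echo off; return 0 ;;       # 636/tcp, 3269/tcp unused
    esac
    for p in tlskeyfile tlscertfile tlscafile; do
        if [ -n "$(get_param "$1" "$p")" ]; then
            echo custom; return 0                   # explicit paths: not covered by the post
        fi
    done
    case $(tls_file_state "$2") in
        none)     echo autogenerate ;;              # all three get created
        complete) echo use-existing ;;
        partial)  echo fail-to-start ;;             # "TLS failed to initialise"
    esac
}

# Stand-alone use: sh script.sh /path/to/smb.conf /path/to/private
if [ $# -eq 2 ]; then predict_tls "$1" "$2"; fi
```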

