TLS: Differences between testparm output, manpage and how Samba is acting

Ricky Nance ricky.nance at
Sat Jun 22 16:55:00 MDT 2013

Hi Marc, the first thing you will want to remember is that samba-tool is
made for the AD DC setup, while the other binaries (smbpasswd, testparm,
etc) are made for the smbd daemon and the various setup it can have. That
being said, it is very likely that the manpage has been update, along with
samba-tool being right, but testparm might not have been updated
accordingly. As for the other questions there, I will leave that up to
someone else to answer.


On Sat, Jun 22, 2013 at 12:54 PM, Marc Muehlfeld <samba at>wrote:

> Hello,
> new week - new Wiki-HowTo. :-) This week I wrote a HowTo about setting up
> LDAPS on a DC (**php/Setup_LDAPS_on_a_DC<>).
> But while doing researches and testings, I found some contradictions:
> If no „tls*“ parameter are in my smb.conf, then testparm, shows the
> following:
> # testparm -vs | grep tls
>         ldap ssl = start tls
>         tls enabled = No
>         tls keyfile =
>         tls certfile =
>         tls cafile =
>         tls crlfile =
>         tls dh params file =
> And samba-tool shows:
> # samba-tool testparm -v --suppress-prompt | grep tls
>         tls enabled = Yes
>         tls keyfile = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile = tls/ca.pem
>         tls crlfile =
>         tls dh params file =
> But there are differences between testparm, the manpage and what Samba
> really does:
> 1. „testparm -v“ says tls is disabled when not set, what is in
> contradiction with the manpage (default = yes). testparm seems to get a
> wrong value („No“) from somewhere. "samba-tool testparm" says it's enabled.
> And when I start Samba without this parameter, then the daemon is listening
> on 636/tcp and 3269/tcp. If I set explicit „tls enabled = no“, then this
> ports are not used and TLS is turned off.
> -> Who is wrong here? Testparm, Manpage, Samba daemon?
> 2. The manpage says, that the default for „tls cafile“, „tls certfile“ and
> „tls keyfile“ is empty. But when this values are not set, then the
> autogenerated certs/key files in .../private/tls/ are used. This is also
> what "samba-tool testparm" says. These files were re-generated
> automatically, when all 3 files don't exist. If only one or two of the
> files are existing, nothing is autogenerated - but then Samba doesn't start
> at all („TLS failed to initialise  ...file“ in the logs).
> -> Who is wrong here? Testparm, Manpage, Samba daemon?
> I haven't written a bug report yet, because I wanted to know first, which
> behavior of Samba is expected and which parts are wrong. Then I can write a
> specific bug report. Also I need to adapt my HowTo then.
> Regards,
> Marc

More information about the samba-technical mailing list