TLS: Differences between testparm output, manpage and how Samba is acting

Andrew Bartlett abartlet at
Sun Jun 23 05:48:38 MDT 2013

On Sat, 2013-06-22 at 19:54 +0200, Marc Muehlfeld wrote:
> Hello,
> new week - new Wiki-HowTo. :-) This week I wrote a HowTo about setting 
> up LDAPS on a DC ( 
> But while doing researches and testings, I found some contradictions:
> If no „tls*“ parameter are in my smb.conf, then testparm, shows the 
> following:
> # testparm -vs | grep tls
>          ldap ssl = start tls
>          tls enabled = No
>          tls keyfile =
>          tls certfile =
>          tls cafile =
>          tls crlfile =
>          tls dh params file =
> And samba-tool shows:
> # samba-tool testparm -v --suppress-prompt | grep tls
>          tls enabled = Yes
>          tls keyfile = tls/key.pem
>          tls certfile = tls/cert.pem
>          tls cafile = tls/ca.pem
>          tls crlfile =
>          tls dh params file =
> But there are differences between testparm, the manpage and what Samba 
> really does:
> 1. „testparm -v“ says tls is disabled when not set, what is in 
> contradiction with the manpage (default = yes). testparm seems to get a 
> wrong value („No“) from somewhere. "samba-tool testparm" says it's 
> enabled. And when I start Samba without this parameter, then the daemon 
> is listening on 636/tcp and 3269/tcp. If I set explicit „tls enabled = 
> no“, then this ports are not used and TLS is turned off.
> -> Who is wrong here? Testparm, Manpage, Samba daemon?
> 2. The manpage says, that the default for „tls cafile“, „tls certfile“ 
> and „tls keyfile“ is empty. But when this values are not set, then the 
> autogenerated certs/key files in .../private/tls/ are used. This is also 
> what "samba-tool testparm" says. These files were re-generated 
> automatically, when all 3 files don't exist. If only one or two of the 
> files are existing, nothing is autogenerated - but then Samba doesn't 
> start at all („TLS failed to initialise  ...file“ in the logs).
> -> Who is wrong here? Testparm, Manpage, Samba daemon?
> I haven't written a bug report yet, because I wanted to know first, 
> which behavior of Samba is expected and which parts are wrong. Then I 
> can write a specific bug report. Also I need to adapt my HowTo then.

So, as Ricky has explained, and I can confirm, the issue comes from the
two different parts of the codebase.  We try to pretend we only have one
smb.conf, but we still have two complete, distinct parsers.  The
defaults in the two don't match.  

Patches to make the defaults match (lib/param - samba-tool testparm vs
source3/param - testparm) and tests to show that they keep matching
would be very much appriciated, because bugs like this are silly and

This may be a bit easier in master now we only have one build system.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list