[Samba] smbldap_search_suffix: certificate verify failed

Antoine Jacoutot ajacoutot at dioranews.com
Tue Oct 14 09:25:44 GMT 2003


Hi :)

I'm using samba-3.0 with LDAP as a PDC under FreeBSD-5.1.
Note that I compiled samba --with-ldap, not --with-ldapsam.
I'm having a strange problem with TLS ldap certificates.
If I set the following option in smb.conf: "ldap ssl = start_tls", I get
errors like this:

$  pdbedit -L
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (Connect error)
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (Connect error)
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 7 try!
smbldap_search_suffix: Problem during the LDAP search:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (Connect error)
ldapsam_setsampwent: LDAP search failed: Connect error

nss_ldap and pam_ldap both work well using TLS.
For your information, here is my configuration concerning TLS in:
slapd.conf -->
TLSCertificateFile /usr/local/etc/openldap/ldap.cert
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.key
TLSCACertificateFile /usr/local/etc/openldap/ca.cert

ldap.conf -->
BASE    dc=domain, dc=com
URI     ldap://server.domain.com
TLS_CACERT /usr/local/etc/openldap/ca.cert

smb.conf -->
ldap passwd sync = yes
passdb backend = ldapsam:ldap://server.domain.com guest
ldap machine suffix = ou=Computers,dc=domain,dc=com
ldap user suffix = ou=People,dc=domain,dc=com
ldap group suffix = ou=Groups,dc=domain,dc=com
ldap suffix = "dc=domain,dc=com"
ldap admin dn = "cn=Manager,dc=domain,dc=com"
ldap ssl = start_tls

I get no error using ldapsearch, so I really think this is a Samba
problem. If I set the option "ldap ssl = no", then everything works
fine.

If you have any idea concerning this issue, I would really appreciate it.
Thanks.

Regards.

Antoine
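The error string in the output above is an OpenSSL packed error code followed by its three decoded fields. The script below is an added example (not part of the original mail or of Samba) that unpacks such a code and triages a chunk of pdbedit/smbd output: it counts StartTLS failures, finds the highest retry number, and flags the "certificate verify failed" reason, which means the LDAP server's certificate did not chain to any CA in the store the Samba process actually used. The sample log is constructed from the lines quoted in the mail (the wrapped lines are rejoined); the constants ERR_LIB_SSL = 20 and SSL_R_CERTIFICATE_VERIFY_FAILED = 134 are OpenSSL's values.

```python
import re
from collections import Counter

# Constructed sample, assembled from the output quoted in the mail above.
SAMPLE_LOG = """\
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Connect error)
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 7 try!
smbldap_search_suffix: Problem during the LDAP search: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Connect error)
ldapsam_setsampwent: LDAP search failed: Connect error
"""

# error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^(\n]+)")
TRY_RE = re.compile(r"failed for the (\d+) try")

# OpenSSL constants (pre-3.0 numbering, which is what a 2003-era build uses).
ERR_LIB_SSL = 20                        # "SSL routines"
SSL_R_CERTIFICATE_VERIFY_FAILED = 134   # "certificate verify failed"


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL error code laid out as lib<<24 | func<<12 | reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def triage(log_text):
    """Summarise StartTLS failures and decode every OpenSSL error in the log."""
    counts = Counter()
    max_try = 0
    errors = {}
    for line in log_text.splitlines():
        if line.startswith("Failed to issue the StartTLS"):
            counts["starttls_failed"] += 1
        m = TRY_RE.search(line)
        if m:
            max_try = max(max_try, int(m.group(1)))
        m = ERR_RE.search(line)
        if m:
            code, lib_name, func_name, reason_text = m.groups()
            lib, func, reason = decode_openssl_error(code)
            errors[code] = {
                "lib": lib, "func": func, "reason": reason,
                "lib_name": lib_name, "func_name": func_name,
                "reason_text": reason_text.strip(),
            }
            counts["ssl_errors"] += 1

    verdict = "no TLS verification failure seen"
    if any(e["lib"] == ERR_LIB_SSL and e["reason"] == SSL_R_CERTIFICATE_VERIFY_FAILED
           for e in errors.values()):
        verdict = "server certificate did not verify against the client's CA store"
    return {"counts": dict(counts), "max_try": max_try,
            "errors": errors, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, e in result["errors"].items():
        print(f"{code}: lib={e['lib']} func={e['func']} reason={e['reason']} "
              f"({e['lib_name']} / {e['func_name']} / {e['reason_text']})")
    print("StartTLS failures:", result["counts"].get("starttls_failed", 0),
          "max retry:", result["max_try"])
    print("verdict:", result["verdict"])
```

When the verdict is a verification failure while ldapsearch, nss_ldap and pam_ldap all succeed, the useful check is which CA file each client actually loads: the OpenLDAP library that Samba links reads the ldap.conf under the OpenLDAP prefix (here /usr/local/etc/openldap/ldap.conf), whereas nss_ldap and pam_ldap commonly read a separate file such as /etc/ldap.conf, so a TLS_CACERT line in one does not help a client that reads the other. Confirming that the CA in the file Samba reads is the one that signed /usr/local/etc/openldap/ldap.cert, and that the certificate's subject matches server.domain.com, covers the two usual causes of this error.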
