[Samba] Re: Samba 3.0.1 and OpenLDAP 2.2.4 with TLS

Martin Ritchie martin.ritchie at kelvininstitute.com
Mon Feb 2 10:05:27 GMT 2004


Here are the configurations that I've been using. I still am unable to 
get Samba to authenticate with OpenLDAP; if anyone has a working 
combination then I would love to hear from you. The LDAP server is 
working fine as a Unix and Exim authenticator, but I can't get Samba to 
talk to it using a secure channel. Without TLS/SSL everything is fine.

Anyone have any thoughts on the configuration or approach?

My Samba configure was this:
   $ ./configure --prefix=/usr --localstatedir=/var 
--with-configdir=/etc/samba --with-privatedir=/etc/samba/private 
--with-lockdir=/var/lock --with-piddir=/var/run 
--with-logfilebase=/var/log --with-smbmount --with-utmp --with-syslog 
--with-pam_smbpass --with-ldapsam --with-ldap --with-quotas --with-ssl

My smb.conf is more or less this:
[global]
      netbios name = cam
      ldap server = xxxx.kelvininstitute.com
      ldap admin dn="cn=Manager,dc=kelvininstitute,dc=com"
       ## This should be changed to an account with less permissions.

# I tried both of these ssl options but neither would work.
# start_tls is what the docs said to use.
      ldap ssl = start_tls
#     ldap ssl = on

      ldap delete dn = no
      ldap suffix = dc=kelvininstitute,dc=com
      ldap user suffix = ou = People
      ldap group suffix = ou = Group
      ldap machine suffix = ou = Computers
      # generally the default ldap search filter is ok
      ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
      ldap passwd sync = yes

This is pretty much the /etc/ldap.conf:
# Your LDAP server. Must be resolvable without using LDAP.
host xxxxx.kelvininstitute.com
# The distinguished name of the search base.
base dc=kelvininstitute,dc=com
pam_password exop
nss_base_passwd ou=people,dc=kelvininstitute,dc=com?one
nss_base_shadow ou=people,dc=kelvininstitute,dc=com?one
nss_base_group  ou=group,dc=kelvininstitute,dc=com?one
nss_base_hosts  ou=hosts,dc=kelvininstitute,dc=com?one

TLS_CACERT /var/ki-ca2/demoCA/cacert.pem
ssl on
Philip Juels wrote:
> I'm new to this too and wondering if you have any notes or did you 
> follow online docs to get Samba to authenticate over ldap.  I've hit a 
> wall...have a working ldap server (with TLS) which we can successfully 
> authenticate jboss connections,  compiled samba from latest source 
> with-ldap and with-ldapsam, added a test user to the ldap server with 
> sambaSamAccount and posixAccount, but I'm not sure how to set up 
> smb.conf and ldap.conf.
> 
> Thanks,
> 
> Philip Juels
> pjuels at rics.bwh.harvard.edu
> 
> Martin Ritchie wrote:
> 
>> Hi all I know this may be more a Samba question but I'm hoping this is 
>> something someone else has done.
>>
>> I've been searching the lists and web for an answer but I'm stumped; 
>> hope someone here has an answer for me, as I'm new to this sysadmin 
>> role.
>> I have set up OpenLDAP to authenticate our linux users and exim MTAs. 
>> This all works fine with OpenLDAP only providing a ldaps:/// 
>> connection on 636.
>>
>> However I cannot for the life of me get samba to speak tls to it. I've 
>> seen numerous suggestions of simply putting
>>
>> ldap ssl = start_tls or
>> ldap ssl = on
>>
>> in the smb.conf file but neither do the trick my dev platform that 
>> doesn't use tls works fine. However I get the following responses from 
>> the above two options.
>>
>> with start_tls I get a not supported option
>> [root at ki-14 source]# smbpasswd ritchiem
>> New SMB password:
>> Retype new SMB password:
>> Failed to issue the StartTLS instruction: Not Supported
>> Connection to LDAP Server failed for the 1 try!
>> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not 
>> Supported)
>> Failed to issue the StartTLS instruction: Not Supported
>> Connection to LDAP Server failed for the 1 try!
>> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not 
>> Supported)
>> Failed to find entry for user ritchiem.
>> Failed to modify password entry for user ritchiem
>>
>>
>> and with ldap ssl = on, the connection just dies
>>
>> [root at ki-14 source]#  smbpasswd ritchiem
>> New SMB password:
>> Retype new SMB password:
>> failed to bind to server with dn= cn=Manager,dc=kelvininstitute,dc=com 
>> Error: Can't contact LDAP server
>>         (unknown)
>> Connection to LDAP Server failed for the 1 try!
>> Broken pipe
>>
>>
>> Now I'm guessing that the reason I get "Not Supported" from the 
>> start_tls is that my backend db is an ldapsam with an ldaps url and so all 
>> comms should be secure. However when running strace over the above 
>> command the reason that I get a broken pipe with ssl = on is that it 
>> is trying to send the dn= cn=Manager,dc=kelvininstitute,dc=com and 
>> password as plain text.
>>
>>
>> One final thing about the smb.conf file. Is the ldap port information 
>> actually used as when running testparm it doesn't show up in the 
>> output and the port to connect on seems to be determined by the 
>> backend passdb uri; either ldap for 386 or ldaps for 636. Is this so 
>> or am I missing a trick?
>>
>> Any suggestions on how to make this go?
>>
>>
>> tia
>>
> 

-- 
Martin Ritchie

the Kelvin Institute
50, George Street
Glasgow
Scotland, UK
G1 1QE

www.kelvininstitute.com
+44 (0) 141 548 5719
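The thread turns on two configuration questions that can be checked offline before touching a server: whether the `ldap ssl` setting is compatible with the URI scheme Samba is going to connect with (StartTLS upgrades a plain `ldap://` connection, so requesting it on an `ldaps://` URI is contradictory), and whether the directory actually advertises the StartTLS extended operation in its rootDSE. The script below is an added example written for this page, not code from the thread, from Samba or from OpenLDAP. It parses a constructed smb.conf and a constructed LDIF dump of a rootDSE (the shape `ldapsearch -x -b "" -s base supportedExtension` produces) and reports the mismatches. Hostnames under `example.com` are placeholders; the OIDs are the real ones for StartTLS (RFC 2830), Password Modify (RFC 3062) and "Who am I?" (RFC 4532). The mapping of the legacy `ldap server`/`ldap ssl = on` pair to LDAPS on port 636 is an assumption about Samba 3.0 behaviour, marked as such in the code.

```python
"""Offline sanity check for a Samba 3 ldapsam + TLS configuration.

Added example; not code from the thread, Samba or OpenLDAP.
"""
import re
from urllib.parse import urlsplit

# OID of the StartTLS extended operation (RFC 2830, RFC 4511).
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# Attribute type, '=', then a value with no surrounding whitespace
# (RFC 2253 form). "ou = People" does not match, "ou=People" does.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\S.*$")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}.

    Keys are lower-cased with inner whitespace squeezed; comments
    (# or ;) and blank lines are skipped; everything after the first
    '=' on a line is the value, as Samba's own parser does.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def backend_uris(g):
    """LDAP URIs Samba would connect to for the [global] section g.

    Preferred source is 'passdb backend = ldapsam:<uri>'. The older
    'ldap server' / 'ldap port' pair used in the thread is the fallback;
    that 'ldap ssl = on' selects LDAPS on 636 for the legacy path is an
    assumption about Samba 3.0 made for this example.
    """
    uris = [t[len("ldapsam:"):].strip('"')
            for t in g.get("passdb backend", "").split()
            if t.startswith("ldapsam:")]
    if uris:
        return uris
    host = g.get("ldap server")
    if not host:
        return []
    scheme = "ldaps" if g.get("ldap ssl", "").lower() == "on" else "ldap"
    port = g.get("ldap port", "636" if scheme == "ldaps" else "389")
    return [f"{scheme}://{host}:{port}"]


def parse_root_dse(ldif):
    """Set of supportedExtension OIDs from an LDIF dump of the rootDSE."""
    pairs = (l.split(":", 1) for l in ldif.splitlines() if ":" in l)
    return {v.strip() for k, v in pairs if k.strip().lower() == "supportedextension"}


def check_tls_config(smb_conf_text, root_dse_ldif):
    """Return a list of (finding_code, detail) tuples; empty means clean."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    ssl = g.get("ldap ssl", "off").lower()
    wants_starttls = ssl in ("start_tls", "start tls")
    findings = []
    for uri in backend_uris(g):
        scheme = urlsplit(uri).scheme.lower()
        if wants_starttls and scheme == "ldaps":
            # StartTLS upgrades a plain connection; this one is already TLS.
            findings.append(("start_tls_over_ldaps", uri))
        if ssl == "off" and scheme == "ldap":
            # The 'ldap admin dn' bind password would cross the wire in clear.
            findings.append(("plaintext_bind", uri))
    if wants_starttls and START_TLS_OID not in parse_root_dse(root_dse_ldif):
        findings.append(("starttls_not_advertised", START_TLS_OID))
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        value = g.get(key)
        if value is not None and not all(RDN_RE.match(r.strip()) for r in value.split(",")):
            findings.append(("suffix_spacing", f"{key} = {value}"))
    return findings


# Constructed inputs modelled on the thread (placeholder hostnames).
SAMPLE_SMB_CONF = """
[global]
   netbios name = cam
   passdb backend = ldapsam:ldaps://ldap.example.com:636
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start_tls
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou = People
   ldap group suffix = ou=Group
"""
LEGACY_SMB_CONF = """
[global]
   ldap server = ldap.example.com
   ldap suffix = dc=example,dc=com
"""
ROOT_DSE_NO_STARTTLS = """
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
"""
ROOT_DSE_WITH_STARTTLS = ROOT_DSE_NO_STARTTLS + f"supportedExtension: {START_TLS_OID}\n"

if __name__ == "__main__":
    for code, detail in check_tls_config(SAMPLE_SMB_CONF, ROOT_DSE_NO_STARTTLS):
        print(f"{code}: {detail}")
```

Feed it the real smb.conf and the output of an anonymous rootDSE search against the plain `ldap://` port; if `start_tls_over_ldaps` is reported, pick one of the two: an `ldap://` URI with `ldap ssl = start tls`, or an `ldaps://` URI with StartTLS left off. The `suffix_spacing` check flags the `ou = People` style of RDN seen in the thread so it can be normalised to `ou=People` rather than relying on the server to tolerate it.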