[Samba] Samba 3.0.1 and OpenLDAP 2.2.4 with TLS
Martin Ritchie
martin.ritchie at kelvininstitute.com
Fri Jan 30 10:09:06 GMT 2004
Hi all,
I've been searching the lists and web for an answer but I'm stumped; I hope
someone here has an answer for me, as I'm new to this sysadmin role.
I have set up OpenLDAP to authenticate our linux users and exim MTAs.
This all works fine with OpenLDAP only providing an ldaps:/// connection
on 636.
However, I cannot for the life of me get Samba to speak TLS to it. I've
seen numerous suggestions of simply putting
ldap ssl = start_tls or
ldap ssl = on
in the smb.conf file, but neither does the trick; my dev platform that
doesn't use TLS works fine. I get the following responses from
the above two options.
With start_tls I get a "not supported" option:
[root at ki-14 source]# smbpasswd ritchiem
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not
Supported)
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not
Supported)
Failed to find entry for user ritchiem.
Failed to modify password entry for user ritchiem
and with ldap ssl = on, the connection just dies:
[root at ki-14 source]# smbpasswd ritchiem
New SMB password:
Retype new SMB password:
failed to bind to server with dn= cn=Manager,dc=kelvininstitute,dc=com
Error: Can't contact LDAP server
(unknown)
Connection to LDAP Server failed for the 1 try!
Broken pipe
Now I'm guessing that the reason I get "Not Supported" from the
start_tls is that my backend db is an ldapsam with an ldaps URL, and so all
comms should be secure. However, when running strace over the above
command, the reason that I get a broken pipe with ssl = on is that it is
trying to send the dn= cn=Manager,dc=kelvininstitute,dc=com and password
as plain text.
One final thing about the smb.conf file. Is the ldap port information
actually used? When running testparm it doesn't show up in the output,
and the port to connect on seems to be determined by the backend passdb
uri: either ldap for 386 or ldaps for 636. Is this so, or am I missing a
trick?
Any suggestions on how to make this go?
tia
--
Martin Ritchie
the Kelvin Institute
50, George Street
Glasgow
Scotland, UK
G1 1QE
www.kelvininstitute.com
+44 (0) 141 548 5719
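The post turns on the interaction between the URI scheme in `passdb backend` and the `ldap ssl` value: an ldaps:// URI already carries TLS on 636, so asking Samba to issue StartTLS on top of it produces the "Not Supported" error, while a plain ldap:// URI with no StartTLS sends the bind DN and password in the clear. The script below is an added example, not Samba code and not from the original post: it reads an smb.conf fragment, extracts those two settings and reports the effective port and transport so an admin can spot the conflicting or plaintext combination before running smbpasswd. It assumes the default LDAP ports (389 for ldap://, 636 for ldaps://), treats a missing `ldap ssl` as "off" purely for the purpose of this check (that fallback is this example's assumption, not Samba's documented default), and uses a constructed smb.conf fragment with a placeholder hostname. For the `ldap ssl = on` combinations it only repeats what the thread reports and tells the admin to confirm on the wire, since this example does not verify that behaviour.

```python
"""Audit the LDAP transport implied by an smb.conf passdb configuration.

Added example for the thread above; not Samba's own code. Assumes the
`passdb backend` and `ldap ssl` keys as used in the post and the default
LDAP ports (389 for ldap://, 636 for ldaps://).
"""
import re
from urllib.parse import urlsplit

# Default ports for the two URI schemes (standard LDAP port assignments).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed smb.conf fragment mirroring the post's setup: ldapsam backend with
# an ldaps:// URI plus `ldap ssl = start_tls`. Hostname is a placeholder.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   # ldaps:// means TLS is already in place on port 636
   passdb backend = ldapsam:ldaps://ldap.example.invalid
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start_tls
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for a minimal smb.conf.

    Full-line comments start with '#' or ';'; keys are case-insensitive.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def ldap_uri_from_backend(backend):
    """Pull the first LDAP URI out of 'ldapsam:ldaps://host[:port]'."""
    m = re.search(r"ldapsam(?:_compat)?:\"?(ldaps?://[^\s\"]+)", backend)
    return m.group(1) if m else None


def classify(uri, ldap_ssl):
    """Describe port and transport for a URI / `ldap ssl` combination."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    mode = ldap_ssl.strip().lower()
    result = {"scheme": scheme, "port": port, "ldap_ssl": mode}
    if scheme == "ldaps":
        if mode == "start_tls":
            # TLS is already negotiated on an ldaps:// session; StartTLS cannot
            # be layered on top (the "Not Supported" error quoted in the post).
            result.update(transport="tls", verdict="conflict: StartTLS on an ldaps:// session")
        elif mode == "on":
            # The thread reports a plaintext bind with this pairing; not verified here.
            result.update(transport="unverified", verdict="legacy value: confirm with a packet capture")
        else:
            result.update(transport="tls", verdict="ok")
    elif mode == "start_tls":
        result.update(transport="starttls", verdict="ok")
    elif mode == "on":
        result.update(transport="unverified", verdict="legacy value: confirm with a packet capture")
    else:
        # No TLS at all: the admin DN and password travel unencrypted.
        result.update(transport="plaintext", verdict="bind credentials sent in the clear")
    return result


def audit(conf_text):
    """Run the check over an smb.conf fragment's [global] section."""
    g = parse_smb_conf(conf_text).get("global", {})
    uri = ldap_uri_from_backend(g.get("passdb backend", ""))
    if uri is None:
        return {"verdict": "no ldapsam backend configured"}
    # Missing `ldap ssl` is treated as "off" here; an assumption of this example.
    return classify(uri, g.get("ldap ssl", "off"))


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running it on the sample fragment reports port 636, transport tls and the StartTLS conflict; swapping the URI to ldap:// with `ldap ssl = off` reports port 389 and a plaintext bind, which is the case worth catching before credentials leave the host. The port always comes from the URI (explicit `:port` or the scheme default), matching the poster's observation that the URI, not `ldap port`, decides where Samba connects.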