[Samba] Samba and slapd.conf's TLSVerifyClient

Craig White craigwhite at azapple.com
Thu Apr 7 17:27:00 GMT 2005

On Thu, 2005-04-07 at 11:12 +0800, Doug Campbell wrote:
> I have Samba 3.0.13 and LDAP 2.2.24 installed.  I have placed the following
> directive in my slapd.conf file.
> TLSVerifyClient demand
> I have the PADL stuff configured and working fine.
> ldapsearch with -ZZ works fine.
> I even have the Idealx smbldap-tools working fine.
> Samba won't work though unless I set
> TLSVerifyClient try
> According to the slapd.conf man page, "try" causes a client certificate to
> be requested.  If no client certificate is returned then the session
> proceeds normally.  If a client certificate is returned and it is bad the
> session is terminated otherwise it should proceed normally.
> This seems to mean that either
> 1.  Samba doesn't provide a client certificate
> or
> 2.  Samba is providing a bad client certificate
> Either way, my question is where do I specify the client certificate for
> Samba to use? or put another way, does Samba even support this?
evidently, no one else wanted to answer...

samba has no means to provide a client certificate that I am aware of.
Samba should be using nss/padl stuff so in a RHEL / Fedora environment,
any references to certificates should be in /etc/ldap.conf and I believe
that should encompass options not specified in smb.conf directly. Thus
samba isn't providing a certificate because it cannot do so but would
rely upon other external methods (nss/padl) if that is configured to do

Your question seems rather confused to me...

ldapsearch command actually doesn't use padl stuff at all - it uses a
file called ldap.conf that will be in the same folder as your slapd.conf

padl stuff uses /etc/ldap.conf 

thus there are likely 2 files called ldap.conf on your system and each
are used for different things.

Then I can't understand how IDEALX - smbldap is working fine but samba

I haven't used TLSVerifyClient commands so I can't really direct you
there. It does seem to me that you should verify that all clients can
connect via TLS before you make it mandatory.

Oh and it's rather rude to cross post the same message to different
message bases - if you're gonna do that, you should have the courtesy of
an announcement.


More information about the samba mailing list