[Samba] Samba and slapd.conf's TLSVerifyClient

Doug Campbell doug at bpta.net
Fri Apr 8 01:55:19 GMT 2005 

> > Either way, my question is where do I specify the client certificate for
> > Samba to use? or put another way, does Samba even support this?
> ----
> evidently, no one else wanted to answer...

Thank you for trying :)  Maybe no one knows the answer :(

> samba has no means to provide a client certificate that I am aware of.
> Samba should be using nss/padl stuff so in a RHEL / Fedora environment,
> any references to certificates should be in /etc/ldap.conf and I believe
> that should encompass options not specified in smb.conf directly. Thus
> samba isn't providing a certificate because it cannot do so but would
> rely upon other external methods (nss/padl) if that is configured to do
> so.

This actually is not the case.  Samba appears to reference the OpenLDAP
client ldap.conf stored on my system in /etc/openldap.

I can show this in the following way:

1.  Comment out reference to the ca cert in both padl and openldap ldap.conf
files.
2.  Restart Samba
3.  The process hangs for a while with many errors indicating that Samba is
failing in starting a TLS connection.
4.  Restore the ca cert reference in the papl ldap.conf and restart Samba,
same result as before.
5.  comment out padl reference, restore openldap's ldap.conf ca cert
reference and restart Samba.  Samba starts fine.

This is why I found it necessary to say that I had this process working for
PADL stuff (like doing a su username or getent passwd), smbtools-ldap (the
smbldap-tools.conf file allows defining of all the necessary certificates to
use) and ldapsearch.

The problem I see is that Samba uses the openldap global ldap.conf but that
the tls_cert and tls_key directives are user level directives.  So, for
example, in order to get ldapsearch to work with the TLSVerifyClient demand
directive, I have to specify the tls_cert and tls_key directives in root's
.ldaprc file.

Samba from what I have been able to discern does not have a .ldaprc file of
it's own and it does appear to use root's .ldaprc file.

Would this be considered a samba bug if it does indeed not have a way to
specify a client certificate or would this considered a desired feature?

> Oh and it's rather rude to cross post the same message to different
> message bases - if you're gonna do that, you should have the courtesy of
> an announcement.

Sorry.  Why is this rude?  I posted the question first in the ldap-interop
and then thought that maybe it would make sense to ask the samba mailing
list as well.  I don't see how this would offend anyone.  I apologize if it
did.

Doug

More information about the samba mailing list