[Samba] Is this a new tls problem?
Peter Nyberg
Peter.Nyberg at dbb.su.se
Mon May 30 12:44:19 GMT 2005
Please CC me since I'm not on the list anymore!
I have read miles of text about tls problems in the samba list. This time I can't
find any helpful hint.
I had a fully functional test environment with samba-3.0.10 (tls enabled) and
openldap-2.1.x
After upgrading to a newer version, samba suddenly stopped authenticating against
openldap with tls enabled.
My configuration is just like the one on idealx.org
I can make users
I can connect with a self-made account.
My smb.conf has the ldap ssl = start tls setting but it seems like samba at
some point suddenly stopped having support for the tls option.
I can successfully do a:
ldapsearch -x -ZZ
My ldap account for samba is cn=samba,ou=DSA,dc=dbb,dc=su,dc=se
I've added the password to secret.tdb
I can successfully do a:
ldapsearch -x -ZZ -h localhost -D cn=samba,ou=DSA,dc=dbb,dc=su,dc=se -W
As soon as I start using samba I get the tls problem. When I start samba I get the
following error in my syslog:
May 30 14:21:21 frodo slapd[6242]: connection_read(12): unable to get TLS client DN, error=49 id=234
May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 0] lib/smbldap.c:smbldap_open_connection(677)
May 30 14:21:21 frodo smbd[11539]: Failed to issue the StartTLS instruction: Connect error
May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 1] lib/smbldap.c:another_ldap_try(1011)
May 30 14:21:21 frodo smbd[11539]: Connection to LDAP server failed for the 1 try!
Testparm doesn't show any errors.
I don't know how samba connects to the ldap server but I assume it uses ldap.conf
and here it is:
HOST frodo.dbb.su.se
##host= 127.0.0.1
BASE dc=dbb,dc=su,dc=se
rootbinddn cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se
nss_base_passwd ou=Users,dc=dbb,dc=su,dc=se?one
nss_base_passwd ou=Computers,dc=dbb,dc=su,dc=se?one
nss_base_shadow ou=Users,dc=dbb,dc=su,dc=se?one
nss_base_group ou=Groups,dc=dbb,dc=su,dc=se?one
##ssl no
pam_password md5
tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
##tls_cacertfile /etc/ldap/ca.pem ####have never worked for some reason
TLS_REQCERT demand
ssl start_tls
tls_cert /etc/nssldapcets/nssldap.pem
tls_key /etc/nssldapcets/nssldap.key
This also works:
ldapsearch -x -ZZ -h localhost -D cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se -W
I have nssldap password in ldap.secret
# - The End
I'm totally lost. Any idea is appreciated.
Thanks
Peter
Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69