Weird startup problems TLS & SSL openldap and samba 3.0.23

Jose Gilberto Torres jogeedaklown at yahoo.com
Tue Jul 18 18:18:10 GMT 2006

I am kind of confused with this situation.  I am attempting to build a 
PDC using TLS/SSL with the following versions of software.

Samba 3.0.23
OpenLDAP 2.3.19
Fedora Core 5

When I startup the Samba server via the "service" command (service smb 
start) I get the following errors in my logs.

Using SSL:

Jul 13 09:52:34 prism smbd[23161]:   smbldap_search_suffix: Problem 
during the LDAP search: error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure (Time limit exceeded)
Jul 13 09:52:34 prism smbd[23161]: [2006/07/13 09:52:34, 0] 
Jul 13 09:52:34 prism smbd[23161]:   Failed to issue the StartTLS 
instruction: Can't contact LDAP server

Using TLS

Jul 18 10:32:09 prism smbd[7441]: [2006/07/18 10:32:09, 0] 
Jul 18 10:32:09 prism smbd[7441]:   Failed to issue the StartTLS 
instruction: Connect error

But when I start up Samba issuing this command "/etc/init.d/smb start", 
it works.  Is this a bug in the "service" command?  Did I 
misconfigure something?  Is there anything I can try to debug this 
problem?  I've included the configuration files for samba and ldap.  
I've hidden the actual hostname and DIT.  Thanks!

# OpenLDAP client-library settings (ldap.conf-style URI/BASE/TLS_* directives).
# The "<-" after URI is the poster's own marker, not part of the directive.
# NOTE(review): this URI is ldaps:// (TLS from the first byte), whereas the
# smb.conf excerpt below points passdb at ldap://yyyy.com with
# "ldap ssl = start_tls"; the two describe different transports. Confirm
# which of the two smbd actually honours, since the log shows both a
# "sslv3 alert handshake failure" and a StartTLS "Connect error".
URI ldaps://yyyy.com <-
BASE dc=xxxx,dc=xxxx,dc=com
# CA that the client uses to verify the server certificate.
TLS_CACERT /etc/openldap/ca.crt
# Client certificate and key presented to slapd. slapd.conf below sets
# "TLSVerifyClient demand", so the handshake fails unless a certificate is
# presented. These are the same files slapd uses as its own server cert/key,
# so the key must also be readable by the account smbd runs as — TODO confirm
# the file mode; a key the client cannot open would look like a handshake
# failure rather than a permission error in the smbd log.
TLS_CERT /etc/openldap/server.crt
TLS_KEY  /etc/openldap/server.key

# slapd.conf (server side): schemas, one bdb database, indexes, ACLs, TLS.
# samba.schema supplies the samba* attributes indexed and ACL-protected below.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

database        bdb
suffix          dc=xxxx,dc=xxxx,dc=com
# rootdn bypasses the access rules below entirely; it is the same DN that
# smb.conf (ldap admin dn) and the nss_ldap config (binddn) bind as.
rootdn          "cn=Manager,dc=xxxx,dc=xxxx,dc=com"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory     /var/lib/ldap

# Indexes for the attributes nss_ldap and Samba's ldapsam search on.
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index objectClass          eq
index memberUid               eq,subinitial
index mail                 eq,subinitial
index givenname               eq,subinitial
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub

#Access to read the root DSE (DSA [Directory System Agent] Specific Entry)
access to dn.base=""
   by self write
   by * auth
# Password attributes: owner may read/write, everyone else may only use them
# to authenticate. sambaLMPassword/sambaNTPassword are password-equivalent
# hashes, so the trailing "by * none" is what keeps them from being read.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
   by anonymous auth
   by * none
# Everything else. NOTE(review): slapd stops at the first "by" clause that
# matches, and "*" matches anonymous too, so "by anonymous auth" below is
# never reached: anonymous binds get read access to the whole tree. If that
# is not intended, list "by anonymous auth" (or use "by users read") before
# "by * read".
access to *
   by * read
   by anonymous auth

# Require a TLS-protected connection (TLS SSF >= 1) for every operation.
security tls=1
# Server certificate chain/key, and the CA used to verify client certificates.
# "demand" aborts the handshake for any client that presents no valid
# certificate; that is one plausible source of the "sslv3 alert handshake
# failure" in the smbd log, but the log lines shown do not prove it.
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand

# nss_ldap / pam_ldap configuration (nss_base_* and pam_password directives).
# StartTLS on port 389; "tls_reqcert demand" and "tls_checkpeer yes" make a
# valid server certificate mandatory.
uri ldap://yyyy.com
host yyyy.com
port 389
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
# Client certificate/key for slapd's "TLSVerifyClient demand". These are the
# server's own cert/key files; nss_ldap runs inside every process that does a
# name lookup, so any non-root process needs read access to the key —
# NOTE(review): confirm the key's file mode, since that either weakens the
# server key or breaks lookups for unprivileged users.
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile /etc/openldap/ca.crt
base dc=xxxx,dc=xxxx,dc=com
# NOTE(review): binddn is the directory rootdn (same DN as "rootdn" in
# slapd.conf), and its password is here in clear text. This file is usually
# world-readable because nss_ldap reads it as every local user, so this hands
# full directory access to anyone who can read it. nss_ldap does not need
# rootdn: the ACLs above already allow anonymous read, so the binddn/bindpw
# pair can be dropped or replaced by a dedicated read-only DN; if a privileged
# bind is really required, use "rootbinddn" with the password in
# /etc/ldap.secret (mode 0600) instead of "bindpw".
binddn cn=Manager,dc=xxxx,dc=xxxx,dc=com
bindpw TTTTT
# Search bases, one level deep, matching the ldap *suffix values in smb.conf.
nss_base_passwd   ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_passwd   ou=Computers,dc=xxxx,dc=xxxx,dc=com?one
nss_base_shadow   ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_group    ou=Groups,dc=xxxx,dc=xxxx,dc=com?one
nss_base_hosts    ou=Hosts,dc=xxxx,dc=xxxx,dc=com?one
# pam_ldap hashes a changed password itself (MD5 crypt) before writing
# userPassword — presumably meant to pair with "ldap passwd sync" in smb.conf;
# verify the two paths agree on the hash format.
pam_password md5

/etc/samba/smb.conf   - Just the global portion.
        # smb.conf [global] excerpt (the section header itself is not shown).
        # Your Workgroup Name
        workgroup = TEST-PURPLE
        # Server name
        netbios name = TEST-PURPLE
        # ldapsam over plain ldap://, upgraded with StartTLS by "ldap ssl"
        # further down. Note the client ldap.conf above uses ldaps:// instead.
        passdb backend = ldapsam:ldap://yyyy.com
        username map = /etc/samba/smbusers
        printcap name = cups
        # smbldap-tools provisioning scripts. The lines ending in "-m", "-x"
        # and "-g" are presumably single lines in the real file and were only
        # wrapped by the mail client; as shown they would not parse.
        add user script = /usr/local/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/local/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/local/sbin/smbldap-groupmod -m 
'%u' '%g'
        delete user from group script = /usr/local/sbin/smbldap-groupmod 
-x '%u' '%g'
        set primary group script = /usr/local/sbin/smbldap-usermod -g 
'%g' '%u'
        add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
        enable privileges = yes
#Domain Controller setup
        # Browser-election and PDC role settings.
        domain logons = Yes
        os level = 44
        preferred master = Yes
        domain master = Yes
        show add printer wizard = Yes
        # Suffixes match the nss_base_* bases in the nss_ldap config above.
        ldap suffix = dc=xxxx,dc=xxxx,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        # smbd binds as the directory rootdn; the password is stored in
        # secrets.tdb (set with "smbpasswd -w"), not in this file.
        ldap admin dn = cn=Manager,dc=xxxx,dc=xxxx,dc=com
        # Also rewrite userPassword when the NT/LM hashes change.
        ldap passwd sync = Yes
        # StartTLS on the ldap:// URI above; the commented alternative "on"
        # is the ldaps mode. The log excerpts above show each mode tried.
        ldap ssl = start_tls
#        ldap ssl = on
        # uid and gid share one range; no "idmap backend" line is shown here,
        # although "ldap idmap suffix" is set.
        idmap uid = 15000-20000
        idmap gid = 15000-20000

