[Samba] Weird startup problems with TLS &amp; SSL, OpenLDAP and Samba 3.0.23
Jose Gilberto Torres
jogeedaklown at yahoo.com
Fri Jul 21 18:10:38 GMT 2006
Finally figured it out: it works once nscd is started, so nscd seems to be required. (Note that nscd most likely only hides the underlying problem by caching lookups. This /etc/ldap.conf has nss_base_hosts pointing at the directory, so if nsswitch.conf also routes hosts lookups through ldap, resolving the LDAP server's own hostname can recurse into nss_ldap before the server is reachable; list files and dns before ldap in nsswitch.conf, or reference the server by IP or an /etc/hosts entry, rather than depending on the cache.)
Jose
> Hello,
> I am kind of confused with this situation. I am attempting to build a
> PDC using TLS/SSL with the following version of software.
>
> Samba 3.0.23
> OpenLDAP 2.3.19
> Fedora Core 5
>
> When I start the Samba server via the "service" command (service smb
> start) I get the following errors in my logs.
>
> Using SSL:
>
> Jul 13 09:52:34 prism smbd[23161]: smbldap_search_suffix: Problem
> during the LDAP search: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure (Time limit
> exceeded)
> Jul 13 09:52:34 prism smbd[23161]: [2006/07/13 09:52:34, 0]
> lib/smbldap.c:smb_ldap_start_tls(546)
> Jul 13 09:52:34 prism smbd[23161]: Failed to issue the StartTLS
> instruction: Can't contact LDAP server
>
> Using TLS:
>
> Jul 18 10:32:09 prism smbd[7441]: [2006/07/18 10:32:09, 0]
> lib/smbldap.c:smb_ldap_start_tls(612)
> Jul 18 10:32:09 prism smbd[7441]: Failed to issue the StartTLS
> instruction: Connect error
>
> But when I start Samba with "/etc/init.d/smb start" instead, it works.
> Is this a bug in the "service" command, or did I misconfigure something?
> (On Fedora, "service" runs the init script with a scrubbed environment,
> whereas running /etc/init.d/smb directly inherits the caller's shell
> environment, so an environment-dependent lookup is the first thing to
> suspect.) Is there anything I can try to debug this problem? I've
> included the configuration files for Samba and LDAP, with the actual
> hostname and DIT hidden. Thanks!
>
> /etc/openldap/ldap.conf
> **********************
> # OpenLDAP client defaults (ldapsearch etc., and smbd's libldap). The "<-"
> # marker is the poster's annotation, not part of the file.
> # NOTE(review): ldaps:// (port 636) here, while smb.conf uses ldap:// plus
> # StartTLS and /etc/ldap.conf uses ldap:// plus start_tls; the three clients
> # do not agree, which makes the SSL-vs-TLS failures hard to compare. Pick one.
> URI ldaps://yyyy.com <-
> BASE dc=xxxx,dc=xxxx,dc=com
> # Refuse the session unless the server certificate validates against TLS_CACERT.
> TLS_REQCERT demand
> TLS_CACERT /etc/openldap/ca.crt
> # NOTE(review): these are the slapd *server's* certificate and private key,
> # reused as the client identity (slapd.conf has TLSVerifyClient demand). Every
> # process that talks to LDAP must then be able to read server.key, so it ends
> # up readable by far more than slapd. Issue a separate, low-privilege client
> # certificate/key instead and keep server.key 0600 owned by the slapd user.
> TLS_CERT /etc/openldap/server.crt
> TLS_KEY /etc/openldap/server.key
>
> /etc/openldap/slapd.conf
> ******************
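> # slapd.conf for the Samba PDC backend (OpenLDAP 2.3). Comment lines start with '#'.
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> database bdb
> suffix dc=xxxx,dc=xxxx,dc=com
> # rootdn bypasses every ACL below: whatever binds as it gets full read/write,
> # password-hash attributes included. Both smb.conf and /etc/ldap.conf bind as it.
> rootdn "cn=Manager,dc=xxxx,dc=xxxx,dc=com"
> rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> directory /var/lib/ldap
>
> # Indexes for the attributes nss_ldap and Samba search on.
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index objectClass eq
> index memberUid eq,subinitial
> index mail eq,subinitial
> index givenname eq,subinitial
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default sub
>
> # Access to read the root DSE (DSA [Directory System Agent] Specific Entry).
> # (The original comment was wrapped by the mailer; the second half had lost
> # its '#'.) These ACLs sit after 'database bdb', so they are database ACLs;
> # rootDSE access is normally governed by the global/frontend ACLs, so this
> # rule is probably never consulted -- verify with slapd -d acl.
> access to dn.base=""
> by self write
> by * auth
> # Password hashes: the owner may change them, anonymous may only bind against
> # them, nobody else may read them. sambaLMPassword is an LM hash (weak,
> # case-folded); avoid storing it unless legacy clients require it.
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by self write
> by anonymous auth
> by * none
> # Everything else. OpenLDAP applies the first matching 'by' clause and '*'
> # matches anonymous as well, so the original order ('by * read' before
> # 'by anonymous auth') made the anonymous clause unreachable and gave anonymous
> # binds read access to the whole tree. Anonymous is listed first so only
> # authenticated binds can read. All clients shown (smbd, nss_ldap) bind with a
> # DN, so nothing here relies on anonymous read; if anonymous read is actually
> # intended, drop the anonymous line instead.
> access to *
> by anonymous auth
> by * read
>
> # Require TLS protection (SSF >= 1) on every operation, and demand a client
> # certificate on every TLS session.
> security tls=1
> TLSCACertificateFile /etc/openldap/ca.crt
> TLSCertificateFile /etc/openldap/server.crt
> # server.key is also configured as the *client* key in the ldap.conf files, so
> # it has to be readable by every LDAP client process. Keep it 0600 for the slapd
> # user and issue separate client certificates instead.
> TLSCertificateKeyFile /etc/openldap/server.key
> TLSVerifyClient demand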
>
> /etc/ldap.conf
> ***********
> # nss_ldap / pam_ldap client config. This file must be world-readable because
> # the NSS module is loaded into every process, so nothing secret belongs in it.
> uri ldap://yyyy.com
> # host/port are the older way of saying the same thing as uri; redundant here.
> host yyyy.com
> port 389
> # StartTLS on 389; the server certificate must validate against tls_cacertfile.
> ssl start_tls
> tls_reqcert demand
> # tls_checkpeer is the older spelling of tls_reqcert; keeping both is harmless.
> tls_checkpeer yes
> # NOTE(review): the client identity is the slapd server's own cert and key.
> # Because nss_ldap runs inside unprivileged user processes, server.key would
> # have to be readable by every local user for this to work -- i.e. the
> # directory's TLS private key leaks to everyone on the box. Use a dedicated
> # client cert/key here and keep server.key 0600 for slapd.
> tls_cert /etc/openldap/server.crt
> tls_key /etc/openldap/server.key
> base dc=xxxx,dc=xxxx,dc=com
> # NOTE(review): every NSS lookup binds as the directory rootdn, with its
> # password in this world-readable file. Any local user can read it and then
> # read/write the whole directory, password hashes included (rootdn bypasses
> # the slapd ACLs). Use a separate least-privilege read-only account for
> # binddn/bindpw (or no binddn at all if anonymous read is allowed), and put the
> # privileged DN in rootbinddn with its password in /etc/ldap.secret (mode 0600)
> # so only root's shadow lookups use it.
> binddn cn=Manager,dc=xxxx,dc=xxxx,dc=com
> bindpw TTTTT
> # nss_ldap accepts several nss_base_passwd lines; they are searched in turn.
> nss_base_passwd ou=Users,dc=xxxx,dc=xxxx,dc=com?one
> nss_base_passwd ou=Computers,dc=xxxx,dc=xxxx,dc=com?one
> nss_base_shadow ou=Users,dc=xxxx,dc=xxxx,dc=com?one
> nss_base_group ou=Groups,dc=xxxx,dc=xxxx,dc=com?one
> # Hosts are served from LDAP too. If nsswitch.conf sends hosts lookups to ldap,
> # make sure files/dns come first so the LDAP server's own name resolves before
> # the directory is reachable.
> nss_base_hosts ou=Hosts,dc=xxxx,dc=xxxx,dc=com?one
> # How pam_ldap writes a changed userPassword: 'md5' hashes it client-side as an
> # unsalted {MD5}; 'exop' lets slapd hash it with its own (e.g. SSHA) setting and
> # is preferable. Either way a pam_ldap password change does not update the
> # sambaNTPassword/sambaLMPassword attributes; change passwords through Samba or
> # smbldap-passwd to keep them in sync.
> pam_password md5
>
> /etc/samba/smb.conf - Just the global portion.
> ***********************************
> [global]
> # Your Workgroup Name
> workgroup = TEST-PURPLE
> # Server name
> # NOTE(review): a netbios name identical to the workgroup/domain name is
> # discouraged (host and domain register overlapping NetBIOS names); give the
> # PDC its own name.
> netbios name = TEST-PURPLE
> # Accounts live in LDAP; plain ldap:// on 389, upgraded with StartTLS by
> # 'ldap ssl' below.
> passdb backend = ldapsam:ldap://yyyy.com
> username map = /etc/samba/smbusers
> printcap name = cups
> # smbldap-tools hooks. smbd runs these as root, so keep the scripts root-owned
> # and not writable by anyone else. (Some lines below were wrapped by the
> # mailer; each script is one line in the real file.)
> add user script = /usr/local/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/local/sbin/smbldap-userdel %u
> add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/local/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/local/sbin/smbldap-groupmod -m
> '%u' '%g'
> delete user from group script =
> /usr/local/sbin/smbldap-groupmod
> -x '%u' '%g'
> set primary group script = /usr/local/sbin/smbldap-usermod -g
> '%g' '%u'
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
> # Honour privileges granted with 'net rpc rights' so delegated users can do
> # admin tasks without being root.
> enable privileges = yes
> #Domain Controller setup
> domain logons = Yes
> os level = 44
> preferred master = Yes
> domain master = Yes
> show add printer wizard = Yes
> #OpenLdap
> ldap suffix = dc=xxxx,dc=xxxx,dc=com
> # The OU suffixes below are relative to 'ldap suffix'.
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> # The DN smbd binds as; its password is kept in secrets.tdb (smbpasswd -w).
> # This is the directory rootdn, which bypasses every slapd ACL; a dedicated
> # account with write access only to the Samba OUs would be least privilege.
> ldap admin dn = cn=Manager,dc=xxxx,dc=xxxx,dc=com
> # Update userPassword whenever the NT/LM hashes change.
> ldap passwd sync = Yes
> # StartTLS on the ldap:// URL above. The commented-out 'on' alternative would
> # expect ldaps:// (port 636), which does not match the passdb backend URL.
> ldap ssl = start_tls
> # ldap ssl = on
> # uid/gid range for idmap entries written under 'ldap idmap suffix'.
> idmap uid = 15000-20000
> idmap gid = 15000-20000
>