[Samba] samba + start tls

Matt Herzog msh at blisses.org
Fri Sep 15 15:24:44 GMT 2006

On Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
> Hash: SHA1
> 	The correct option is "start_tls", but it is the default
> option, you don't need to setup this. And the key server is not
> related with Samba, this option just tells samba to use SSL when
> talking with the LDAP server.

I have winbind working nicely with AD here. It took a while to figure out
but now AD user accounts can ssh into my Linux boxen reliably, which is really all
I needed; just ssh access. But I want to make sure all the LDAP traffic is
secured via TLS/SSL.

On my network if I run nmap on the Win2K AD server I see that port 636 is open.
So I generated a cert file on the Win2K server and converted it to a PEM
file (using openssl on Linux) and placed it in /etc/openldap/cacerts and made sure 
it was world readable. My ldap.conf file looks like this:

BASE    dc=cinteractive, dc=com
URI     ldaps://attu.binteractive.com:636
debug 256
logdir /var/log/ldap.errors
host BATTU
ssl yes
TLS_CACERT /etc/openldap/cacerts/battu.pem
pam_password md5

The ldap log file I set up is empty. Nothing ever gets written to it.

Every time I su to root on the Linux servers I see:

TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.

I'm not looking to run slapd on this server. LDAP and winbind are used only
to allow users to login via ssh with their AD credentials.

More information about the samba mailing list