[Samba] samba + start tls

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Fri Sep 15 19:32:13 GMT 2006



On 09/15/2006 12:24 PM, Matt Herzog wrote:
> On Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
>>	The correct option is "start_tls", but it is the default
>>option, you don't need to set this up. And the key server is not
>>related to Samba; this option just tells Samba to use SSL when
>>talking with the LDAP server.
> 
> I have winbind working nicely with AD here. It took a while to 
> figure out but now AD user accounts can ssh into my Linux boxen
> reliably, which is really all I needed; just ssh access. But I
> want to make sure all the LDAP traffic is secured via TLS/SSL.

	Ok, but this is not Samba's part of the job. :)

	If Samba is not talking with your LDAP server, then this
parameter has no effect. You should do the TLS/SSL configuration
on your LDAP server. And you should use Kerberos to have real
security in your SMB network.


> On my network if I run nmap on the Win2K AD server I see that 
> port 636 is open. So I generated a cert file on the Win2K
> server and converted it to a PEM file (using openssl on Linux)
> and placed it in /etc/openldap/cacerts and made sure
> it was world readable. My ldap.conf file looks like this:

	If it is a PEM with a private certificate, it shouldn't be
world readable.


> #-----------------------------------------------------------
> BASE    dc=cinteractive, dc=com
> URI     ldaps://attu.binteractive.com:636
> debug 256
> logdir /var/log/ldap.errors
> host BATTU
> base BINTERACTIVE.COM
> ssl yes
> TLS_CACERT /etc/openldap/cacerts/battu.pem
> pam_password md5
> #------------------------------------------------------------
> 
> The ldap log file I set up is empty. Nothing ever gets written to it.

	Increase the log level on slapd.conf.


> Every time I su to root on the Linux servers I see:
> 
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS: can't connect.
> 
> I'm not looking to run slapd on this server. LDAP and winbind are used only
> to allow users to login via ssh with their AD credentials.

	Ok, it is a configuration of libldap and other software
that will use resources to query the LDAP server. But AIUI you are
not using Samba to query LDAP, you are using winbind to do that,
and then your question is a little bit off-topic here. ;)

	Kind regards,

-- 
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
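An added example, not code from the thread or from Samba/OpenLDAP: a small Python lint for an ldap.conf like the one quoted above, checking the points raised in the replies (the TLS_CACERT file exists, a PEM holding a private key is not world-readable, and the file actually contains a CA certificate rather than an exported server certificate, which is a common cause of "unable to get local issuer certificate"). The function names, the sample ldap.conf and the constructed PEM contents are assumptions for the demonstration.

```python
import os
import ssl
import tempfile
# Constructed sample modelled on the ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """\
URI     ldaps://attu.binteractive.com:636
ssl yes
TLS_CACERT {cacert}
"""

def parse_ldap_conf(text):
    """Map 'KEY value' lines to a dict; keys upper-cased, comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def check_tls_cacert(conf):
    """Return a list of findings about the TLS settings in a parsed ldap.conf dict."""
    findings = []
    if not conf.get("URI", "").startswith("ldaps://"):
        findings.append("URI is not ldaps://; traffic stays clear unless start_tls is used")
    path = conf.get("TLS_CACERT")
    if not path or not os.path.isfile(path):
        return findings + ["TLS_CACERT file missing: %r" % path]
    with open(path, "rb") as fh:
        pem = fh.read()
    if b"PRIVATE KEY-----" in pem:  # a CA file should hold certificates only
        findings.append("TLS_CACERT contains a private key")
        if os.stat(path).st_mode & 0o004:
            findings.append("private key in TLS_CACERT is world-readable")
    # PROTOCOL_TLS_CLIENT loads no system CAs, so get_ca_certs() shows only this file.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:
        return findings + ["TLS_CACERT is not a loadable PEM bundle: %s" % exc]
    # get_ca_certs() lists only CA certificates: an exported *server* certificate loads
    # but yields nothing, and libldap then reports "unable to get local issuer certificate".
    if not ctx.get_ca_certs():
        findings.append("TLS_CACERT holds no CA certificate (the issuer of the server cert)")
    return findings

def build_sample(pem_bytes, world_readable):
    """Write the constructed ldap.conf and PEM to a temp dir; return the parsed conf."""
    cacert = os.path.join(tempfile.mkdtemp(), "battu.pem")
    with open(cacert, "wb") as fh:
        fh.write(pem_bytes)
    os.chmod(cacert, 0o644 if world_readable else 0o600)
    return parse_ldap_conf(SAMPLE_LDAP_CONF.format(cacert=cacert))
```

Run it against a real TLS_CACERT path by calling check_tls_cacert(parse_ldap_conf(open("/etc/openldap/ldap.conf").read())); an empty list means none of the checked problems were found.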
