[Samba] Samba StartTLS

steve steve at steve-ss.com
Fri Nov 11 12:34:53 MST 2011


On 11/11/2011 08:23 PM, zoolook wrote:
> 2011/11/11 steve<steve at steve-ss.com>:
>> On 11/11/2011 08:31 AM, steve wrote:
>>> Hi
>>> Scenario:
>>> Lan with opensuse 11.4 Samba and LDAP server. Linux, win-xp and win7
>>> clients.
>>>
>>>
>>>
>>> Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556,  0]
>>> lib/smbldap.c:731(smb_ldap_start_tls)
>>> Nov 10 11:20:16 hh1 smbd[6066]:   Failed to issue the StartTLS
>>> instruction:
>>> Connect error
>>>
>> Solved?
>> Adding:
>>
>> TLS_REQCERT never
>>
>> to
>>
>> /etc/openldap/ldap.conf
>>
>> allows windows to connect to the samba domain with TLS.
>>
>> Can anyone comment on the security of this workaround?
>> Thanks
> Or you can copy your servers' CA to your clients, in this case your
> samba server and use "TLS_REQCERT hard"
>
> Your solution works, but some other machine can impersonate your ldap
> server and your smb server will never know the difference.
>
>
> Regards,
> Norberto

Hi
Thanks for the reply.

But then I'm back to the Samba not being able to use TLS errors as above, 
no?

I made the workaround to get rid of the error. But I'll have a go. So, 
on a Win 7 client, where do I put the CA cert?
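
The trade-off discussed in this thread, as an added example that is not part of the original messages: a small Python check that reads an OpenLDAP client `ldap.conf` and reports whether the LDAP server's certificate is actually verified. The two sample configs and the CA file path are constructed placeholders, and the "last occurrence wins" rule is an assumption noted in the code.

```python
# Added example: audit an OpenLDAP client config (ldap.conf) for the
# certificate-checking settings discussed in this thread.

# TLS_REQCERT levels under which a forged server certificate is accepted.
RISKY = {
    "never": "server certificate is not requested or checked",
    "allow": "a bad server certificate is ignored and the session proceeds",
}
# Levels under which a bad certificate ends the session ("hard" == "demand").
VERIFYING = {"try", "demand", "hard"}
CA_OPTIONS = ("tls_cacert", "tls_cacertdir")

def parse_ldap_conf(text):
    """Return {option: value}; option names are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Assumption: when an option is repeated, the last occurrence wins.
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return a list of findings; an empty list means no issue was found."""
    opts = parse_ldap_conf(text)
    # When the option is absent, libldap defaults to "demand".
    level = opts.get("tls_reqcert", "demand").lower()
    findings = []
    if level in RISKY:
        findings.append(f"TLS_REQCERT {level}: {RISKY[level]}")
    elif level not in VERIFYING:
        findings.append(f"TLS_REQCERT {level}: unrecognised level")
    if level in VERIFYING and not any(opts.get(o) for o in CA_OPTIONS):
        findings.append("no TLS_CACERT or TLS_CACERTDIR set: the server's CA "
                        "must be trusted some other way or StartTLS will fail")
    return findings

# Constructed sample configs: the workaround from the thread, and the
# suggested alternative (the CA path is a placeholder, not from the thread).
WORKAROUND = "TLS_REQCERT never\n"
HARDENED = "TLS_CACERT /etc/ssl/certs/example-ca.pem\nTLS_REQCERT hard\n"

if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```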

