[Samba] Samba StartTLS

steve steve at steve-ss.com
Sat Nov 12 12:41:27 MST 2011

On 11/12/2011 06:52 PM, zoolook wrote:
> 2011/11/11 steve<steve at steve-ss.com>:
>>   So, On a
>> win 7 client, where do I put the CA cert?
> You don't :-)
> Win will talk to samba. Samba talks to OpenLDAP over a tls conection.
> > From my experience (since -from my pov- it is not clear in the docs),
> Samba needs:
>          passdb backend = ldapsam:ldaps://ldap.yourdomain.tld
>          ldap ssl = off
> Or
>          passdb backend = ldapsam:ldap://ldap.yourdomain.tld
>          ldap ssl = start tls
> BTW, the CN in the certificate must match the ldap uri if smb.conf. In
> other words, if your certificate was created using CN=ldap.mydomian,
> and you put ldapsam:ldap://localhost in smb.conf, it won't work.
> HTH,
> Norberto

Hi Norberto

My smb conf looks like this:

passdb backend =  ldapsam:ldap://hh1.site
idmap backend = ldap:ldap://hh1.site
ldap ssl = start tls

hh1.site is my FQDN and is also the CN for the CA and servercerts.

But I'm wondering. Since the samba and ldap servers are both on the same 
box, is that why TLS isn't working? Because it doesn't make sense to 
have it? There is no communication between samba and ldap over the 
network as they are both on the same machine. Would this explain the errors:

The windows clients can login but are denied access to their home folder:

Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556,  0]
Nov 10 11:20:16 hh1 smbd[6066]:   Failed to issue the StartTLS instruction:
Connect error

However, they can connect with:


Thanks for your patience.

More information about the samba mailing list