[Samba] Samba StartTLS [SOLVED]
steve
steve at steve-ss.com
Sat Nov 12 22:55:15 MST 2011
On Saturday 12 Nov 2011 21:34:05 you wrote:
> Hi Steve,
>
> 2011/11/12 steve <steve at steve-ss.com>:
> > My smb conf looks like this:
> >
> > passdb backend = ldapsam:ldap://hh1.site
> > idmap backend = ldap:ldap://hh1.site
> > ldap ssl = start tls
>
> Looks right.
>
> > hh1.site is my FQDN and is also the CN for the CA and servercerts.
>
> Good
>
> > But I'm wondering. Since the samba and ldap servers are both on the same
> > box, is that why TLS isn't working?
>
> Nope. But you could disable ssl/tls in that case: "ldap ssl = off"
>
> > Because it doesn't make sense to have
> > it?
>
> It doesn't make sense to use ssl/tls connections in your case, but it
> is not the cause your setup is not working.
>
> > There is no communication between samba and ldap over the network as
> > they are both on the same machine. Would this explain the errors:
>
> No
>
> > However, they can connect with:
> >
> > TLS_REQCERT never
> > in
> > /etc/openldap/ldap.conf
>
> Yes, because you are missing your CA. If you want samba to connect
> to openldap over tls/ssl, you need something like this:
>
>
> TLS_REQCERT hard
> TLS_CACERT /path/to/your/ca.crt
>
> > Confused!
>
> Basically you either need to disable tls (ldapsam:ldap://.... and ldap
> ssl = off) or put your CA in your samba server and tell ldap where to
> find it.
>
> Regards,
> Norberto
Norberto, you are magic.
I commented out:
#TLS_REQCERT never
and added:
TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem
to /etc/openldap/ldap.conf.
restarted ldap and samba and it connected with STARTTLS!
Thank you so much.
Steve.
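Added example, not code from the thread or from Samba/OpenLDAP: a POSIX shell script that audits the TLS settings in an OpenLDAP client config for exactly the change made above (TLS_REQCERT hard plus a TLS_CACERT that exists), and a helper that uses openssl to confirm the StartTLS chain verifies against that CA. The sample config files, the temp paths and the hostname/CA path used for the probe are constructed assumptions, not the poster's actual files.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/openldap/ldap.conf-style TLS
# settings before pointing Samba's ldapsam backend at the directory with
# "ldap ssl = start tls".
#
# Rule: TLS_REQCERT must be "hard" (or its synonym "demand", the default) and
# TLS_CACERT must name a readable CA file. "TLS_REQCERT never" makes the client
# accept any server certificate, so StartTLS "works" but nothing is verified.

# ldap_conf_get FILE KEYWORD -> prints the effective value of KEYWORD
# (keywords are case-insensitive; last uncommented occurrence wins; lines
# starting with '#' are comments, as in ldap.conf(5)).
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# check_ldap_conf FILE -> 0 if FILE enforces CA verification, 1 otherwise.
check_ldap_conf() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)

    case "${reqcert:-demand}" in
        hard|demand) ;;
        *) echo "FAIL $conf: TLS_REQCERT is '$reqcert', server cert not verified"
           return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "FAIL $conf: no TLS_CACERT, verification has no trust anchor"
        return 1
    fi
    if [ ! -r "$cacert" ]; then
        echo "FAIL $conf: TLS_CACERT '$cacert' is not readable"
        return 1
    fi
    echo "OK   $conf: TLS_REQCERT=${reqcert:-demand} TLS_CACERT=$cacert"
    return 0
}

# starttls_probe HOST CAFILE -> 0 only if openssl can upgrade a plain LDAP
# connection on 389 to TLS and the server's chain verifies against CAFILE.
# Needs a reachable server; not run in the demo below.
starttls_probe() {
    openssl s_client -starttls ldap -connect "$1:389" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# --- demo on constructed files (paths are assumptions, not the poster's) ---
demo=$(mktemp -d)
touch "$demo/YaST-CA.pem"           # stand-in for the CA certificate file
cat >"$demo/weak.conf" <<EOF
TLS_REQCERT never
EOF
cat >"$demo/fixed.conf" <<EOF
#TLS_REQCERT never
TLS_REQCERT hard
TLS_CACERT $demo/YaST-CA.pem
EOF
check_ldap_conf "$demo/weak.conf" || :    # expected: FAIL
check_ldap_conf "$demo/fixed.conf"        # expected: OK
# With a live directory (hostname and CA path assumed):
# starttls_probe hh1.site "$demo/YaST-CA.pem" && echo "StartTLS chain verified"
rm -rf "$demo"
```

Once the config passes, `ldapsearch -ZZ -H ldap://hh1.site -x -b "" -s base` is the client-side equivalent of Samba's `ldap ssl = start tls`: `-ZZ` makes the bind fail rather than silently fall back to cleartext when StartTLS or the certificate check does not succeed, and it reads the same ldap.conf, so it fails for the same reason Samba did while `TLS_REQCERT` was set to `never`.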