[Samba] TLS between winbind and openldap

thierry DeTheGeek dethegeek at gmail.com
Mon Aug 5 07:49:19 MDT 2013


I'm working hard to set up winbind and openLDAP to work together with TLS.

My network contains:
- a windows server 2008 R2 domain controller
- a debian 6 based file server (openmediavault v0.4) running OpenLDAP
2.4.23 and Samba v3.5.6
- a debian 7 computer running winbind 3.6.6

I want to let OpenLDAP store the SID <=> uid/gid mapping to ensure constant uid
and gid for users on all linux based computers and then use both CIFS and

I'm trying to solve my issue on openmediavault (debian 6) only for now,
because I get the exact same issue when trying to establish communication
between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).

I created a self-signed certificate authority with openssl and created a
private key and a certificate for the file server. I used the same
certificate authority to create another key and certificate for my debian
7 computer.

OpenLDAP uses its key and is configured to check client certificates.
winbind on the same computer uses the same key and certificate to
communicate with openLDAP and is configured to check the openLDAP's

When running winbind in interactive debug mode everything is running fine
and wbinfo -i user is able to allocate a uid to the user. Another try
shows the uid assigned is effectively retrieved from openLDAP. The command
line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
also to run openLDAP in debug mode with the command line slapd -d 1.

The logs produced show that openLDAP and winbind work together with
encryption in both directions.

When I run winbind daemon with the command line service winbind start, the
TLS connection cannot be initiated and I cannot allocate a uid to any user
using wbinfo -i user.

Let's see the configuration files (domain name obfuscated):


dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
creatorsName: cn=config
createTimestamp: 20130803105505Z
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
entryCSN: 20130803125708.704922Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130803125708Z

#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = no
null passwords = no
local master = yes
time server = no
wins support = no
password server = *
security = ads
allow trusted domains = no

; samba 3.5.6 idmap configuration

idmap backend = ldap:ldap://omv.domain.local
ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=domain,dc=local
ldap ssl = start tls
ldap debug level = 4
ldap debug threshold = 1

idmap uid = 16777216-50000000
idmap gid = 16777216-50000000
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://omv.domain.local
idmap config * : ldap_anon = no
idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
idmap config * : range = 16777216-50000000

idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://omv.domain.local
idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local

winbind use default domain = true
winbind offline logon = false

; disable enum users/groups on medium or large organization (affects
; if disabled this will disable domain users/groups enumeration with getent
winbind enum users = yes
winbind enum groups = yes

winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes
winbind refresh tickets = yes
;template primary group = users
template shell = /bin/bash
template homedir = /home/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes

#======================= Share Definitions =======================
#======================= Home Directories =======================
[homes]
comment = Home directories
browseable = yes
writable = yes
create mask = 0640
directory mask = 0750
valid users = %S

URI     ldap://omv.domain.local
TLS_CACERT /etc/ssl/certs/ca-certificates.crt



TLS_CERT /etc/ssl/certs/omv-domain-local.crt
TLS_KEY /etc/ssl/private/omv-domain-local.key

Let me say also that ca-certificates.crt contains the certificate of my
self-signed authority.

What am I missing to make it run smoothly?
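An offline check of the TLS material a setup like the one above depends on (client certificate verified by slapd with olcTLSVerifyClient: demand). This is an added example, not from the original post; it assumes openssl and stat are on the path, and make_demo_pki builds constructed throwaway certificates with hypothetical names in a temp directory.

```shell
#!/bin/sh
# Added check, not from the original post: validates the three things a
# mutual-TLS handshake with olcTLSVerifyClient: demand depends on.
# check_tls_material CA_BUNDLE CERT KEY
#   1. the private key belongs to the certificate
#   2. the certificate chains to a CA in the bundle
#   3. the key file is not group/world readable
# Echoes "ok" on success, otherwise a short reason with a non-zero return.
check_tls_material() {
  ca="$1"; cert="$2"; key="$3"
  cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
  kmod=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null)
  if [ -z "$cmod" ] || [ "$cmod" != "$kmod" ]; then
    echo "key does not match cert"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "cert not signed by a CA in bundle"; return 2
  fi
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    *00) echo ok ;;
    *)   echo "key readable by others (mode $mode)"; return 3 ;;
  esac
}

# Constructed test PKI in a temp dir (hypothetical names): a throwaway CA,
# a cert it signed for omv.domain.local, and an unrelated self-signed cert.
make_demo_pki() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoCA \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=omv.domain.local \
    -keyout "$d/omv.key" -out "$d/omv.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$d/omv.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/omv.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=other \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
  chmod 600 "$d/omv.key" "$d/other.key"
  echo "$d"
}
```

Against the files from the post it would be run as check_tls_material /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/omv-domain-local.crt /etc/ssl/private/omv-domain-local.key.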
