[Samba] TLS between winbind and openldap

thierry DeTheGeek dethegeek at gmail.com
Tue Aug 6 03:27:12 MDT 2013


Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export environment
variables to set my private key and my certificate.

This seems to be working on both debian 6 and debian 7:

I dommented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines

export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"

I restarted winbind with the command line service winbind restart. Now
wbinfo -i user is working and I get an uid for the user.

I will check further to ensure there is no more related issue.



2013/8/5 thierry DeTheGeek <dethegeek at gmail.com>

> Hi,
>
> I'm working hard to setup winbind and openLDAP work together with TLS
>
> My networks contains:
> - a windows server 2008 R2 domain controller
> - a debian 6 based file server (openmediavault v0.4) running OpenLDAP
> 2.4.23 and Samba v3.5.6
> - a debian 7 computer running winbind 3.6.6
>
> I want to let OpenLDAP store SID <=> uig/gid mapping to ensure constant
> uid and gid for users on all linux based computers and then use both CIFS
> and NFS.
>
> I'm trying to solve my issue on openmediavault (debian 6) only for now,
> because I get the exact same issue when trying to establish communication
> between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
>
> I created a self signed certificate authority with openssl and created a
> private key and a certificate for te file server. I used the same
> certificate authority to create an other key and certificate for my debian
> 7 computer.
>
> OpenLDAP uses his key and is configured to check clients certificates.
> winbind on the same computer uses the same key and certificate to
> communicate with openLDAP and is configured to check the openLDAP's
> certificate.
>
> When running winbind in interactive debug mode everything is running file
> and wbinfo -i user is able to allocate an uid to the user. an other try
> shows the uid assigned is effectively retrived from openLDAP. The command
> line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried
> also to run openLDAP in debug mode with the command line slapd -d 1.
>
> the logs produced show that openLDAP and winbind work together with
> encryption in both directions.
>
> When I run winbind daemon with the command line service winbind start, the
> TLS connection cannot be initiated and I cannot allocate a uid to any user
> using wbinfo -i user.
>
> Let's see the configuration files (domain name obsfucated) :
>
> ##cn=config.ldif
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
> creatorsName: cn=config
> createTimestamp: 20130803105505Z
> olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
> olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
> olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
> olcTLSVerifyClient: demand
> entryCSN: 20130803125708.704922Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20130803125708Z
>
> ##smb.conf
> #======================= Global Settings =======================
> [global]
> workgroup = DOMAIN
> server string = %h server
> include = /etc/samba/dhcp.conf
> dns proxy = no
> log level = 0
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = yes
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> guest account = nobody
> load printers = no
> disable spoolss = yes
> printing = bsd
> printcap name = /dev/null
> unix extensions = yes
> wide links = no
> create mask = 0777
> directory mask = 0777
> use sendfile = no
> null passwords = no
> local master = yes
> time server = no
> wins support = no
> password server = *
> realm = DOMAIN.LOCAL
> security = ads
> allow trusted domains = no
>
> ;
> ; samba 3.5.6 idmap configuration
> ;
>
> idmap backend = ldap:ldap://omv.domain.local
> ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
> ldap idmap suffix = ou=Idmap
> ldap suffix = dc=domain,dc=local
> ldap ssl = start tls
> ldap debug level = 4
> ldap debug threshold = 1
>
> idmap uid = 16777216-50000000
> idmap gid = 16777216-50000000
> idmap config * : backend = ldap
> idmap config * : ldap_url = ldap://omv.domain.local
> idmap config * : ldap_anon = no
> idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
> idmap config * : range = 16777216-50000000
>
> idmap alloc backend = ldap
> idmap alloc config : ldap_url = ldap://omv.domain.local
> idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>
> winbind use default domain = true
> winbind offline logon = false
>
> ; disable enum users/groups on medium or large organization (affects
> performance)
> ; if disabled this will disable domain users/groups enumeration with getent
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind separator = /
> winbind nested groups = yes
> ;winbind normalize names = yes
> winbind refresh tickets = yes
> ;template primary group = users
> template shell = /bin/bash
> template homedir = /home/%D/%U
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> client ntlmv2 auth = yes
> client use spnego = yes
>
> #======================= Share Definitions =======================
> #======================= Home Directories =======================
> [homes]
> comment = Home directories
> browseable = yes
> writable = yes
> create mask = 0640
> directory mask = 0750
> valid users = %S
>
> ##/etc/ldap/ldap.conf
> URI     ldap://omv.domain.local
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> TLS_REQCERT demand
>
> ##/root/ldaprc
>
> TLS_CERT /etc/ssl/certs/omv-domain-local.crt
> TLS_KEY /etc/ssl/private/omv-domain-local.key
>
> Let me say also that ca-certificates.crt contains the certificate for my
> self signed authority.
>
> What am I missing to make it run smootly ?
>
>
>
>
>
>


More information about the samba mailing list