[Samba] TLS between winbind and openldap

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Aug 6 13:51:26 MDT 2013


Did you try using LDAPS (LDAP over SSL, typically on port 636)? I
can't speak specifically about it with winbind BUT I have found that in
other situations LDAPS creates fewer headaches with CA cert issues.



On 08/06/13 05:27, thierry DeTheGeek wrote:
> Hi,
>
> I found a possible workaround to my issue myself. It seems to be working.
>
> After reading one more time about ldap.conf I tried to export environment
> variables to set my private key and my certificate.
>
> This seems to be working on both debian 6 and debian 7:
>
> I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
> winbind cannot work with OpenLDAP in debug mode, as expected.
>
> I edited /etc/defaults/winbind and added the following lines
>
> export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
> export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"
>
> I restarted winbind with the command line service winbind restart. Now
> wbinfo -i user is working and I get a uid for the user.
>
> I will check further to ensure there is no more related issue.
>
>
>
> 2013/8/5 thierry DeTheGeek <dethegeek at gmail.com>
>
>> Hi,
>>
>> I'm working hard to set up winbind and openLDAP to work together with TLS.
>>
>> My network contains:
>> - a windows server 2008 R2 domain controller
>> - a debian 6 based file server (openmediavault v0.4) running OpenLDAP
>> 2.4.23 and Samba v3.5.6
>> - a debian 7 computer running winbind 3.6.6
>>
>> I want to let OpenLDAP store the SID <=> uid/gid mapping to ensure constant
>> uid and gid for users on all linux based computers and then use both CIFS
>> and NFS.
>>
>> I'm trying to solve my issue on openmediavault (debian 6) only for now,
>> because I get the exact same issue when trying to establish communication
>> between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
>>
>> I created a self signed certificate authority with openssl and created a
>> private key and a certificate for the file server. I used the same
>> certificate authority to create another key and certificate for my debian
>> 7 computer.
>>
>> OpenLDAP uses its key and is configured to check client certificates.
>> winbind on the same computer uses the same key and certificate to
>> communicate with openLDAP and is configured to check the openLDAP
>> certificate.
>>
>> When running winbind in interactive debug mode everything is running fine
>> and wbinfo -i user is able to allocate a uid to the user. Another try
>> shows the uid assigned is effectively retrieved from openLDAP. The command
>> line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
>> also to run openLDAP in debug mode with the command line slapd -d 1.
>>
>> The logs produced show that openLDAP and winbind work together with
>> encryption in both directions.
>>
>> When I run winbind daemon with the command line service winbind start, the
>> TLS connection cannot be initiated and I cannot allocate a uid to any user
>> using wbinfo -i user.
>>
>> Let's see the configuration files (domain name obfuscated):
>>
>> ##cn=config.ldif
>>
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcArgsFile: /var/run/slapd/slapd.args
>> olcLogLevel: none
>> olcPidFile: /var/run/slapd/slapd.pid
>> olcToolThreads: 1
>> structuralObjectClass: olcGlobal
>> entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
>> creatorsName: cn=config
>> createTimestamp: 20130803105505Z
>> olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
>> olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
>> olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
>> olcTLSVerifyClient: demand
>> entryCSN: 20130803125708.704922Z#000000#000#000000
>> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> modifyTimestamp: 20130803125708Z
>>
>> ##smb.conf
>> #======================= Global Settings =======================
>> [global]
>> workgroup = DOMAIN
>> server string = %h server
>> include = /etc/samba/dhcp.conf
>> dns proxy = no
>> log level = 0
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog only = yes
>> panic action = /usr/share/samba/panic-action %d
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = no
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>> guest account = nobody
>> load printers = no
>> disable spoolss = yes
>> printing = bsd
>> printcap name = /dev/null
>> unix extensions = yes
>> wide links = no
>> create mask = 0777
>> directory mask = 0777
>> use sendfile = no
>> null passwords = no
>> local master = yes
>> time server = no
>> wins support = no
>> password server = *
>> realm = DOMAIN.LOCAL
>> security = ads
>> allow trusted domains = no
>>
>> ;
>> ; samba 3.5.6 idmap configuration
>> ;
>>
>> idmap backend = ldap:ldap://omv.domain.local
>> ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
>> ldap idmap suffix = ou=Idmap
>> ldap suffix = dc=domain,dc=local
>> ldap ssl = start tls
>> ldap debug level = 4
>> ldap debug threshold = 1
>>
>> idmap uid = 16777216-50000000
>> idmap gid = 16777216-50000000
>> idmap config * : backend = ldap
>> idmap config * : ldap_url = ldap://omv.domain.local
>> idmap config * : ldap_anon = no
>> idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
>> idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>> idmap config * : range = 16777216-50000000
>>
>> idmap alloc backend = ldap
>> idmap alloc config : ldap_url = ldap://omv.domain.local
>> idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
>> idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>>
>> winbind use default domain = true
>> winbind offline logon = false
>>
>> ; disable enum users/groups on medium or large organization (affects performance)
>> ; if disabled this will disable domain users/groups enumeration with getent
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> winbind separator = /
>> winbind nested groups = yes
>> ;winbind normalize names = yes
>> winbind refresh tickets = yes
>> ;template primary group = users
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> client ntlmv2 auth = yes
>> client use spnego = yes
>>
>> #======================= Share Definitions =======================
>> #======================= Home Directories =======================
>> [homes]
>> comment = Home directories
>> browseable = yes
>> writable = yes
>> create mask = 0640
>> directory mask = 0750
>> valid users = %S
>>
>> ##/etc/ldap/ldap.conf
>> URI     ldap://omv.domain.local
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>>
>> TLS_REQCERT demand
>>
>> ##/root/ldaprc
>>
>> TLS_CERT /etc/ssl/certs/omv-domain-local.crt
>> TLS_KEY /etc/ssl/private/omv-domain-local.key
>>
>> Let me say also that ca-certificates.crt contains the certificate for my
>> self signed authority.
>>
>> What am I missing to make it run smoothly?
>>
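An added check, not from this thread, for the workaround thierry describes: winbindd started by the init script inherits its environment from the defaults file, not from /root/ldaprc, so this POSIX sh script reads the LDAPTLS_CERT and LDAPTLS_KEY exports from that file (the 'export VAR="value"' line format is the one in his message; the file path is passed as an argument), confirms both files are readable, and confirms the private key is not group- or world-readable. It makes no LDAP connection and does not verify that the certificate and key pair up or chain to the CA in ca-certificates.crt; those checks still belong to openssl.

```shell
#!/bin/sh
# Added example (not from the thread). Sanity-checks the client certificate
# environment that a daemon started from an init script would inherit from
# a Debian-style defaults file such as the one edited in the message above.

# Print the value of an 'export NAME="value"' line from a defaults file
# without sourcing it, so no shell code in that file gets executed.
# Only exported assignments count: a plain NAME=value line would not reach
# the daemon's environment when the init script sources the file.
defaults_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" \
        | tail -n 1 | tr -d "\"'"
}

# Returns 0 when the environment is usable, 1 when a variable is missing,
# 2 when a referenced file is not readable, 3 when the key mode is too open.
check_ldaptls_env() {
    defaults="$1"
    [ -r "$defaults" ] || { echo "cannot read $defaults"; return 2; }
    cert=$(defaults_value "$defaults" LDAPTLS_CERT)
    key=$(defaults_value "$defaults" LDAPTLS_KEY)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "LDAPTLS_CERT or LDAPTLS_KEY is not exported in $defaults"
        return 1
    fi
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "not readable: $f"; return 2; }
    done
    # Characters 5-10 of 'ls -ld' output are the group and other mode bits;
    # anything but dashes means the private key leaks to other local users.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "private key $key is readable by group or others"; return 3 ;;
    esac
    echo "client certificate environment in $defaults looks usable"
    return 0
}

# Usage: sh this-script.sh /etc/default/winbind   (path as on your system)
if [ "$#" -gt 0 ]; then
    check_ldaptls_env "$1"
fi
```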