[Samba] Fwd: TLS between winbind and openldap

thierry DeTheGeek dethegeek at gmail.com
Thu Aug 8 03:06:41 MDT 2013


Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export
environment variables to set my private key and my certificate.

This seems to be working on both debian 6 and debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines

export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"

I restarted winbind with the command line service winbind restart. Now
wbinfo -i user is working and I get a uid for the user.

I will check further to ensure there is no more related issue.




2013/8/5 thierry DeTheGeek <dethegeek at gmail.com>
>
> Hi,
>
> I'm working hard to set up winbind and openLDAP to work together with TLS.
>
> My network contains:
> - a windows server 2008 R2 domain controller
> - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6
> - a debian 7 computer running winbind 3.6.6
>
> I want to let OpenLDAP store the SID <=> uid/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS.
>
> I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
>
> I created a self signed certificate authority with openssl and created a private key and a certificate for the file server. I used the same certificate authority to create another key and certificate for my debian 7 computer.
>
> OpenLDAP uses its key and is configured to check client certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check openLDAP's certificate.
>
> When running winbind in interactive debug mode everything is running fine and wbinfo -i user is able to allocate a uid to the user. Another try shows the uid assigned is effectively retrieved from openLDAP. The command line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1.
>
> The logs produced show that openLDAP and winbind work together with encryption in both directions.
>
> When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user.
>
> Let's see the configuration files (domain name obfuscated):
>
> ##cn=config.ldif
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
> creatorsName: cn=config
> createTimestamp: 20130803105505Z
> olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
> olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
> olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
> olcTLSVerifyClient: demand
> entryCSN: 20130803125708.704922Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20130803125708Z
>
> ##smb.conf
> #======================= Global Settings =======================
> [global]
> workgroup = DOMAIN
> server string = %h server
> include = /etc/samba/dhcp.conf
> dns proxy = no
> log level = 0
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = yes
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> guest account = nobody
> load printers = no
> disable spoolss = yes
> printing = bsd
> printcap name = /dev/null
> unix extensions = yes
> wide links = no
> create mask = 0777
> directory mask = 0777
> use sendfile = no
> null passwords = no
> local master = yes
> time server = no
> wins support = no
> password server = *
> realm = DOMAIN.LOCAL
> security = ads
> allow trusted domains = no
>
> ;
> ; samba 3.5.6 idmap configuration
> ;
>
> idmap backend = ldap:ldap://omv.domain.local
> ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
> ldap idmap suffix = ou=Idmap
> ldap suffix = dc=domain,dc=local
> ldap ssl = start tls
> ldap debug level = 4
> ldap debug threshold = 1
>
> idmap uid = 16777216-50000000
> idmap gid = 16777216-50000000
> idmap config * : backend = ldap
> idmap config * : ldap_url = ldap://omv.domain.local
> idmap config * : ldap_anon = no
> idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
> idmap config * : range = 16777216-50000000
>
> idmap alloc backend = ldap
> idmap alloc config : ldap_url = ldap://omv.domain.local
> idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>
> winbind use default domain = true
> winbind offline logon = false
>
> ; disable enum users/groups on medium or large organization (affects performance)
> ; if disabled this will disable domain users/groups enumeration with getent
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind separator = /
> winbind nested groups = yes
> ;winbind normalize names = yes
> winbind refresh tickets = yes
> ;template primary group = users
> template shell = /bin/bash
> template homedir = /home/%D/%U
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> client ntlmv2 auth = yes
> client use spnego = yes
>
> #======================= Share Definitions =======================
> #======================= Home Directories =======================
> [homes]
> comment = Home directories
> browseable = yes
> writable = yes
> create mask = 0640
> directory mask = 0750
> valid users = %S
>
> ##/etc/ldap/ldap.conf
> URI     ldap://omv.domain.local
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> TLS_REQCERT demand
>
> ##/root/ldaprc
>
> TLS_CERT /etc/ssl/certs/omv-domain-local.crt
> TLS_KEY /etc/ssl/private/omv-domain-local.key
>
> Let me say also that ca-certificates.crt contains the certificate for my self signed authority.
>
> What am I missing to make it run smoothly?
>
>
>
>
>
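The workaround above works because libldap reads TLS_CERT/TLS_KEY from a chain of files (the system ldap.conf, then ldaprc/.ldaprc in $HOME, then ldaprc in the current directory) and lets an environment variable named LDAP<option> override all of them; a daemon started by the init script usually has a different HOME and working directory than an interactive root shell, so /root/ldaprc is never consulted, while the exported LDAPTLS_* variables are. The script below is an added example, not code from the thread or from the OpenLDAP or Samba projects: it is a simplified model of that lookup order as described in ldap.conf(5), which resolves the effective TLS_CERT/TLS_KEY and checks that the current user can read them. The default path in LDAP_SYSTEM_CONF and the file names in the usage comment are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread): a simplified model of how
# libldap resolves a TLS option such as TLS_CERT or TLS_KEY, so you can see
# which file a winbindd started by the init script would actually use.
# Lookup order modelled after ldap.conf(5): the system-wide file, then
# ldaprc / .ldaprc in $HOME, then ldaprc in the current directory, and
# finally the environment variable LDAP<OPTION>, which overrides all files.
# LDAP_SYSTEM_CONF is an assumed default; point it at your distribution's ldap.conf.

LDAP_SYSTEM_CONF="${LDAP_SYSTEM_CONF:-/etc/ldap/ldap.conf}"

# Print the value of OPTION from FILE (last match wins); print nothing if the
# file is unreadable or does not set the option.
read_ldap_option() {
    opt="$1"; file="$2"
    [ -r "$file" ] || return 0
    # Options are "NAME value" lines; comment and blank lines are ignored.
    awk -v opt="$opt" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        toupper($1) == opt { val = $2 }
        END { if (val != "") print val }
    ' "$file"
}

# Resolve the effective value of OPTION (e.g. TLS_CERT) in the order above.
effective_ldap_option() {
    opt="$1"; val=""
    for f in "$LDAP_SYSTEM_CONF" "${HOME:-/nonexistent}/ldaprc" \
             "${HOME:-/nonexistent}/.ldaprc" "./ldaprc"; do
        v=$(read_ldap_option "$opt" "$f")
        [ -n "$v" ] && val="$v"
    done
    # The environment variable LDAP<OPTION> takes precedence over every file,
    # which is why exporting LDAPTLS_CERT/LDAPTLS_KEY works regardless of HOME.
    env_val=$(eval "printf '%s' \"\${LDAP$opt:-}\"")
    [ -n "$env_val" ] && val="$env_val"
    printf '%s\n' "$val"
}

# Report one resolved file: NAME PATH. Returns 1 if unset or unreadable.
report_tls_file() {
    if [ -z "$2" ]; then
        echo "$1: not set (no config file or LDAP$1 variable provides it)"
        return 1
    elif [ ! -r "$2" ]; then
        echo "$1: $2 is not readable by $(id -un)"
        return 1
    fi
    echo "$1: $2 ok"
}

# Check the client certificate and key the current environment would hand
# to libldap. A daemon started without the expected HOME or cwd resolves
# these to empty and silently connects without a client certificate, which
# a server configured with olcTLSVerifyClient: demand then rejects.
check_ldap_tls_client_material() {
    rc=0
    report_tls_file TLS_CERT "$(effective_ldap_option TLS_CERT)" || rc=1
    report_tls_file TLS_KEY  "$(effective_ldap_option TLS_KEY)"  || rc=1
    return $rc
}

# Usage (file name assumed): source this from the same environment the daemon
# gets, e.g. after ". /etc/default/winbind", then run:
#   . ./ldap-tls-check.sh && check_ldap_tls_client_material
```

Running the check once from an interactive root shell and once with the daemon's environment (different HOME, no exported LDAPTLS_* variables) reproduces the difference seen in the thread: the first resolves /root/ldaprc, the second reports TLS_CERT and TLS_KEY as not set.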
