[Samba] Is "tls cafile" ignored when ldap.conf is present?

Alex Korobkin korobkin+smb at gmail.com
Fri May 9 10:17:44 MDT 2014

Hi all,

My CUPS+Samba printserver authenticates to an OpenLDAP server for Linux
clients, and to AD LDAP for Windows clients.

However, OpenLDAP and AD started to use different certificate chains, so I
need to tell Samba to use different root CA cert when talking to AD DC.

In ldap.conf I have
 tls_reqcert demand
 tls_cacert /usr/share/ca-certificates/ca-openldap.crt

In smb.conf I'm trying to add this line to [global]:
 tls cafile = /etc/samba/tls/ca-ad.pem

testparm shows that Samba sees this line:

ldap ssl = start tls
 ldap ssl ads = Yes
tls cafile = /etc/samba/tls/ca-ad.pem

However, it doesn't seem to have any effect. Samba still tries to
communicate with AD using ca-openldap.crt

What am I doing wrong here?
It's Samba 4.1.7 compiled with gnutls support on Ubuntu 12.04.


More information about the samba mailing list