[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
Graham Allan
allan at physics.umn.edu
Tue Jan 5 23:35:21 UTC 2016
I know this is something which should have a simple fix but I'm failing
to see it somehow.
I'm moving samba service between a couple of FreeBSD systems (9.3 to
10.2), and I'm stuck on getting samba on the new machine to connect to
our openldap server over ssl - frustrating since I've been running
samba+ldap for 15 years or so; feel sure I'm missing something basic!
I'm getting the traditional error of "Failed to issue the StartTLS
instruction: Connect error".
I've tried this with two versions of samba: 3.6.25 (same version as the
working installation on the older server) and 4.2.3, and get the same
issue with both.
My default config is using:
passdb backend = ldapsam:"ldap://ldap-server-fqdn"
ldap ssl = start_tls
If I disable ssl in smb.conf with:
ldap ssl = never
then samba does start successfully - suggesting a certificate validation
issue.
However, all my other ldap functions work fine over ssl, including pam,
nslcd, and a plain "ldapsearch -ZZ".
Also curious is that if I disable certificate validation in the openldap
ldap.conf, with "TLS_REQCERT never", smbd still fails to communicate.
Now, our libldap.so is linked against the system openssl, while I
believe samba 4.2 at least uses GnuTLS - might that cause a problem?
However my samba 3.6 build is using openssl so this doesn't seem a
likely cause.
gnutls-cli -p 636 ldap-server-fqdn
does also successfully print out the certificate chain and declare the
certificate trusted.
Any ideas what I might be missing?
Thanks, Graham
BTW here's a debug level 5 snippet of log around the error:
> [2016/01/05 16:50:44.382984, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPA))]
> [2016/01/05 16:50:44.383048, 5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [dc=physics,dc=umn,dc=edu], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SPA))], scope => [2]
> [2016/01/05 16:50:44.383124, 5] ../source3/lib/smbldap.c:1114(smbldap_close)
> The connection to the LDAP server was closed
> [2016/01/05 16:50:44.407310, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:44.407377, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> Connection to LDAP server failed for the 1 try!
> [2016/01/05 16:50:45.412481, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:45.412558, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> Connection to LDAP server failed for the 1 try!
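As an added example (not from this post, and not Samba's or OpenLDAP's code), here is a small Python probe that performs by hand what libldap does for `ldap ssl = start_tls`: a plain TCP connection to port 389, the StartTLS extended operation, then a verified TLS handshake, so each stage can be checked on its own; `gnutls-cli -p 636` exercises LDAPS on 636 rather than this StartTLS path. Host, port and `cafile` are the caller's choice; a trust or handshake failure raises at the wrap step, which is the stage libldap reports as LDAP_CONNECT_ERROR ("Connect error").

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    # Short-form BER lengths are enough: the request is 31 bytes and message_id stays below 128.
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([message_id]) + ext
    return b"\x30" + bytes([len(body)]) + body


def parse_extended_response(data):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = read_tlv(data)                 # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(msg)                # messageID INTEGER
    tag, result, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(result)            # resultCode ENUMERATED
    _, _, pos = read_tlv(result, pos)          # matchedDN (skipped)
    _, diag, _ = read_tlv(result, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def probe_starttls(host, port=389, cafile=None):
    """Plain TCP, StartTLS extended op, then a verified TLS handshake; returns the peer cert subject.
    A server refusal is a non-zero resultCode; a trust/handshake problem raises ssl.SSLError at wrap."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None uses the OS trust store
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS: resultCode=%d %s" % (code, diag))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```

Run `probe_starttls("ldap-server-fqdn", cafile="/path/to/ca.pem")` from the new host: a resultCode other than 0 means the server side declined StartTLS, while an `ssl.SSLError` points at the certificate chain or hostname check that smbd's libldap is performing.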