[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

Graham Allan allan at physics.umn.edu
Tue Jan 5 23:35:21 UTC 2016

I know this is something which should have a simple fix but I'm failing 
to see it somehow.

I'm moving samba service between a couple of FreeBSD systems (9.3 to 
10.2), and I'm stuck on getting samba on the new machine to connect to 
our openldap server over ssl - frustrating since I've been running 
samba+ldap for 15 years or so; feel sure I'm missing something basic! 
I'm getting the traditional error of "Failed to issue the StartTLS 
instruction: Connect error".

I've tried this with two versions of samba: 3.6.25 (same version as the 
working installation on the older server) and 4.2.3, and get the same 
issue with both.

My default config is using:
passdb backend = ldapsam:"ldap://ldap-server-fqdn"
ldap ssl = start_tls

If I disable ssl in smb.conf with:

ldap ssl = never

then samba does start successfully - suggesting a certificate validation 

However, all my other ldap functions work fine over ssl, including pam, 
nslcd, and a plain "ldapsearch -ZZ".

Also curious is that if I disable certificate validation in the openldap 
ldap.conf, with "TLS_REQCERT never", smbd still fails to communicate.

Now, our libldap.so is linked against the system openssl, while I 
believe samba 4.2 at least uses GnuTLS - might that cause a problem? 
However my samba 3.6 build is using openssl so this doesn't seem a 
likely cause.

gnutls-cli -p 636 ldap-server-fqdn

does also successfully print out the certificate chain and declare the 
certificate trusted.

Any ideas what I might be missing?

Thanks, Graham

BTW here's a debug level 5 snippet of log around the error:

> [2016/01/05 16:50:44.382984,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
>   smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPA))]
> [2016/01/05 16:50:44.383048,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=physics,dc=umn,dc=edu], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SPA))], scope => [2]
> [2016/01/05 16:50:44.383124,  5] ../source3/lib/smbldap.c:1114(smbldap_close)
>   The connection to the LDAP server was closed
> [2016/01/05 16:50:44.407310,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
>   Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:44.407377,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
>   Connection to LDAP server failed for the 1 try!
> [2016/01/05 16:50:45.412481,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
>   Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:45.412558,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
>   Connection to LDAP server failed for the 1 try!

More information about the samba mailing list