[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

Lee Brown leeb at ratnaling.org
Wed Jan 6 01:19:01 UTC 2016


On Tue, Jan 5, 2016 at 3:35 PM, Graham Allan <allan at physics.umn.edu> wrote:

> I know this is something which should have a simple fix but I'm failing to
> see it somehow.
>
> I'm moving samba service between a couple of FreeBSD systems (9.3 to
> 10.2), and I'm stuck on getting samba on the new machine to connect to our
> openldap server over ssl - frustrating since I've been running samba+ldap
> for 15 years or so; feel sure I'm missing something basic! I'm getting the
> traditional error of "Failed to issue the StartTLS instruction: Connect
> error".
>
> I've tried this with two versions of samba: 3.6.25 (same version as the
> working installation on the older server) and 4.2.3, and get the same issue
> with both.
>
> My default config is using:
> passdb backend = ldapsam:"ldap://ldap-server-fqdn"
> ldap ssl = start_tls
>
> If I disable ssl in smb.conf with:
>
> ldap ssl = never
>
> then samba does start successfully - suggesting a certificate validation
> issue.
>
> However, all my other ldap functions work fine over ssl, including pam,
> nslcd, and a plain "ldapsearch -ZZ".
>
> Also curious is that if I disable certificate validation in the openldap
> ldap.conf, with "TLS_REQCERT never", smbd still fails to communicate.
>
> Now, our libldap.so is linked against the system openssl, while I believe
> samba 4.2 at least uses GnuTLS - might that cause a problem? However my
> samba 3.6 build is using openssl so this doesn't seem a likely cause.
>
> gnutls-cli -p 636 ldap-server-fqdn
>
> does also successfully print out the certificate chain and declare the
> certificate trusted.
>
> Any ideas what I might be missing?
>
> Thanks, Graham
>
> BTW here's a debug level 5 snippet of log around the error:
>
> [2016/01/05 16:50:44.382984,  2]
> ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
>   smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=SPA))]
> [2016/01/05 16:50:44.383048,  5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=physics,dc=umn,dc=edu], filter =>
> [(&(objectClass=sambaDomain)(sambaDomainName=SPA))], scope => [2]
> [2016/01/05 16:50:44.383124,  5]
> ../source3/lib/smbldap.c:1114(smbldap_close)
>   The connection to the LDAP server was closed
> [2016/01/05 16:50:44.407310,  0]
> ../source3/lib/smbldap.c:575(smbldap_start_tls)
>   Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:44.407377,  1]
> ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
>   Connection to LDAP server failed for the 1 try!
> [2016/01/05 16:50:45.412481,  0]
> ../source3/lib/smbldap.c:575(smbldap_start_tls)
>   Failed to issue the StartTLS instruction: Connect error
> [2016/01/05 16:50:45.412558,  1]
> ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
>   Connection to LDAP server failed for the 1 try!
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

A total guess would be to use either ldaps:// and don't bother with
start_tls, or add the :636 to the end of the ldap:// specification as it
seems to me that start_tls is pretty agnostic regarding whatever protocol
it works against (SMTP, LDAP, etc.).  i.e.

passdb backend = ldapsam:"ldaps://ldap-server-fqdn"
#ldap ssl = start_tls

OR

passdb backend = ldapsam:"ldap://ldap-server-fqdn:636"
ldap ssl = start_tls

Otherwise I'd suggest a packet dump on the ldap machine to see what the
difference is between what works and what doesn't to provide some clue.
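The thread turns on two smb.conf settings, `passdb backend` and `ldap ssl`, and on the difference between StartTLS (an in-band upgrade of a plaintext LDAP session, normally on port 389) and ldaps:// (TLS from the first byte, normally on port 636). The following script is an added example, not Samba's code and not from either poster: it reads those two settings from an smb.conf fragment, reports the transport they select, and flags the combinations where the two TLS styles are mixed. It assumes that `ldap ssl` defaults to "start tls" when the line is absent (Samba's documented default) and uses constructed sample configs modelled on the three variants above.

```python
"""Added example (not Samba's code, not from the thread): work out what the
`passdb backend` URI and `ldap ssl` setting mean on the wire, so a mixed
StartTLS/LDAPS configuration is visible before smbd logs
"Failed to issue the StartTLS instruction".

Assumptions: only these two settings are considered; `ldap ssl` is taken to
default to "start tls" when absent (Samba's documented default); the sample
configs at the bottom are constructed, not copied from a real host.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_smb_conf(text):
    """Return {key: value} for `key = value` lines; '#' and ';' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def ldap_uri(settings):
    """Pull the URI out of `passdb backend = ldapsam:"ldap://host"` (quotes optional)."""
    match = re.match(r'ldapsam:"?([^"\s]+)"?', settings.get("passdb backend", ""))
    return match.group(1) if match else None


def effective_transport(conf_text):
    """Describe the LDAP transport Samba would use and list configuration warnings."""
    settings = parse_smb_conf(conf_text)
    uri = ldap_uri(settings)
    if uri is None:
        raise ValueError("no ldapsam passdb backend in this fragment")
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError("unsupported LDAP URI scheme: %s" % scheme)
    port = parts.port or DEFAULT_PORT[scheme]
    # Samba accepts both "start tls" and "start_tls"; normalise. Assumed default: start tls.
    ldap_ssl = settings.get("ldap ssl", "start tls").lower().replace("_", " ")
    wants_starttls = ldap_ssl == "start tls"

    warnings = []
    if scheme == "ldaps":
        mode = "ldaps"
        if wants_starttls:
            warnings.append("ldaps:// negotiates TLS at connect time; 'ldap ssl = start tls' "
                            "asks for StartTLS on a session that is already encrypted, so "
                            "use 'ldap ssl = never' together with ldaps://")
    elif wants_starttls:
        mode = "starttls"
        if port == 636:
            warnings.append("StartTLS is a plaintext LDAP extended operation, but port 636 "
                            "conventionally expects a TLS handshake as the first bytes; "
                            "use ldap:// on 389 with StartTLS, or ldaps:// on 636")
    else:
        mode = "plaintext"
        warnings.append("no TLS at all: bind credentials and directory data cross the "
                        "network in the clear")
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "mode": mode, "warnings": warnings}


# Constructed samples mirroring the three variants discussed in the thread.
ORIGINAL_CONF = '''
passdb backend = ldapsam:"ldap://ldap-server-fqdn"
ldap ssl = start_tls
'''
LDAPS_CONF = '''
passdb backend = ldapsam:"ldaps://ldap-server-fqdn"
#ldap ssl = start_tls
'''
PORT636_CONF = '''
passdb backend = ldapsam:"ldap://ldap-server-fqdn:636"
ldap ssl = start_tls
'''

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("ldaps", LDAPS_CONF),
                       ("ldap on 636", PORT636_CONF)):
        result = effective_transport(conf)
        print(name, result["mode"], result["host"], result["port"])
        for w in result["warnings"]:
            print("  warning:", w)
```

Run against a real smb.conf by pasting the relevant lines into one of the string constants; the check is static, so it says nothing about certificate trust, which still needs the `ldapsearch -ZZ`, `gnutls-cli` or packet-capture comparison mentioned in the thread.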