[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

Graham Allan allan at physics.umn.edu
Wed Jan 6 15:53:50 UTC 2016

On 1/5/2016 7:19 PM, Lee Brown wrote:
> A total guess would be to use either ldaps:// and don't bother with
> start_tls, or add the :636 to the end of the ldap:// specification as it
> seems to me that start_tls is pretty agnostic regarding whatever
> protocol it works against (SMTP, LDAP, etc.), i.e.:
> passdb backend = ldapsam:"ldaps://ldap-server-fqdn"
> #ldap ssl = start_tls
> OR
> passdb backend = ldapsam:"ldap://ldap-server-fqdn:636"
> ldap ssl = start_tls
> Otherwise I'd suggest a packet dump on the ldap machine to see what the
> difference is between what works and what doesn't to provide some clue.

The packet dump is a good idea. I get the same failure using straight 
SSL to port 636, but Wireshark might be able to decode any StartTLS 
negotiation attempt on the default port. Failing that I guess I'll 
resort to running smbd in gdb...
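
For reading the packet dump suggested in this thread, the following added example (not part of the original messages, and not Samba or OpenLDAP code) builds the LDAP StartTLS extended request as it appears on the wire, decodes the server's reply, and labels the first client payload of a captured connection as TLS or plaintext LDAP. The helper names and the sample server replies are constructed for illustration; the OID and tag values are those of RFC 4511.

```python
# Added example; helper names are illustrative, sample replies are constructed.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511

def tlv(tag, body=b""):
    """BER tag-length-value, short-form length only (enough for these messages)."""
    if len(body) > 127:
        raise ValueError("long-form length not implemented")
    return bytes([tag, len(body)]) + body

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos], buf[pos + 2:end], end

def starttls_result(reply):
    """Return (resultCode, diagnosticMessage) from the server's ExtendedResponse."""
    tag, msg, _ = read_tlv(reply)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                  # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:                            # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(op)                # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)              # matchedDN
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def classify_first_payload(data):
    """Label the first client-to-server TCP payload seen in a capture."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"                 # TLS from byte one, as with ldaps://
    if data[:1] == b"\x30":
        return "ldap-starttls-request" if STARTTLS_OID in data else "ldap-plaintext"
    return "unknown"

# Constructed server replies: success (0), and protocolError (2) with made-up text.
REPLY_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04) + tlv(0x04)))
REPLY_REFUSED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
    tlv(0x0A, b"\x02") + tlv(0x04) + tlv(0x04, b"constructed: TLS not available")))
```

A result code of 0 means the server accepted StartTLS and the TLS handshake should follow on the same connection; any other code, or no ExtendedResponse at all, narrows down where the negotiation stops.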

