[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

Lee Brown leeb at ratnaling.org
Wed Jan 6 19:34:21 UTC 2016

On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu> wrote:

> On 01/06/2016 09:53 AM, Graham Allan wrote:
>> The packet dump is a good idea. I get the same failure using straight
>> SSL to port 636, but wireshark might be able to decode any StartTLS
>> negotiation attempt on the default port. Failing that I guess I'll
>> resort to running smbd in gdb...
> tshark tells me the (smbd) client sends a decrypt error (TLS alert code
> 51) to the ldap server after receiving the certificate, while the working
> "ldapsearch -ZZ" moves on to client key exchange etc.
> Puzzling, it doesn't seem like a certificate validation error, I'd expect
> that to result in something like codes 42-48.

I'd be very interested to see how you troubleshoot this. I'm running
FreeBSD 10.1, samba 4.2.3, but I don't use openldap as the backend; samba
is my LDAP now as it does Active Directory.  I've found SSL to be
incredibly hard to troubleshoot, especially when client certs get involved
as it gets hard to determine if the problem is on the server side not
liking the client cert, or the client side not liking the server cert.  In
some cases I've had to bundle the entire chain in a single file, while
others I've had to point to a directory of certs.

Good luck and please keep us updated.
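The quoted tshark observation above turns on what the TLS alert number actually says: 51 (decrypt_error) versus the 42-48 range Graham expected for a certificate problem. The following is an added example, not code from either poster or from Samba or OpenLDAP: it walks a raw TLS record-layer byte stream (as you would copy out of a wireshark/tshark packet bytes pane), picks out alert records, and labels each one with its RFC 5246 name and whether it is one of the certificate-validation alerts. The byte stream below is constructed for the example (a stub handshake record followed by two alerts); the alert numbers and names are the RFC 5246 section 7.2 values.

```python
"""Decode TLS alert records from captured record-layer bytes.

Added example for the Samba/OpenLDAP StartTLS thread, not code from the
posters. Input is the raw TLS record layer (type, version, length, body)
as seen on the wire; alert bodies are two bytes (level, description) until
the handshake finishes, after which they are encrypted and cannot be read.
"""
import struct

# RFC 5246 section 7.2 AlertDescription values (the ones seen in practice).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# Alerts that mean "I did not like the peer's certificate". Note that 47
# (illegal_parameter) sits inside the numeric 42-48 range but is not one.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22


def parse_records(stream: bytes):
    """Yield (content_type, (major, minor), body) for each TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {off}")
        yield ctype, (vmaj, vmin), body
        off += 5 + length
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing bytes after last record")


def decode_alerts(stream: bytes):
    """Return one dict per alert record found in the stream."""
    alerts = []
    for ctype, version, body in parse_records(stream):
        if ctype != CONTENT_TYPE_ALERT:
            continue
        if len(body) != 2:
            # Encrypted alert (sent after ChangeCipherSpec): length is the
            # cipher's output size, not 2, so the code is not recoverable here.
            alerts.append({"version": version, "level": None, "code": None,
                           "name": "encrypted", "cert_related": None})
            continue
        level, code = body
        alerts.append({
            "version": version,
            "level": {1: "warning", 2: "fatal"}.get(level, f"unknown({level})"),
            "code": code,
            "name": ALERT_NAMES.get(code, f"unknown({code})"),
            "cert_related": code in CERT_ALERTS,
        })
    return alerts


# Constructed sample stream (not a real capture): a 4-byte stub handshake
# record, then a fatal decrypt_error (51), then a fatal bad_certificate (42).
SAMPLE_STREAM = (
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"   # handshake, TLS 1.0 hello
    + b"\x15\x03\x03\x00\x02" + b"\x02\x33"          # alert: fatal, 51
    + b"\x15\x03\x03\x00\x02" + b"\x02\x2a"          # alert: fatal, 42
)


if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_STREAM):
        print(alert)
```

For a real capture, paste the hex of the TLS payload (starting at the record type byte, 0x15 for an alert) into `bytes.fromhex(...)` and feed it to `decode_alerts`. A `cert_related` value of `False` on a fatal alert, as with 51 here, tells you to stop looking at the certificate chain and look at the key exchange or signature step instead.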

