[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
John Hixson
john at ixsystems.com
Wed Jan 6 23:04:11 UTC 2016
On Tue, Jan 05, 2016 at 05:35:21PM -0600, Graham Allan wrote:
> I know this is something which should have a simple fix but I'm failing
> to see it somehow.
>
> I'm moving samba service between a couple of FreeBSD systems (9.3 to
> 10.2), and I'm stuck on getting samba on the new machine to connect to
> our openldap server over ssl - frustrating since I've been running
> samba+ldap for 15 years or so; feel sure I'm missing something basic!
> I'm getting the traditional error of "Failed to issue the StartTLS
> instruction: Connect error".
>
> I've tried this with two versions of samba: 3.6.25 (same version as the
> working installation on the older server) and 4.2.3, and get the same
> issue with both.
>
> My default config is using:
> passdb backend = ldapsam:"ldap://ldap-server-fqdn"
> ldap ssl = start_tls
>
> If I disable ssl in smb.conf with:
>
> ldap ssl = never
>
> then samba does start successfully - suggesting a certificate validation
> issue.
>
> However, all my other ldap functions work fine over ssl, including pam,
> nslcd, and a plain "ldapsearch -ZZ".
>
> Also curious is that if I disable certificate validation in the openldap
> ldap.conf, with "TLS_REQCERT never", smbd still fails to communicate.
>
> Now, our libldap.so is linked against the system openssl, while I
> believe samba 4.2 at least uses GnuTLS - might that cause a problem?
> However my samba 3.6 build is using openssl so this doesn't seem a
> likely cause.
>
> gnutls-cli -p 636 ldap-server-fqdn
>
> does also successfully print out the certificate chain and declare the
> certificate trusted.
>
> Any ideas what I might be missing?
>
> Thanks, Graham
>
> BTW here's a debug level 5 snippet of log around the error:
>
> > [2016/01/05 16:50:44.382984, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
> > smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPA))]
> > [2016/01/05 16:50:44.383048, 5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> > smbldap_search_ext: base => [dc=physics,dc=umn,dc=edu], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SPA))], scope => [2]
> > [2016/01/05 16:50:44.383124, 5] ../source3/lib/smbldap.c:1114(smbldap_close)
> > The connection to the LDAP server was closed
> > [2016/01/05 16:50:44.407310, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> > Failed to issue the StartTLS instruction: Connect error
> > [2016/01/05 16:50:44.407377, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> > Connection to LDAP server failed for the 1 try!
> > [2016/01/05 16:50:45.412481, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> > Failed to issue the StartTLS instruction: Connect error
> > [2016/01/05 16:50:45.412558, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> > Connection to LDAP server failed for the 1 try!
>
I work on FreeNAS and have at least one complaint about this exact same
issue. I'm interested in a solution (or reason for this) as well.
- John
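The thread narrows the problem to the two configuration files involved (smb.conf on the Samba side, the OpenLDAP client ldap.conf on the libldap side) and to the smbd debug log. The script below is an added example for this page, not code from the thread, from Samba or from OpenLDAP: it lints those two files for settings that weaken or break the LDAP transport (StartTLS disabled over ldap://, StartTLS requested on an ldaps:// URI, TLS_REQCERT never/allow, no trust anchor) and condenses a smbd log into a count of StartTLS failures and the libldap error text behind them. The smb.conf and ldap.conf contents are constructed for the example; the log excerpt is the one posted above with the quote marks removed.

```python
"""Offline triage of a Samba ldapsam StartTLS failure.

Added example, not code from the thread or from Samba. SMB_CONF and
LDAP_CONF are constructed; SMBD_LOG is the excerpt posted in the thread.
"""
import re
from typing import Dict, List, Tuple

SMB_CONF = """\
[global]
    workgroup = SPA
    passdb backend = ldapsam:"ldap://ldap-server-fqdn"
    ldap ssl = start_tls
    ldap admin dn = cn=samba,dc=physics,dc=umn,dc=edu
"""

LDAP_CONF = """\
URI ldap://ldap-server-fqdn
BASE dc=physics,dc=umn,dc=edu
TLS_REQCERT never
"""

SMBD_LOG = """\
[2016/01/05 16:50:44.383124, 5] ../source3/lib/smbldap.c:1114(smbldap_close)
  The connection to the LDAP server was closed
[2016/01/05 16:50:44.407310, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
[2016/01/05 16:50:44.407377, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 1 try!
[2016/01/05 16:50:45.412481, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
[2016/01/05 16:50:45.412558, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 1 try!
"""


def parse_smb_global(text: str) -> Dict[str, str]:
    """[global] parameters of an smb.conf, lower-cased key -> raw value."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """OpenLDAP client ldap.conf directives, upper-cased name -> value."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return directives


def lint_ldap_tls(smb: Dict[str, str], ldap: Dict[str, str]) -> List[str]:
    """Flag smb.conf/ldap.conf settings that weaken or break LDAP transport security."""
    findings: List[str] = []
    m = re.search(r'ldapsam:"?(ldaps?://[^"\s]+)', smb.get("passdb backend", ""))
    if not m:
        return ["passdb backend is not ldapsam:<uri>; nothing to check"]
    uri = m.group(1)
    # Samba's default is "start tls"; "start_tls" is the same setting.
    mode = smb.get("ldap ssl", "start tls").lower().replace("_", " ")
    if uri.startswith("ldaps://") and mode == "start tls":
        findings.append(f"{uri} with 'ldap ssl = start tls': TLS is negotiated at connect "
                        "on 636, StartTLS is the ldap:// (389) mechanism; use one of them")
    if uri.startswith("ldap://") and mode != "start tls":
        findings.append(f"'ldap ssl = {mode}' with {uri} does not request StartTLS: the "
                        "ldap admin dn bind and passdb traffic travel in cleartext")
    # ldap.conf(5): TLS_REQCERT defaults to demand; never/allow skip verification.
    reqcert = ldap.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: every libldap client reading this file "
                        "accepts an unverified server certificate (MITM)")
    elif not (ldap.get("TLS_CACERT") or ldap.get("TLS_CACERTDIR")):
        findings.append(f"TLS_REQCERT {reqcert} without TLS_CACERT/TLS_CACERTDIR: no "
                        "explicit trust anchor, verification relies on the library default store")
    return findings


# Samba debug header: "[timestamp, level] file:line(function)", message on the next line.
HEADER = re.compile(r"^\[(?P<ts>[^\],]+), *(?P<level>\d+)\] +(?P<where>\S+)$")


def summarize_smbd_log(text: str) -> Dict[str, object]:
    """Pair debug headers with their message lines and count StartTLS failures."""
    events: List[Tuple[str, int, str, str]] = []
    header = None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            header = (m.group("ts"), int(m.group("level")), m.group("where"))
        elif header and raw.strip():
            events.append(header + (raw.strip(),))
            header = None
    failures = [e for e in events if "Failed to issue the StartTLS instruction" in e[3]]
    errors = sorted({e[3].rsplit(":", 1)[1].strip() for e in failures})
    return {
        "events": len(events),
        "starttls_failures": len(failures),
        "ldap_errors": errors,  # ldap_err2string() text, e.g. "Connect error"
        "retries": sum("Connection to LDAP server failed" in e[3] for e in events),
        # "Connect error" is LDAP_CONNECT_ERROR: the TLS handshake behind StartTLS
        # failed (trust, hostname or protocol/cipher), not the LDAP operation itself.
        "handshake_failed": errors == ["Connect error"],
    }


if __name__ == "__main__":
    for finding in lint_ldap_tls(parse_smb_global(SMB_CONF), parse_ldap_conf(LDAP_CONF)):
        print("finding:", finding)
    print(summarize_smbd_log(SMBD_LOG))
```

Run against the constructed files it reports one finding (TLS_REQCERT never) and a log summary of two StartTLS failures, both "Connect error". That pairing is the useful signal in the thread: "Connect error" means the TLS handshake failed before any LDAP result came back, and since the same ldap.conf with TLS_REQCERT never did not change smbd's behaviour, the next thing to verify is whether the libldap that smbd loads reads the same ldap.conf as the ldapsearch binary (paths differ between base-system and ports builds) and whether the handshake succeeds when run as the smbd user, for example with `ldapsearch -ZZ -H ldap://ldap-server-fqdn` and `openssl s_client -starttls ldap -connect ldap-server-fqdn:389` (OpenSSL 1.1.0 or later). Treat `ldap ssl = never` and `TLS_REQCERT never` as diagnostic steps only; leaving either in place sends the ldap admin dn credentials over a link that an on-path attacker can read or impersonate.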