[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

John Hixson john at ixsystems.com
Wed Jan 6 23:04:11 UTC 2016


On Tue, Jan 05, 2016 at 05:35:21PM -0600, Graham Allan wrote:
> I know this is something which should have a simple fix but I'm failing 
> to see it somehow.
> 
> I'm moving samba service between a couple of FreeBSD systems (9.3 to 
> 10.2), and I'm stuck on getting samba on the new machine to connect to 
> our openldap server over ssl - frustrating since I've been running 
> samba+ldap for 15 years or so; feel sure I'm missing something basic! 
> I'm getting the traditional error of "Failed to issue the StartTLS 
> instruction: Connect error".
> 
> I've tried this with two versions of samba: 3.6.25 (same version as the 
> working installation on the older server) and 4.2.3, and get the same 
> issue with both.
> 
> My default config is using:
> passdb backend = ldapsam:"ldap://ldap-server-fqdn"
> ldap ssl = start_tls
> 
> If I disable ssl in smb.conf with:
> 
> ldap ssl = never
> 
> then samba does start successfully - suggesting a certificate validation 
> issue.
> 
> However, all my other ldap functions work fine over ssl, including pam, 
> nslcd, and a plain "ldapsearch -ZZ".
> 
> Also curious is that if I disable certificate validation in the openldap 
> ldap.conf, with "TLS_REQCERT never", smbd still fails to communicate.
> 
> Now, our libldap.so is linked against the system openssl, while I 
> believe samba 4.2 at least uses GnuTLS - might that cause a problem? 
> However my samba 3.6 build is using openssl so this doesn't seem a 
> likely cause.
> 
> gnutls-cli -p 636 ldap-server-fqdn
> 
> does also successfully print out the certificate chain and declare the 
> certificate trusted.
> 
> Any ideas what I might be missing?
> 
> Thanks, Graham
> 
> BTW here's a debug level 5 snippet of log around the error:
> 
> > [2016/01/05 16:50:44.382984,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
> >   smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPA))]
> > [2016/01/05 16:50:44.383048,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> >   smbldap_search_ext: base => [dc=physics,dc=umn,dc=edu], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SPA))], scope => [2]
> > [2016/01/05 16:50:44.383124,  5] ../source3/lib/smbldap.c:1114(smbldap_close)
> >   The connection to the LDAP server was closed
> > [2016/01/05 16:50:44.407310,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> >   Failed to issue the StartTLS instruction: Connect error
> > [2016/01/05 16:50:44.407377,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> >   Connection to LDAP server failed for the 1 try!
> > [2016/01/05 16:50:45.412481,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
> >   Failed to issue the StartTLS instruction: Connect error
> > [2016/01/05 16:50:45.412558,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
> >   Connection to LDAP server failed for the 1 try!
> 

I work on FreeNAS and have at least one complaint about this exact same
issue. I'm interested in a solution (or reason for this) as well.

- John

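As an added example (not code from the thread or from Samba), a small Python probe that does what smbd's `ldap ssl = start_tls` path does on the plain LDAP port: send the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), check the server's resultCode, then run a verifying TLS handshake on the same socket, so an LDAP-level refusal can be told apart from a certificate or handshake failure. Host, port and CA file are assumed inputs; the standard library `ssl` module is OpenSSL-backed, so it exercises the OpenSSL trust path, not GnuTLS's.

```python
"""Probe an LDAP server's StartTLS path: LDAP ExtendedRequest on the
plain port, then a certificate-verifying TLS handshake on the same socket."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS operation


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV; short-form length only (enough for these messages)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)


def parse_result_code(msg: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24], tag 0x78.
    Expected layout: 30 len 02 01 id 78 len 0a 01 <code> ...  (0 = success)."""
    if len(msg) < 10 or msg[0] != 0x30 or msg[5] != 0x78 or msg[7] != 0x0A:
        raise ValueError("not an LDAP ExtendedResponse")
    return msg[9]


def probe(host: str, port: int = 389, cafile: Optional[str] = None) -> dict:
    """Return the StartTLS resultCode and, if the server accepted, the TLS
    version and peer subject. A non-zero code is an LDAP-level refusal;
    an ssl.SSLError raised from wrap_socket is the handshake/verification
    failure (chain, hostname, protocol mismatch). host/port/cafile are
    assumed inputs for this example."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            return {"starttls_result": code, "tls": None}
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"starttls_result": 0, "tls": tls.version(),
                    "subject": tls.getpeercert()["subject"]}
```

Run `probe("ldap-server-fqdn", cafile="/path/to/ca.pem")` with the same CA bundle the working `ldapsearch -ZZ` uses; if the resultCode is 0 but the handshake raises, the problem is on the certificate/trust side rather than in the LDAP configuration.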


