[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")

Graham Allan allan at physics.umn.edu
Fri Jan 8 21:15:35 UTC 2016


I also (belatedly) set "ldap debug level = 1" in smb.conf (wish I'd 
thought of that before!). At the same time I set_ldap_option for the 
same debug level in my test program. Lo! the smbd output complains of 
certificate signature failure.

smbd output:
> [LDAP] ldap_simple_bind_s
> [LDAP] ldap_sasl_bind_s
> [LDAP] ldap_sasl_bind
> [LDAP] ldap_send_initial_request
> [LDAP] ldap_new_connection 1 1 0
> [LDAP] ldap_int_open_connection
> [LDAP] ldap_connect_to_host: TCP ldap.spa.umn.edu:636
> [LDAP] ldap_new_socket: 9
> [LDAP] ldap_prepare_socket: 9
> [LDAP] ldap_connect_to_host: Trying 128.101.220.24:636
> [LDAP] ldap_pvt_connect: fd: 9 tm: -1 async: 0
> [LDAP] attempting to connect:
> [LDAP] connect success
> [LDAP] TLS trace: SSL_connect:before/connect initialization
> [LDAP] TLS trace: SSL_connect:SSLv2/v3 write client hello A
> [LDAP] TLS trace: SSL_connect:SSLv3 read server hello A
> [LDAP] TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root,[LDAP]  issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> [LDAP] TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority,[LDAP]  issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> [LDAP] TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA,[LDAP]  issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> [LDAP] TLS certificate verification: Error, certificate signature failure
> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> [LDAP] TLS trace: SSL_connect:SSLv3 read server certificate A
> [LDAP] TLS trace: SSL_connect:SSLv3 read server done A
> [LDAP] TLS trace: SSL_connect:SSLv3 write client key exchange A
> [LDAP] TLS trace: SSL_connect:error in error
> [LDAP] TLS trace: SSL_connect:error in error
> [LDAP] TLS: can't connect: .

But the test program on same machine gives:

> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.spa.umn.edu:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 128.101.220.24:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
> TLS certificate verification: depth: 0, err: 0, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read server session ticket A
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_open_defconn: successful
> ldap_send_server_request

Same certificate chain, but one case verifies and the other doesn't...

G.
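Added here as an example, not from the original post or the Samba project: a small Python parser for the OpenLDAP "TLS certificate verification" lines quoted above. It handles both the bare form and the "[LDAP]"-prefixed form smbd logs (including the ",[LDAP]  issuer:" artefact), maps the err field to its OpenSSL X509_V_ERR_* name, and reports the depth at which two traces diverge; the embedded traces are constructed, abbreviated excerpts of the two above.

```python
import re

# Constructed, abbreviated excerpts of the two traces quoted above; the smbd
# one carries OpenLDAP's "[LDAP] " prefix, which also lands in the middle of
# each verification line as ",[LDAP]  issuer:".
SMBD_TRACE = """\
[LDAP] TLS certificate verification: depth: 1, err: 0, subject: /CN=InCommon RSA Server CA,[LDAP]  issuer: /CN=USERTrust RSA Certification Authority
[LDAP] TLS certificate verification: depth: 0, err: 7, subject: /CN=ldap.spa.umn.edu,[LDAP]  issuer: /CN=InCommon RSA Server CA
[LDAP] TLS certificate verification: Error, certificate signature failure
"""
TEST_TRACE = """\
TLS certificate verification: depth: 1, err: 0, subject: /CN=InCommon RSA Server CA, issuer: /CN=USERTrust RSA Certification Authority
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.spa.umn.edu, issuer: /CN=InCommon RSA Server CA
"""

# "err:" is OpenSSL's X509_V_ERR_* verify result (see openssl/x509_vfy.h).
X509_ERR_NAMES = {0: "X509_V_OK", 7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
                  10: "X509_V_ERR_CERT_HAS_EXPIRED"}

# Matches both the bare line and the "[LDAP]"-prefixed form smbd logs.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?),(?:\[LDAP\])?\s+issuer: (?P<issuer>.*)$")

def parse_verify_lines(trace):
    """One dict per per-certificate verification line, in trace order."""
    found = []
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            found.append({"depth": int(m["depth"]), "err": int(m["err"]),
                          "subject": m["subject"].strip(), "issuer": m["issuer"].strip()})
    return found

def first_failure(trace):
    """(depth, err, err_name, subject) of the first non-OK entry, else None."""
    for e in parse_verify_lines(trace):
        if e["err"] != 0:
            return (e["depth"], e["err"],
                    X509_ERR_NAMES.get(e["err"], "unknown X509_V_ERR"), e["subject"])
    return None

def diff_chains(trace_a, trace_b):
    """Walk both chains root-first (highest depth); return (depth, err_a, err_b)
    where the verify results first diverge, or None if the traces agree."""
    a = {e["depth"]: e["err"] for e in parse_verify_lines(trace_a)}
    b = {e["depth"]: e["err"] for e in parse_verify_lines(trace_b)}
    for depth in sorted(set(a) | set(b), reverse=True):
        if a.get(depth) != b.get(depth):
            return (depth, a.get(depth), b.get(depth))
    return None
```

On the two traces above, err 7 resolves to X509_V_ERR_CERT_SIGNATURE_FAILURE at depth 0 only in the smbd run: the intermediates verify identically in both, and the leaf's signature check against the depth-1 issuer is the single point where the two processes disagree.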