[Samba] LDAP problem

Brian Candler b.candler at pobox.com
Mon Feb 13 12:12:42 UTC 2017

On 13/02/2017 10:01, Lukz Ferris wrote:
> This error suggests a problem with your certificate. If it used to work
> previously, then check it hasn't expired.
>       openssl s_client -connect devsamba.lucas.ufes.br:636
> copy-paste the certificate into a pem file, including begin/end lines
>       openssl x509 -in mycert.pem -noout -enddate
> And check your root CA cert hasn't expired:
>       openssl x509 -in /usr/local/samba/private/tls/cert.pem -noout -enddate
> I did the first command and I got this:
> openssl s_client -connect devsamba.lucas.ufes.br:636
> socket: Connection refused
> connect:errno=111

Then your server is not even listening on the ldaps port, or port 636 is 
being blocked. If this worked in the past, then probably something has 
changed in your config.

To check whether it's a firewall problem, on the server itself check for 
listening processes:

# netstat -natp | grep LISTEN

If no process is listening on port 636, then that's where your problem 
is.  Go check logs etc to see why the LDAP server isn't listening.

If there *is* a process listening on port 636 (and it's not bound to a 
local interface like or ::1) then check what's blocking the 
traffic in between your client and server - e.g. iptables rules.

 > Then I copy-paste the certificate and got this:

What certificate did you copy-paste?? The purpose of the "openssl s_client 
-connect x.x.x.x:636" command was to connect and find out what 
certificate the server was sending to you.  But you didn't establish the 
connection, so there was no certificate to check.
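
The server-side check described in the message above, as an added example that is not part of the original post: a small shell function that reads `netstat -natp` output and reports whether the given port has no listener, a loopback-only listener, or a listener reachable from other hosts. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `netstat -natp` output (read on stdin) for one TCP port.
# Prints one of: not-listening | loopback-only | listening
# On the server itself (as root): netstat -natp | classify_listener 636
classify_listener() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")      # last ":"-separated piece is the port
            if (parts[n] != port) next
            found = 1
            # Local address with the trailing ":port" removed
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host !~ /^127\./ && host != "::1") external = 1
        }
        END {
            if (!found)        print "not-listening"   # check the server logs
            else if (external) print "listening"       # check firewall rules in between
            else               print "loopback-only"   # check the bind/interfaces config
        }'
}

# Constructed sample outputs, not taken from the poster's server.
SAMPLE_DOWN='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0  0 0.0.0.0:22      0.0.0.0:*      LISTEN      812/sshd
tcp   0  0 0.0.0.0:389     0.0.0.0:*      LISTEN      1500/samba
tcp   0  0 10.0.0.5:40122  10.0.0.9:636   ESTABLISHED 2210/ldapsearch'

SAMPLE_LOCAL='tcp   0  0 127.0.0.1:636   0.0.0.0:*      LISTEN      1500/samba
tcp6  0  0 ::1:636         :::*           LISTEN      1500/samba'

SAMPLE_UP='tcp   0  0 0.0.0.0:636     0.0.0.0:*      LISTEN      1500/samba
tcp6  0  0 :::636          :::*           LISTEN      1500/samba
tcp   0  0 10.0.0.5:636    10.0.0.9:51514 ESTABLISHED 1500/samba'

for sample in "$SAMPLE_DOWN" "$SAMPLE_LOCAL" "$SAMPLE_UP"; do
    printf '%s\n' "$sample" | classify_listener 636
done
```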


