[Samba] SSL Certificate

Rowland Penny rpenny at samba.org
Sun Jan 15 14:09:31 UTC 2017


On Sun, 15 Jan 2017 12:04:07 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
> > ldapsearch -U USER -h ldaps://localhost -p636  -w PASS -b 
> > dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)'
> > givenName -LLL -n -N -Z
> > ldap_start_tls: Connect error (-11)
> >         additional info: (unknown error code)
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >         additional info: (unknown error code)
> >
> >
> > What would be wrong? 
> 
> You are trying to do two mutually-exclusive things at the same time.
> 
> (1) An ldaps:// URL means that TLS is negotiated as soon as the TCP 
> connection is established, before any LDAP operation takes place.
> This happens on port 636.
> 
> (2) The -Z flag means "use the STARTTLS extension to the LDAP
> protocol to request TLS".  You only ever use this on port 389. The
> normal LDAP connection is established, *then* the STARTTLS message is
> sent, *then* TLS is negotiated.
> 
> 
> The difference between ldaps (636) and ldap (389) is the same as the 
> difference between https (443) and http (80).
> 
> To check if your Samba is listening on port 636, use:
> 
> netstat -natp | grep :636
> 
> and look for LISTEN
> 
> HTH,
> 
> Brian.
> 
> 

OK, try this:

The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf: tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational
The username is 'rowland'

This is all done on the DC.

Configure the /etc/openldap/ldap.conf file as follows:

HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls

restart Samba

Now test with this command:

ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

and/or this command:

ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldap://dc1.samdom.example.com -Z -W sAMAccountName=rowland

Rowland
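As an added example (not part of the thread), the following Python shows what `-Z` actually puts on the wire, a cleartext LDAP StartTLS ExtendedRequest, and contrasts it with the ldaps:// model Brian describes, where TLS is negotiated before any LDAP message. The function names and the classification strings are mine.

```python
# Added example: StartTLS (RFC 4511 section 4.14.1) vs. ldaps:// on the wire.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID

def _ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def starttls_request(message_id=1):
    """The cleartext LDAPMessage that `ldapsearch -Z` sends on port 389
    after a plain TCP connect:
    SEQUENCE { messageID INTEGER,
               ExtendedRequest [APPLICATION 23] { requestName [0] OID } }"""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)

def peek_protocol(first_bytes):
    """Classify the first bytes a client sends, e.g. from a capture of a
    failing connection: 0x30 is a BER SEQUENCE (cleartext LDAP, as with
    -Z on 389); 0x16 0x03 is a TLS handshake record (ldaps:// on 636)."""
    if first_bytes[:1] == b"\x30":
        return "ldap-cleartext"
    if first_bytes[:2] == b"\x16\x03":
        return "tls-handshake"
    return "unknown"

def describe(url, starttls_flag):
    """Mirror the thread's advice: ldaps:// means TLS on connect (636),
    -Z means StartTLS over an ldap:// connection (389); both at once
    are mutually exclusive."""
    scheme = url.split("://", 1)[0].lower()
    if scheme == "ldaps":
        return "conflict" if starttls_flag else "implicit-tls:636"
    if scheme == "ldap":
        return "starttls:389" if starttls_flag else "cleartext:389"
    return "unknown-scheme"

if __name__ == "__main__":
    print(starttls_request().hex())
    print(describe("ldaps://dc1.samdom.example.com", True))
```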
