[Samba] Problem with intermediate certificate (tls cafile)
MAS Jean-Louis
jean-louis.mas at imag.fr
Tue Aug 4 13:18:47 UTC 2020
I have several Samba servers on Debian 10, all using:
samba 2:4.9.5+dfsg-5+deb10u1 amd64
I use tls cafile, tls certfile and tls keyfile with certificates from
Sectigo (https://cert-manager.com).
And when checking my connection from the Samba server, or from outside,
I get "unable to verify the first certificate" even though tls cafile is
provided in smb.conf.
What is wrong?
# checking my connection
openssl s_client -showcerts -connect localhost:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
XXX, CN = ad-rep2.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
XXX, CN = ad-rep2.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
...
Server certificate
subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
CN = ad-rep2.example.com
issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
---
Acceptable client certificate CA names
C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
= USERTrust RSA Certification Authority
C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
= AAA Certificate Services
Requested Signature Algorithms:
RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3041 bytes and written 393 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
# checking my connection with the intermediate certificate
openssl s_client -showcerts -connect localhost:636 -CAfile
/etc/ssl/certs/ad-rep2.example.com-2020-intermediate.pem
CONNECTED(00000003)
Can't use SSL_get_servername
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA
Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
CN = ad-rep2.example.com
verify return:1
---
Certificate chain
0 s:C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN
= ad-rep2.example.com
i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
---
Server certificate
subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
CN = ad-rep2.example.com
issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
---
Acceptable client certificate CA names
C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
= USERTrust RSA Certification Authority
C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
= AAA Certificate Services
Requested Signature Algorithms:
RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3041 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
# My smb.conf
[global]
allow dns updates = nonsecure and secure
disable spoolss = Yes
dns forwarder = w.x.y.z a.b.c.d
load printers = No
log file = /var/log/samba/samba-ad.log
netbios name = AD-REP2
passdb backend = samba_dsdb
printcap cache time = 0
printcap name = /dev/null
realm = EXAMPLE.COM
server role = active directory domain controller
server string = Samba Server Version %v
template homedir = /home/%ACCOUNTNAME%
template shell = /bin/bash
tls cafile = tls/ad-rep2.example.com-2020-intermediate.pem
tls certfile = tls/ad-rep2.example.com-2020-certonly.pem
tls keyfile = tls/ad-rep2.example.com-2020.key
tls verify peer = ca_and_name
workgroup = EXAMPLE
winbindd:use external pipes = true
smbd:backgroundqueue = no
rpc_daemon:spoolssd = embedded
rpc_server:tcpip = no
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
map archive = No
print command = lpr -r -P'%p' %s
printing = bsd
The intermediate certificates
(tls/ad-rep2.example.com-2020-intermediate.pem) are ordered as described
in Sectigo's documentation:
"SSLCertificateChainFile: Intermediate(s)/Root only, PEM encoded (it
contains the certificates from the leaf, without the certificate itself,
to the root)"
Thanks
--
Jean Louis Mas
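Added example, not part of the post: a small Python parser for `openssl s_client -showcerts` output that reads the "Certificate chain" block and the final verify return code, then tells apart a server that sends only its leaf (the situation shown above: one chain entry, error 21, fixed by supplying the intermediate with -CAfile) from a chain that is complete but whose root is not locally trusted. The embedded sample output is constructed from the first session above with the DN fields shortened.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of `openssl s_client -showcerts` output, modelled on the
# first session in the post (DNs shortened): the server presents only its leaf
# certificate, issued by the GEANT intermediate, and the leaf cannot be verified.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 C = FR, O = XXX, CN = ad-rep2.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:C = FR, O = XXX, CN = ad-rep2.example.com
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs from the 'Certificate chain' block,
    in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    parts = output.split("Certificate chain", 1)
    if len(parts) < 2:
        return chain
    for line in parts[1].splitlines():
        if line.strip() == "---":          # end of the chain block
            break
        sub = re.match(r"\s*\d+\s+s:(.*)", line)
        iss = re.match(r"\s*i:(.*)", line)
        if sub:
            chain.append((sub.group(1).strip(), ""))
        elif iss and chain:
            chain[-1] = (chain[-1][0], iss.group(1).strip())
    return chain

def verify_code(output: str) -> Optional[int]:
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def chain_is_linked(chain: List[Tuple[str, str]]) -> bool:
    """Each certificate's issuer must be the subject of the next one sent."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))

def diagnose(output: str) -> str:
    chain, code = parse_chain(output), verify_code(output)
    if code == 0:
        return "ok"
    if len(chain) == 1 and code == 21:
        # Only the leaf arrived and its issuer is unknown locally: the server
        # is not sending the intermediate CA certificate in the handshake.
        return "server sent leaf only; intermediate missing from chain"
    if not chain_is_linked(chain):
        return "chain sent out of order or with a gap"
    if code in (2, 20):   # issuer of the top certificate not found locally
        return "chain complete but root not in local trust store"
    return f"verification failed with code {code}"
```

Run it on a real capture with `diagnose(open("s_client.txt").read())`; a result of "ok" matches the second session above, where the intermediate was supplied on the client side.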