[Samba] Problem with intermediate certificate (tls cafile)

MAS Jean-Louis jean-louis.mas at imag.fr
Thu Aug 6 15:36:52 UTC 2020


Nobody has any clues about the tls cafile?

Regards

On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
> I have several samba servers on Debian 10 all using :
> 
> samba          2:4.9.5+dfsg-5+deb10u1 amd64
> 
> I use tls cafile, tls certfile and tls keyfile with certificates from
> Sectigo (https://cert-manager.com)
> 
> And when checking my connection from the samba server, or from outside,
> I've got "unable to verify the first certificate" even if tls_cafile is
> provided in smb.conf.
> 
> What is wrong?
> 
> # checking my connection
> 
> openssl s_client -showcerts -connect localhost:636
> 
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
> XXX, CN = ad-rep2.example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
> XXX, CN = ad-rep2.example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ...
> Server certificate
> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
> 
> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> 
> ---
> Acceptable client certificate CA names
> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
> = USERTrust RSA Certification Authority
> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
> = AAA Certificate Services
> Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3041 bytes and written 393 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
> 
> # checking my connection with intermediate certificate
> 
> openssl s_client -showcerts -connect localhost:636 -CAfile
> /etc/ssl/certs/ad-rep2.example.com-2020-intermediate.pem
> 
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA
> Limited, CN = AAA Certificate Services
> verify return:1
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
> verify return:1
> depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> verify return:1
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN
> = ad-rep2.example.com
>    i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> ---
> Server certificate
> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
> 
> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> 
> ---
> Acceptable client certificate CA names
> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
> = USERTrust RSA Certification Authority
> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
> = AAA Certificate Services
> Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3041 bytes and written 393 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> closed
> 
> # My smb.conf
> 
> [global]
>         allow dns updates = nonsecure and secure
>         disable spoolss = Yes
>         dns forwarder = w.x.y.z a.b.c.d
>         load printers = No
>         log file = /var/log/samba/samba-ad.log
>         netbios name = AD-REP2
>         passdb backend = samba_dsdb
>         printcap cache time = 0
>         printcap name = /dev/null
>         realm = EXAMPLE.COM
>         server role = active directory domain controller
>         server string = Samba Server Version %v
>         template homedir = /home/%ACCOUNTNAME%
>         template shell = /bin/bash
>         tls cafile = tls/ad-rep2.example.com-2020-intermediate.pem
>         tls certfile = tls/ad-rep2.example.com-2020-certonly.pem
>         tls keyfile = tls/ad-rep2.example.com-2020.key
>         tls verify peer = ca_and_name
>         workgroup = EXAMPLE
>         winbindd:use external pipes = true
>         smbd:backgroundqueue = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:tcpip = no
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         lpq command = lpq -P'%p'
>         lprm command = lprm -P'%p' %j
>         map archive = No
>         print command = lpr -r -P'%p' %s
>         printing = bsd
> 
> Intermediate certificates
> (tls/ad-rep2.example.com-2020-intermediate.pem) are ordered as mentioned
> in sectigo's documentation :
> 
> "SSLCertificateChainFile: Intermediate(s)/Root only,  PEM encoded (it
> contains the certificates from the leaf, without the certificate itself,
> to the root)"
> 
> Thanks
> 

-- 
Jean Louis Mas
Équipe MI LIG
Tel: 04 57 421 425
chat : https://tchat.univ-grenoble-alpes.fr/direct/masjea
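Editor's note on reading the two s_client runs above: in the second run the "Certificate chain" section lists only entry 0 (the leaf), so the server is sending the leaf alone; the verification only passes there because the intermediate bundle was handed to s_client as -CAfile, which turns the GEANT and USERTrust intermediates into trust anchors and hides the missing chain. Samba's "tls cafile" is the trust store it uses to verify peers ("tls verify peer"); to my understanding (an assumption, not something the post or Samba's documentation on this page confirms) the intermediates have to be appended after the leaf in the file named by "tls certfile" for them to be sent on the wire. The script below is an added example, not code from the post or from the Samba project: it builds a throwaway three-tier PKI with openssl (toy CA names, ad-rep2.example.com standing in for the real certificate), reproduces the error 20 failure when only the leaf is presented, shows the same leaf verifying once the intermediates are supplied as -untrusted rather than as trust anchors, and checks that a bundle is ordered leaf-to-root before concatenating it into a candidate certfile. All paths under $WORK are generated by the script.

```shell
#!/bin/sh
# Added example (not from the samba list post): toy PKI plus the checks a
# practitioner runs when a server presents an incomplete chain.
# Assumed: openssl 1.1.1 or later; every file lives in a fresh mktemp dir.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Key + CSR (EC P-256 for speed) with an explicit subject; a minimal req
# config is written so the script does not depend on the system openssl.cnf.
_csr() {  # _csr <dir> <name> <subject>
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1/req.cnf"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$1/req.cnf" -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Root -> intermediate -> leaf, mirroring root / GEANT OV RSA CA 4 / ad-rep2.
make_toy_pki() {  # make_toy_pki <dir>
    d=$1
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ad-rep2.example.com\n' > "$d/leaf.ext"
    _csr "$d" root "/CN=Toy Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    _csr "$d" int "/CN=Toy Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    _csr "$d" leaf "/CN=ad-rep2.example.com"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
    # Intermediate bundle the way a CA ships it: intermediate(s) first, root last.
    cat "$d/int.pem" "$d/root.pem" > "$d/intermediate.pem"
}

# Verify <leaf> against trust anchors in <cafile>. <untrusted> (may be empty)
# is the intermediate bundle, given as -untrusted so it is NOT a trust anchor:
# that is the honest model of "what the server should have sent".
verify_leaf() {  # verify_leaf <cafile> <untrusted-or-empty> <leaf>
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# A PEM bundle is ordered leaf-to-root when the issuer of each certificate is
# the subject of the certificate that follows it. Returns 0 if so, 1 if not.
chain_in_order() {  # chain_in_order <bundle.pem>
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%03d.pem", dir, n)}
                       n>0{print > f}
                       /-----END CERTIFICATE-----/{close(f)}' "$1"
    ok=0; prev_issuer=""
    for c in "$tmp"/*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subj#subject=}" ]; then
            ok=1
        fi
        prev_issuer=$iss
    done
    rm -rf "$tmp"
    return $ok
}

# Candidate "tls certfile" content (assumption, see lead-in): leaf first,
# then the intermediates, and confirm the result is still ordered.
build_certfile() {  # build_certfile <leaf.pem> <intermediate-bundle.pem> <out.pem>
    cat "$1" "$2" > "$3"
    chain_in_order "$3"
}

WORK=$(mktemp -d)
make_toy_pki "$WORK"

# 1. Leaf alone, trusting only the root: the situation in the first s_client
#    run of the post (error 20, "unable to get local issuer certificate").
if verify_leaf "$WORK/root.pem" "" "$WORK/leaf.pem"; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone: unable to get local issuer certificate (expected)"
fi
# 2. Same leaf with the intermediates supplied alongside it, as a server should.
verify_leaf "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/leaf.pem" \
    && echo "leaf + intermediates: verified"
# 3. Bundle ordering and the concatenated certfile candidate.
chain_in_order "$WORK/intermediate.pem" && echo "intermediate.pem: ordered leaf-to-root"
build_certfile "$WORK/leaf.pem" "$WORK/intermediate.pem" "$WORK/certfile.pem" \
    && echo "certfile.pem: leaf + chain, ordered (generated under $WORK)"
```

Once a candidate certfile is in place and Samba restarted, the check that matters is the "Certificate chain" section of `openssl s_client -showcerts -connect host:636` run with the system trust store only (no -CAfile pointing at the intermediates): it should now list entries 0 and 1 (and 2 if the bundle includes the root), and the verification result should be OK without any extra flags.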


