[Samba] Problem with intermediate certificate (tls cafile)
MAS Jean-Louis
jean-louis.mas at imag.fr
Thu Aug 6 15:36:52 UTC 2020
Nobody has any clues about the tls cafile?
Regards
On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
> I have several samba servers on Debian 10 all using:
>
> samba 2:4.9.5+dfsg-5+deb10u1 amd64
>
> I use tls cafile, tls certfile and tls keyfile with certificates from
> Sectigo (https://cert-manager.com)
>
> And when checking my connection from the samba server, or from outside,
> I've got "unable to verify the first certificate" even if tls_cafile is
> provided in smb.conf.
>
> What is wrong?
>
> # checking my connection
>
> openssl s_client -showcerts -connect localhost:636
>
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
> XXX, CN = ad-rep2.example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
> XXX, CN = ad-rep2.example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ...
> Server certificate
> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
>
> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>
> ---
> Acceptable client certificate CA names
> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
> = USERTrust RSA Certification Authority
> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
> = AAA Certificate Services
> Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3041 bytes and written 393 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>
> # checking my connection with intermediate certificate
>
> openssl s_client -showcerts -connect localhost:636 -CAfile
> /etc/ssl/certs/ad-rep2.example.com-2020-intermediate.pem
>
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA
> Limited, CN = AAA Certificate Services
> verify return:1
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
> verify return:1
> depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> verify return:1
> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
> verify return:1
> ---
> Certificate chain
> 0 s:C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN
> = ad-rep2.example.com
> i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> ---
> Server certificate
> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
> CN = ad-rep2.example.com
>
> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>
> ---
> Acceptable client certificate CA names
> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
> = USERTrust RSA Certification Authority
> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
> = AAA Certificate Services
> Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3041 bytes and written 393 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> closed
>
> # My smb.conf
>
> [global]
> allow dns updates = nonsecure and secure
> disable spoolss = Yes
> dns forwarder = w.x.y.z a.b.c.d
> load printers = No
> log file = /var/log/samba/samba-ad.log
> netbios name = AD-REP2
> passdb backend = samba_dsdb
> printcap cache time = 0
> printcap name = /dev/null
> realm = EXAMPLE.COM
> server role = active directory domain controller
> server string = Samba Server Version %v
> template homedir = /home/%ACCOUNTNAME%
> template shell = /bin/bash
> tls cafile = tls/ad-rep2.example.com-2020-intermediate.pem
> tls certfile = tls/ad-rep2.example.com-2020-certonly.pem
> tls keyfile = tls/ad-rep2.example.com-2020.key
> tls verify peer = ca_and_name
> workgroup = EXAMPLE
> winbindd:use external pipes = true
> smbd:backgroundqueue = no
> rpc_daemon:spoolssd = embedded
> rpc_server:tcpip = no
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> map archive = No
> print command = lpr -r -P'%p' %s
> printing = bsd
>
> Intermediate certificates
> (tls/ad-rep2.example.com-2020-intermediate.pem) are ordered as mentioned
> in Sectigo's documentation:
>
> "SSLCertificateChainFile: Intermediate(s)/Root only, PEM encoded (it
> contains the certificates from the leaf, without the certificate itself,
> to the root)"
>
> Thanks
>
--
Jean Louis Mas
Équipe MI LIG
Tel: 04 57 421 425
chat : https://tchat.univ-grenoble-alpes.fr/direct/masjea
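Added note, not part of the original post: the two s_client runs quoted above differ in one telling detail, the "Certificate chain" section of the second run lists only entry 0 (the leaf), so the client verifies only once it is handed the intermediate through -CAfile. The helper below was written for this thread (it is not Samba's or Sectigo's code) to check a bundle such as tls/ad-rep2.example.com-2020-intermediate.pem for the issuer-to-subject ordering the quoted Sectigo text describes, and to save the chain a server actually presents so the same check can be run on it; the host:port and file names are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not part of the original post).
# Checks a PEM bundle the way a TLS client walks a chain: every certificate's
# issuer must be the subject of the certificate that follows it in the file,
# so the order is leaf (if present) -> intermediate(s) -> root.

# split_pem FILE DIR: write each certificate in FILE to DIR/cert-N.pem
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# dn subject|issuer CERT: print one DN of a certificate in RFC 2253 form
dn() {
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*= *//'
}

# served_chain HOST:PORT FILE: save the chain a server actually presents
# (what the s_client runs in the thread show under "Certificate chain")
served_chain() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# check_chain_order FILE: print subject/issuer per certificate; return 1 on a
# broken issuer -> subject link, 2 if the file holds no certificate at all
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    split_pem "$1" "$tmp"
    rc=0; prev_issuer=''; i=1
    while [ -f "$tmp/cert-$i.pem" ]; do
        subj=$(dn subject "$tmp/cert-$i.pem")
        iss=$(dn issuer "$tmp/cert-$i.pem")
        printf '%d: subject=%s\n   issuer=%s\n' "$i" "$subj" "$iss"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            printf '   BROKEN LINK: certificate %d was issued by "%s"\n' \
                "$((i - 1))" "$prev_issuer"
            rc=1
        fi
        prev_issuer=$iss
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 2
    return "$rc"
}
```

Run it first on the intermediate bundle and then on the file saved by served_chain localhost:636; a bundle that passes while the served chain holds a single certificate means the intermediate is simply not being sent.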