On Saturday 12 Nov 2011 21:34:05 you wrote:
> Hi Steve,
>
> 2011/11/12 steve <st...@steve-ss.com>:
> > My smb conf looks like this:
> >
> > passdb backend = ldapsam:ldap://hh1.site
> > idmap backend = ldap:ldap://hh1.site
> > ldap ssl = start tls
>
> Looks right.
>
> > hh1.site is my FQDN and is also the CN for the CA and servercerts.
>
> Good
>
> > But I'm wondering. Since the samba and ldap servers are both on the same
> > box, is that why TLS isn't working?
>
> Nope. But you could disable ssl/tls in that case: "ldap ssl = off"
>
> > Because it doesn't make sense to have
> > it?
>
> It doesn't make sense to use ssl/tls connections in your case, but it
> is not the reason your setup is not working.
>
> > There is no communication between samba and ldap over the network as
> > they are both on the same machine. Would this explain the errors:
> No
>
> > However, they can connect with:
> >
> > TLS_REQCERT never
> > in
> > /etc/openldap/ldap.conf
>
> Yes, because you are missing your CA. If you want samba to connect
> to openldap over tls/ssl, you need something like this:
>
> TLS_REQCERT hard
> TLS_CACERT /path/to/your/ca.crt
>
> > Confused!
>
> Basically you either need to disable tls (ldapsam:ldap://.... and ldap
> ssl = off) or put your CA in your samba server and tell ldap where to
> find it.
>
> Regards,
> Norberto
Norberto, you are magic. I commented out:

#TLS_REQCERT never

and added:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem

to /etc/openldap/ldap.conf. Restarted ldap and samba and it connected with STARTTLS!

Thank you so much.
Steve.
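The fix in this thread comes down to one OpenLDAP client directive: `TLS_REQCERT never` makes the connection "work" by not checking the server certificate at all, while `TLS_REQCERT hard` plus a pinned `TLS_CACERT` is what actually authenticates the LDAP server. The script below is an added example, not code from either poster; it audits an `ldap.conf`-style file for exactly those directives so the weak setting is caught before it is copied onto the next host. The two sample configs, the `dc=example,dc=com` base, the `ldap.example.com` host and the CA path `/etc/openldap/cacerts/EXAMPLE-CA.pem` are constructed placeholders; the semantics of `never`, `allow`, `try`, `hard` and `demand` follow the ldap.conf(5) manual.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenLDAP client config
# (/etc/openldap/ldap.conf style) for the TLS verification directives.
# TLS_REQCERT never/allow/try all tolerate a missing or bad server
# certificate; hard/demand with a configured TLS_CACERT (or
# TLS_CACERTDIR) is what authenticates the LDAP server.

# Constructed sample of the weak setting the thread started with.
WEAK_CONF='# ldap.conf (constructed sample)
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_REQCERT never'

# Constructed sample of the hardened setting. The CA path is a
# placeholder, not a file that exists on this host.
HARDENED_CONF='# ldap.conf (constructed sample)
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_REQCERT hard
TLS_CACERT  /etc/openldap/cacerts/EXAMPLE-CA.pem'

# directive FILE NAME: print the value of the last uncommented NAME line
# (OpenLDAP honours the last occurrence); prints nothing if absent.
directive() {
    sed -e 's/#.*//' "$1" | awk -v name="$2" '
        toupper($1) == name { value = $2 }
        END { print value }'
}

# audit_ldap_conf FILE: print one finding per line; return 0 when the
# file requires and verifies the server certificate against a configured
# trust anchor, 1 otherwise.
audit_ldap_conf() {
    file="$1"
    reqcert=$(directive "$file" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(directive "$file" TLS_CACERT)
    cacertdir=$(directive "$file" TLS_CACERTDIR)
    status=0

    case "$reqcert" in
        never|allow)
            echo "$file: TLS_REQCERT $reqcert -> a bad or missing server certificate is accepted"
            status=1 ;;
        try)
            echo "$file: TLS_REQCERT try -> a server that sends no certificate is accepted"
            status=1 ;;
        ''|hard|demand)
            echo "$file: TLS_REQCERT ${reqcert:-unset (defaults to demand)} -> certificate required and verified" ;;
        *)
            echo "$file: TLS_REQCERT $reqcert -> unrecognised value"
            status=1 ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "$file: no TLS_CACERT/TLS_CACERTDIR -> no trust anchor, verification cannot succeed"
        status=1
    else
        echo "$file: trust anchor ${cacert:-$cacertdir}"
    fi
    return "$status"
}

# run_sample LABEL CONTENT: write the sample to a temp file and audit it.
run_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if audit_ldap_conf "$tmp"; then echo "$1: OK"; else echo "$1: WEAK"; fi
    rm -f "$tmp"
}

# Stand-alone demonstration on the two constructed samples.
run_sample weak "$WEAK_CONF"
run_sample hardened "$HARDENED_CONF"
```

Run it against the real `/etc/openldap/ldap.conf` with `audit_ldap_conf /etc/openldap/ldap.conf`; a non-zero exit is the signal that the client will connect over STARTTLS without ever authenticating the directory server, which is the state the `never` workaround left things in.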