Hi Peter, as you can see from your logs your Samba server does not like the SSL certificate because it is self-signed. If you are using self-signed certificates you must copy some data onto all clients which are going to connect to your server over SSL. Or, as I have done, you can create your own CA using OpenSSL, which I think is a cleaner way to configure things. Take a look at these instructions, maybe you'll find them helpful:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

Thanks,
Andy.


Hi! I know this should be asked on the OpenLDAP mailing list, but: I'm trying to set up a Samba/LDAP environment where the Samba server is separated from the LDAP server. Everything seems to work on the LDAP server, and when I do an ldapsearch like this:

    ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x

everything works on both. But when I do:

    ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x

it works on the LDAP server without errors, but on the Samba server I get the following error:

    TLS certificate verification: Error, self signed certificate
    tls_write: want=7, written=7
      0000:  15 03 01 00 02 02 30                               ......0
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect.
    ldap_perror
    ldap_bind: Can't contact LDAP server (81)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see, my ldap.conf contains both "ssl start_tls" and "tls_cacertfile /usr/local/etc/openldap/server.pem". I created a CA certificate called server.pem on the LDAP server with the FQDN as "Common Name". I simply copied it to the Samba server. Both my ldap.conf files look like this:

    # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    HOST    130.237.179.25
    BASE    dc=dbb, dc=su, dc=se
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    TLS_CACERT /usr/local/etc/openldap/server.pem

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl start_tls

    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    tls_cacertfile /usr/local/etc/openldap/server.pem
    #tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer.

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv. Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobile: 070 339 24 69
Fax: 08 153679

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
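The private-CA approach Andy points to, as an added example that is not code from the original thread or from the linked instructions. The host name l1.example.com, the scratch directory and the client ldap.conf paths are assumptions for illustration, and the openssl command-line tool must be installed. The script builds a CA, issues a server certificate for the LDAP host, and then shows how OpenSSL verifies certificates under the trust configurations a client can end up in: the CA certificate (verifies), the wrong trust anchor (the "unknown CA" alert in the log above), a self-signed certificate that is itself the trust anchor (also verifies), and no matching anchor at all (the "self signed certificate" error). The host-name check is included because libldap, with the default TLS_REQCERT demand, also compares the name it connected to against the certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread: build a private CA
# with OpenSSL, issue a server certificate for an LDAP host, and compare
# how OpenSSL verifies certificates under different trust anchors.
# Assumptions: host name, scratch directory and ldap.conf paths are made
# up for illustration; the openssl command-line tool must be installed.

LDAP_HOST="l1.example.com"      # assumed FQDN of the LDAP server
WORK="$(mktemp -d)"             # scratch directory for keys and certificates
trap 'rm -rf "$WORK"' EXIT

# make_certs DIR: writes ca.pem (private CA), server.pem (issued by that
# CA for $LDAP_HOST) and self.pem (the same server key, self-signed).
# Extensions come from explicit -extfile input so the result does not
# depend on whatever openssl.cnf is installed.
make_certs() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$LDAP_HOST" \
        > "$dir/server.ext"

    # 1. The CA: key, request, and a self-signed CA certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example LDAP CA" \
        -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

    # 2. The server: key and request carrying the FQDN, signed by the CA.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$LDAP_HOST" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null

    # 3. For comparison: the same request signed with its own key.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days 2 \
        -extfile "$dir/server.ext" -out "$dir/self.pem" 2>/dev/null
}

# verify_with CAFILE CERT: succeeds if CERT chains to CAFILE, fails otherwise.
# An empty CAFILE means "only the system trust store", which is what a
# client without a usable TLS_CACERT effectively does. The exit status of
# "openssl verify" differs across versions, so the "<file>: OK" line is checked.
verify_with() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$2" 2>&1 | grep -q ': OK$'
    fi
}

# verify_host CAFILE CERT NAME: as above, plus the host-name check a TLS
# client performs against the name it connected to.
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 | grep -q ': OK$'
}

# report LABEL CMD...: run one check and print its outcome on one line.
report() {
    label="$1"; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

make_certs "$WORK"
report "CA-issued cert, client trusts ca.pem"            verify_with "$WORK/ca.pem"   "$WORK/server.pem"
report "CA-issued cert, client trusts the wrong file"    verify_with "$WORK/self.pem" "$WORK/server.pem"
report "self-signed cert, client trusts that same cert"  verify_with "$WORK/self.pem" "$WORK/self.pem"
report "self-signed cert, client trusts nothing of ours" verify_with ""               "$WORK/self.pem"
report "host name matches certificate"                   verify_host "$WORK/ca.pem" "$WORK/server.pem" "$LDAP_HOST"
report "host name does not match certificate"            verify_host "$WORK/ca.pem" "$WORK/server.pem" "other.example.com"

# The first case as a client would configure it (assumed paths): copy
# ca.pem, not the server's own certificate, to every client and point
# libldap at it.
cat <<EOF

Client ldap.conf for the private-CA setup:
URI         ldaps://$LDAP_HOST/
BASE        dc=example,dc=com
TLS_CACERT  /usr/local/etc/openldap/ca.pem
TLS_REQCERT demand
EOF
```

Run it with sh; it prints one line per case. The third case is the check worth running on a client that reports "self signed certificate": a self-signed certificate listed in TLS_CACERT does verify, so if `openssl verify -CAfile server.pem server.pem` succeeds on the client yet the connection still fails, the certificate the server actually sends is not the one in that file (or libldap is reading a different file). `openssl s_client -connect host:636 -CAfile server.pem` shows the chain the server presents. Note also that libldap reads TLS_CACERT and TLS_REQCERT from ldap.conf; `ssl start_tls` and `tls_cacertfile` are nss_ldap/pam_ldap options that ldapsearch does not consult.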