UPDATE:
I just finished troubleshooting a login problem with the user from the
password change problem below. He could not log in today. It eventually was
discovered that he could log in with the new password he was changing to when
the messages below were being generated.
We did not think the password change was successful because on the Windows
machine he is using he was getting errors during the transaction yesterday.
So it appears that smbd is not handling the return code from the self-signed
certificate properly, or it needs to be able to ignore the verification somehow, similar to
how /etc/ldap.conf / openldap does.
Ideas / Suggestions?
Thanks
Jim Summers wrote:
Hello List,
I am attempting to resolve a problem with my samba / ldap setup when a
user attempts to change their samba password. I am running smbd
version 3.0.22 on RHEL4. When a user attempts to change their Windows
password, the following shows up in the smbd.log file:
ldapsam_modify_entry: LDAP Password could not be changed for user sland:
Confidentiality required
Operation requires a secure connection.
Since my ldap server is set up with ldaps using a self-signed certificate,
I figured all I needed to do was turn ssl on with:
ldap ssl = on
and the passdb backend set with "ldap://host",
but that still returned the same error messages in the log.
Next I tried changing the passdb backend to use "ldaps://host",
but then I started getting the following message in the log:
LDAP error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Time
limit exceeded)
and using: openssl s_client -connect server-cert:636 -showcerts -state
ends with: Verify return code: 19 (self signed certificate in
certificate chain)
This works OK with /etc/ldap.conf by turning off certificate checking.
So I am not sure which way to go at this point. Since the ldap
authentication for the operating system works through ldaps with no
problem (I have it set to not verify the certificate in ldap.conf), it
seems I need to be able to tell samba to not verify the certificate?
I looked through the docs and did not see a parameter for that. Is
there such a parameter?
Any ideas or suggestions?
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
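The configuration below is an added example, not part of the thread above and not from the Samba project. It shows the two pieces a setup like this needs so that smbd can change passwords over an encrypted LDAP connection without disabling certificate verification. Two facts drive it: smbd talks to the directory through libldap, which reads /etc/openldap/ldap.conf on RHEL (not /etc/ldap.conf, which belongs to nss_ldap/pam_ldap, so a tls_checkpeer setting there never reaches smbd); and slapd's "Confidentiality required" error is satisfied by either an ldaps:// connection or a StartTLS session on the plain ldap:// port. The hostname ldap.example.com, the base DN and the CA file path are placeholders.

```ini
# ---- /etc/samba/smb.conf (fragment of the [global] section) ----
[global]
    # Option A: native LDAPS on port 636. With an ldaps:// URI, set
    # "ldap ssl = off" so smbd does not also attempt StartTLS on a
    # connection that is already encrypted.
    passdb backend = ldapsam:ldaps://ldap.example.com
    ldap ssl = off

    # Option B (alternative to A): plain port 389 upgraded with the
    # StartTLS extended operation. This also satisfies a slapd
    # "security ssf=..." requirement.
    ;passdb backend = ldapsam:ldap://ldap.example.com
    ;ldap ssl = start tls

    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=Manager,dc=example,dc=com
    # Let the Windows password change also update the LDAP userPassword
    ldap passwd sync = yes

# ---- /etc/openldap/ldap.conf (read by libldap, hence by smbd) ----
# Trust the self-signed server certificate (or the CA that issued it)
# instead of turning verification off. Export the server's certificate
# to this file; path is a placeholder.
TLS_CACERT /etc/openldap/cacerts/ldap-server-ca.pem
# "demand" is the default and refuses connections whose certificate does
# not verify; "never" would silence the error but leaves smbd unable to
# detect a spoofed directory server.
TLS_REQCERT demand
```

After changing either file, restart smbd and confirm with `openssl s_client -connect ldap.example.com:636 -CAfile /etc/openldap/cacerts/ldap-server-ca.pem` that the output ends with "Verify return code: 0 (ok)" rather than code 19; only then will libldap accept the certificate and the "certificate verify failed" entry disappear from smbd.log.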