Re: [Samba] SAMBA + LDAP + TLS

Samba is a client to slapd, so it needs a properly configured ldap.conf.

On 10/9/06, Net Warrior <[EMAIL PROTECTED]> wrote:
> Ok, thanks, I'll try that. I did not modify ldap.conf, because I thought that
> ldap.conf is a client setting and not a server setting,

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] SAMBA + LDAP + TLS

Ok, thanks, I'll try that. I did not modify ldap.conf, because I thought that ldap.conf is a client setting and not a server setting. I'll try that anyway.

And one more thing: what's right, like this -> passdb backend = ldapsam:ldap://127.0.0.1, or like this -> ldaps://127.0.0.1:636 ?

Thanks for your time, very kind of you.

2006/10/9, Guillaume <[EMAIL PROTECTED]>:
> Net Warrior wrote:
> > Hi there guys, do not know if post this here or in openldap list, sorry if I
> > disturb you.
> >
> > I configured samba+ldap as a PDC and by now it's working fine, so, I
> > decided to put some security to the stuff.
> > The problem is that I could not make it work, here is what I've done.
> [...]
> >     Verify return code: 18 (self signed certificate)
> [...]
> >     error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >     Connection to LDAP server failed for the 1 try!
> >
> > and on, and on, and on..
> >
> > What am I missing?
> [...]
>
> Hi
> I think you have a problem because you sign your certificate by yourself.
> Just try to put this line in your ldap.conf file, the client config file... not the slapd.conf !!
>
>     TLS_REQCERT allow
>
> Regards
> Guillaume
>
> --
> Guillaume
> E-mail: silencer__free-4ever__net
> Blog: http://guillaume.free-4ever.net
> Site: http://www.free-4ever.net

Re: [Samba] SAMBA + LDAP + TLS

Net Warrior wrote:
> Hi there guys, do not know if post this here or in openldap list, sorry if I disturb you.
>
> I configured samba+ldap as a PDC and by now it's working fine, so, I decided to put some security to the stuff. The problem is that I could not make it work, here is what I've done.
[...]
> In slapd.conf I have:
>
>     TLSCipherSuite HIGH:MEDIUM:+SSLv3
>     TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
>     TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
>     VerifyClient demand
>
> I created the certificate like this:
>
>     openssl genrsa -out server.key 2048
>     openssl req -new -key server.key -out server.csr
>     openssl req -in server.csr -key server.key -x509 -out server.crt
>
>     openssl s_client -connect localhost:636 -showcerts
[...]
>     Verify return code: 18 (self signed certificate)
[...]
> smb.conf:
>
>     passdb backend = ldapsam:ldap://127.0.0.1
>
> Does it have to be ldaps://127.0.0.1:636?
>
> Is this enough to establish a secure connection? I never see, with netstat, 636 ESTABLISHED.
>
> If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several how-to's, I get (for example with pdbedit -Lv or trying to login from an XP machine) the following in the server:
>
>     Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
>     smbldap_open_connection: connection opened
>     failed to bind to server ldaps://127.0.0.1:636 with dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
>     error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     Connection to LDAP server failed for the 1 try!
>
> and on, and on, and on..
>
> What am I missing?
>
> My clients are XP machines.
>
> Thanks in advance, sorry for the noise and for my very basic question.

Hi
I think you have a problem because you sign your certificate by yourself.
Just try to put this line in your ldap.conf file, the client config file... not the slapd.conf !!

    TLS_REQCERT allow

Regards
Guillaume

--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
Site: http://www.free-4ever.net

[Samba] SAMBA + LDAP + TLS

Hi there guys, do not know if post this here or in openldap list, sorry if I disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so, I decided to put some security to the stuff. The problem is that I could not make it work, here is what I've done.

This is what netstat shows:

    tcp   0   0 0.0.0.0:389     0.0.0.0:*        LISTEN
    tcp   0   0 0.0.0.0:636     0.0.0.0:*        LISTEN
    tcp   0   0 127.0.0.1:389   127.0.0.1:1873   ESTABLISHED
    tcp   0   0 :::389          :::*             LISTEN
    tcp   0   0 :::636          :::*             LISTEN

In slapd.conf I have:

    TLSCipherSuite HIGH:MEDIUM:+SSLv3
    TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
    TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
    VerifyClient demand

I created the certificate like this:

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl req -in server.csr -key server.key -x509 -out server.crt

    openssl s_client -connect localhost:636 -showcerts

    CONNECTED(0003)
    ---
    Certificate chain
     0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
       i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    -----BEGIN CERTIFICATE-----
    the garbage
    -----END CERTIFICATE-----
    ---
    subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1115 bytes and written 468 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
        Session-ID-ctx:
        Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
        Key-Arg   : None
        Start Time: 1160232704
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed

smb.conf:

    passdb backend = ldapsam:ldap://127.0.0.1

Does it have to be ldaps://127.0.0.1:636?

Is this enough to establish a secure connection? I never see, with netstat, 636 ESTABLISHED.

If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several how-to's, I get (for example with pdbedit -Lv or trying to login from an XP machine) the following in the server:

    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
    smbldap_open_connection: connection opened
    failed to bind to server ldaps://127.0.0.1:636 with dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Connection to LDAP server failed for the 1 try!

and on, and on, and on..

What am I missing?

My clients are XP machines.

Thanks in advance, sorry for the noise and for my very basic question.

Re: [Samba] Samba + LDAP + TLS

On 10/24/05, Jukka Hienola <[EMAIL PROTECTED]> wrote:
> My question is, how can changing "passdb backend" from ldap.server.name to
> 127.0.0.1 have this effect, since the server name should have been
> resolvable with the /etc/hosts file? Does it have something to do with my
> certificate files, which are generated using ldap.server.name? However,
> I was able to login with TLS and Apache, so I don't think that's the case.

Some LDAP clients are more or less forgiving of certificate name mismatches. OpenLDAP 2.0.27 will work if the name mismatches; OpenLDAP 2.2.23 won't; IIRC, pam_ldap won't, even if linked against OpenLDAP 2.0.27 libraries. So that may explain why some software works and some doesn't.

Josh Kelley

Re: [Samba] Samba + LDAP + TLS

Gerald (Jerry) Carter wrote:
> Jukka Hienola wrote:
> | So, our name server was unavailable this morning due to an OS update.
> | Division's Samba and LDAP services are running on the same server, and
> | Samba is using TLS in connecting to the LDAP service. Because some of
> | the network names were not resolvable, I changed "passdb backend =
> | ldapsam:ldap://ldap.server.name/" to "passdb backend =
> | ldapsam:ldap://127.0.0.1/" in smb.conf, although I have
> | ldap.server.name also in /etc/hosts, just in case.
> [...]
> | Samba gave me errors like
> |
> |     smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
> |     smbd[1956]:   Failed to issue the StartTLS instruction: Connect error
>
> My immediate guess would be that the connect failed due to a mismatch in the server name's cert. Make sure you can run 'ldapsearch -ZZ -h 127.0.0.1 ...'

Yes I can. Any other way to connect to the LDAP service via TLS works fine except Samba.

Jukka

Re: [Samba] Samba + LDAP + TLS

Jukka Hienola wrote:
| So, our name server was unavailable this morning due to an OS update.
| Division's Samba and LDAP services are running on the same server, and
| Samba is using TLS in connecting to the LDAP service. Because some of
| the network names were not resolvable, I changed "passdb backend =
| ldapsam:ldap://ldap.server.name/" to "passdb backend =
| ldapsam:ldap://127.0.0.1/" in smb.conf, although I have
| ldap.server.name also in /etc/hosts, just in case. In
| file /etc/nsswitch.conf I have the line "hosts: files dns".
| After I restarted Samba, I just couldn't login to the
| domain anymore, either with machine or domain user accounts.
| Samba gave me errors like
|
|     smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
|     smbd[1956]:   Failed to issue the StartTLS instruction: Connect error

My immediate guess would be that the connect failed due to a mismatch in the server name's cert. Make sure you can run 'ldapsearch -ZZ -h 127.0.0.1 ...'

cheers, jerry
--
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key  --- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous

[Samba] Samba + LDAP + TLS

Hi!

I'm a bit new to Samba+LDAP integration, and most likely because of that I experienced this morning something I can't fully understand. I would appreciate it if someone could explain to me what was really wrong.

So, our name server was unavailable this morning due to an OS update. Division's Samba and LDAP services are running on the same server, and Samba is using TLS in connecting to the LDAP service. Because some of the network names were not resolvable, I changed "passdb backend = ldapsam:ldap://ldap.server.name/" to "passdb backend = ldapsam:ldap://127.0.0.1/" in smb.conf, although I have ldap.server.name also in /etc/hosts, just in case. In file /etc/nsswitch.conf I have the line "hosts: files dns". After I restarted Samba, I just couldn't login to the domain anymore, either with machine or domain user accounts. Samba gave me errors like

    smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
    smbd[1956]:   Failed to issue the StartTLS instruction: Connect error
    smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
    smbd[1956]:   Connection to LDAP server failed for the 1 try!
    smbd[1956]: [2005/10/24 11:03:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
    smbd[1956]:   init_sam_from_ldap: Entry found for user: myusr
    smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:init_sam_from_ldap(553)
    smbd[1956]:   init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user myusr
    smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
    smbd[1956]:   ldapsam_getsampwnam: init_sam_from_ldap failed for user 'myusr'!
    smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
    smbd[1956]:   check_ntlm_password: Authentication for user [myusr] -> [myusr] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that this issue was somehow related to the changes I made in the smb.conf file.

At the same time I could login to the server using ssh, and also, e.g., the command "smbclient -L ldap.server.name -U myusr" gave me a list of all available services. Also I could authenticate myself through Apache, which also uses TLS to connect to the LDAP server.

My question is, how can changing "passdb backend" from ldap.server.name to 127.0.0.1 have this effect, since the server name should have been resolvable with the /etc/hosts file? Does it have something to do with my certificate files, which are generated using ldap.server.name? However, I was able to login with TLS and Apache, so I don't think that's the case.

Thanks in advance,
Jukka Hienola

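The check that the stricter client libraries Josh mentions perform, as an added example for this thread (my code, not Samba's or OpenLDAP's): match the host named in `passdb backend` against the certificate's identities following RFC 6125. An IP literal such as 127.0.0.1 is compared only with iPAddress SANs, never with a CN holding ldap.server.name, which is why the loopback URI fails against a certificate issued for the host name unless that certificate also carries an iPAddress SAN. The certificate identities are constructed dicts standing in for a parsed certificate; the wildcard handling goes beyond the thread's case.

```python
"""Host-name check a strict LDAP client applies to the server certificate.
Added example for this thread, not Samba or OpenLDAP code. A certificate is
represented by a constructed dict standing in for a parsed certificate:
{"cn": str or None, "dns": [dNSName SANs], "ip": [iPAddress SANs]}."""
import ipaddress
from urllib.parse import urlsplit


def passdb_host(passdb_backend):
    """'ldapsam:ldap://ldap.server.name/' -> 'ldap.server.name'
    (a single URI is assumed; Samba also accepts a quoted list)."""
    _, _, uri = passdb_backend.strip().partition(":")
    return urlsplit(uri.strip().strip('"')).hostname


def _dns_match(pattern, host):
    """Case-insensitive DNS name match; a single '*' may replace the
    leftmost label only (so *.example.com does not cover example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches_host(cert, host):
    """Return (accepted, reason) for connecting to `host` with this cert."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URI is compared with iPAddress SANs only; a
        # CN holding the server's DNS name does not make 127.0.0.1 acceptable.
        for san in cert.get("ip", []):
            if ipaddress.ip_address(san) == ip:
                return True, f"iPAddress SAN {san} matches {host}"
        return False, f"no iPAddress SAN covers {host}"
    for san in cert.get("dns", []):
        if _dns_match(san, host):
            return True, f"dNSName SAN {san} matches {host}"
    cn = cert.get("cn")
    if not cert.get("dns") and cn and _dns_match(cn, host):
        # CN is consulted only when the cert carries no dNSName SANs (RFC 6125)
        return True, f"CN {cn} matches {host} (no dNSName SANs present)"
    return False, f"neither dNSName SANs {cert.get('dns', [])} nor CN {cn!r} match {host}"


def check_passdb(passdb_backend, cert):
    """Apply the check to the URI configured in smb.conf."""
    ok, why = cert_matches_host(cert, passdb_host(passdb_backend))
    return ok, f"{passdb_backend}: {why}"


# Constructed certificate identities modelled on the thread's setup.
CERT_CN_ONLY = {"cn": "ldap.server.name", "dns": [], "ip": []}
# Reissuing with both a dNSName and an iPAddress SAN lets either URI verify.
CERT_WITH_SANS = {"cn": "ldap.server.name",
                  "dns": ["ldap.server.name"], "ip": ["127.0.0.1"]}

if __name__ == "__main__":
    for backend in ("ldapsam:ldap://ldap.server.name/", "ldapsam:ldap://127.0.0.1/"):
        for label, cert in (("CN only", CERT_CN_ONLY), ("with SANs", CERT_WITH_SANS)):
            ok, why = check_passdb(backend, cert)
            print(f"[{label}] {'OK  ' if ok else 'FAIL'} {why}")
```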
Re: [Samba] Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

Paul Coray:
> Three days ago I switched our domain from an NT 4 domain controller to
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the
> following unofficial Debian OpenLDAP 2.2 packages (I know these are not
> supported, but TLS with OpenSSL is essential to us...):
>
>     Package: slapd
>     Version: 2.2.20-1.hrz.1
>
>     Package: libldap2.2
>     Version: 2.2.20-1.hrz.1
>
>     Package: ldap-utils
>     Version: 2.2.20-1.hrz.1

I'm a Red Hat person, don't know Debian at all ... However: to use OL 2.2 you'll have to have Sleepycat BDB 4.2.52 + patches, too.

> In order to keep apt from lamenting over missing dependencies, I left
> the official libldap2 package on the system, but I made sure libldap and
> liblber are linked to version 2.2:
[...]
> This LDAP master does replication with slurpd to a slave (Solaris 9,
> SunSparc, with blastwave.org OpenLDAP 2.1.27, linked to OpenSSL,
> pam-ldap and nss-ldap from PADL). This system also is hosting samba backup
> domain control (blastwave.org Samba 3.0.10).
>
> As soon as the LDAP replication is active, my windows users are
> experiencing problems logging on to the domain, often they only manage to
> log in with locally cached credentials/profiles. I suspect there are
> problems with TLS, as I see a lot of messages like this in the Samba
> machine logs:
[...]
> And, why does this go away as soon as I stop slurpd on the master and
> slapd on the slave?

IIRC OL 2.2 won't replicate (slurpd) to a 2.1 slave and the slave can't update a 2.2 server. 2.2 compiles fine on Solaris 7/8/9, so the gurus on the OL list say (I've no experience), as long as one uses GNU gcc and tools. Try to go that way - and don't forget BDB 4.2.52 (Cyrus SASL if you need it).

--Tonni
--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl

[Samba] Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages
Dear Torsten, dear samba list reader Three days ago I switched our domain from a NT 4 domaincontroller to Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the following inofficial Debian OpenLDAP 2.2 packages (I know these are not supported, but TLS with OpenSSL is essential to us...): Package: slapd Version: 2.2.20-1.hrz.1 Package: libldap2.2 Version: 2.2.20-1.hrz.1 Package: ldap-utils Version: 2.2.20-1.hrz.1 In order to keep apt from lamenting over missing dependencies, i left the official libldap2 package on the system, but I made sure, libldap and liblber are linked to version 2.2: Package: libldap2 Version: 2.1.30-3 Samba domain control (PDC) is running on the same system: Package: samba Version: 3.0.10-1 This LDAP master does replication with slurpd to a slave (Solaris 9, SunSparc, with blastwave.org OpenLDAP 2.1.27, linked to OpenSSL, pam-ldap and nss-ldap from PADL). This system also is hosting samba backup domain control (blastwave.org Samba 3.0.10). As soon as the LDAP-replication is active, my windows users are experiencing problems logging on to the domain, often they only manage to log in with locally cached credentials/profiles. 
I suspect there are problems with TLS, as I see a lot of messages like this in the Samba machine logs: [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(36) === [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(37) INTERNAL ERROR: Signal 6 in pid 15289 (3.0.10-Debian) Please read the appendix Bugs of the Samba HOWTO collection [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(39) === [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1482) PANIC: internal error [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1490) BACKTRACE: 34 stack frames: #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1] #1 /usr/sbin/smbd(smb_panic+0x1a) [0x81e04ca] #2 /usr/sbin/smbd [0x81cc8e8] #3 [0xe420] #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12] #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f] #6 /usr/lib/libldap.so.2 [0x4002b12d] #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee] #8 /usr/lib/libldap.so.2(ldap_new_connection+0x89) [0x400374c9] #9 /usr/lib/libldap.so.2(ldap_open_defconn+0x41) [0x400252a1] #10 /usr/lib/libldap.so.2(ldap_send_initial_request+0x8f) [0x4003703f] #11 /usr/lib/libldap.so.2(ldap_sasl_bind+0x177) [0x4002d387] #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80] #13 /lib/libnss_ldap.so.2 [0x409ad423] #14 /lib/libnss_ldap.so.2 [0x409acefc] #15 /lib/libnss_ldap.so.2 [0x409ae24a] #16 /lib/libnss_ldap.so.2 [0x409ae81b] #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9] #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c] #19 /lib/tls/libc.so.6(getpwnam+0x91) [0x40234081] #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21] #21 /usr/sbin/smbd(make_server_info_sam+0x59) [0x821e779] #22 /usr/sbin/smbd(make_server_info_guest+0xbb) [0x821eaab] #23 /usr/sbin/smbd [0x821c882] #24 /usr/sbin/smbd [0x821705f] #25 /usr/sbin/smbd [0x80ad98e] #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8] #27 /usr/sbin/smbd [0x80d3306] #28 /usr/sbin/smbd [0x80d3590] #29 /usr/sbin/smbd(process_smb+0x8c) [0x80d379c] #30 
/usr/sbin/smbd(smbd_process+0x168) [0x80d44d8] #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba] #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904] #33 /usr/sbin/smbd [0x8078b41] smbd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertio n `lc->lconn_sasl_ctx == ((void *)0)' failed. Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I have the ldap libraries linked to 2.2? # ll /usr/lib/liblber* lrwxrwxrwx 1 root root21 2005-01-19 15:20 /usr/lib/liblber-2.2.so.7 -> liblber-2.2.so.7.0.13 -rw-r--r-- 1 root root 49712 2005-01-07 14:07 /usr/lib/liblber-2.2.so.7.0.13 -rw-r--r-- 1 root root 62152 2004-07-27 08:07 /usr/lib/liblber.a lrwxrwxrwx 1 root root21 2005-03-22 20:28 /usr/lib/liblber.so -> liblber-2.2.so.7.0.13 lrwxrwxrwx 1 root root21 2005-03-22 20:28 /usr/lib/liblber.so.2 -> liblber-2.2.so.7.0.13 -rw-r--r-- 1 root root 47312 2004-07-27 08:07 /usr/lib/liblber.so.2.0.130 # ll /usr/lib/libldap* lrwxrwxrwx 1 root root 21 2005-01-19 15:20 /usr/lib/libldap-2.2.so.7 -> libldap-2.2.so.7.0.13 -rw-r--r-- 1 root root 209212 2005-01-07 14:07 /usr/lib/libldap-2.2.so.7.0.13 -rw-r--r-- 1 root root 290604 2004-07-27 08:07 /usr/lib/libldap.a lrwxrwxrwx 1 root root 23 2005-01-19 15:20 /usr/lib/libldap_r-2.2.so.7 -> libldap_r-2.2.so.7.0.13 -rw-r--r-- 1 root root 220944 2005-01-07 14:07 /usr/lib/libldap_r-2.2.so.7.0.13 -rw-r--r-- 1 root root 309850 2004-07-27 08:07 /usr/lib/libldap_r.a lrwxrwxrwx 1 root root 23 2005-03-22 20:22 /usr/lib/libldap_r.so
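The question above is answered by reading the backtrace from the outside in: smbd called libc's getpwnam(), which loaded libnss_ldap, and it was libnss_ldap that pulled in the libldap.so.2 whose 2.1.30 cyrus.c assertion fired, so the NSS module's libldap matters here, not the one smbd is linked against. As an added example (my code, not Samba's), the following parses frames in the smb_panic BACKTRACE format posted above and reports the chain of shared objects and the object that first called into a given library; the sample is an excerpt of the posted frames.

```python
"""Read a Samba smb_panic BACKTRACE and attribute the crash to the component
that loaded the faulting library. Added example, not Samba code."""
import re

# Frame forms seen in the posted backtrace:
#   "#7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]"
#   "#2 /usr/sbin/smbd [0x81cc8e8]"      (object without a resolved symbol)
#   "#3 [0xe420]"                        (no object at all, e.g. a vsyscall page)
FRAME_RE = re.compile(
    r"#(\d+)\s+(?:(\S+?)(?:\(([^()+]+)(?:\+0x[0-9a-fA-F]+)?\))?\s+)?\[0x[0-9a-fA-F]+\]")


def parse_frames(text):
    """Return [(frame_no, object_path or '', symbol or '')], innermost first."""
    return sorted((int(n), obj, sym) for n, obj, sym in FRAME_RE.findall(text))


def object_path(frames):
    """Objects traversed from the outermost caller down to the crash site,
    with consecutive frames in the same object collapsed into one entry."""
    path = []
    for _, obj, _ in sorted(frames, reverse=True):
        name = obj or "<no object>"
        if not path or path[-1] != name:
            path.append(name)
    return path


def caller_of(frames, needle):
    """Find the first transition (outermost first) into an object whose path
    contains `needle`. Returns (calling_object, callee_frame) or None."""
    ordered = sorted(frames, reverse=True)
    for prev, cur in zip(ordered, ordered[1:]):
        if needle in cur[1] and needle not in prev[1]:
            return prev[1], cur
    return None


# Excerpt of the posted backtrace: the frames keep their posted form,
# intermediate frames are left out to keep the sample short.
SAMPLE = """\
 #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1]
 #2 /usr/sbin/smbd [0x81cc8e8]
 #3 [0xe420]
 #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
 #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
 #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
 #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
 #13 /lib/libnss_ldap.so.2 [0x409ad423]
 #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
 #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
 #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
 #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8]
 #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba]
 #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904]
 #33 /usr/sbin/smbd [0x8078b41]
"""

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    print(" -> ".join(object_path(frames)))
    hit = caller_of(frames, "libldap.so")
    if hit:
        caller, (no, obj, sym) = hit
        print(f"libldap first entered at frame #{no} ({obj} {sym}) from {caller}")
```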
Re: [Samba] samba, ldap, tls and certificates

Pierre Gambarotto wrote:
| Hello, a little question from a newcomer on this list:
|
| I've deployed samba 3.0.x together with openldap.
|
| In the process of improving the security, I used:
|
|     ldap ssl = start tls
|
| in the smb.conf.
|
| How can I specify to samba where to find the CA certificate?
|
| On my samba server (Debian), samba "magically" finds the
| /etc/ldap/ldap.conf and reads the configuration.
|
| But the targeted platform is Solaris.
| Any hint how to configure samba to use a specific file
| to read its tls configuration?

The start_tls op and hence the CA cert is used by the OpenLDAP client libs. So this is really an OpenLDAP question. The configuration for these libs is the same on solaris and linux. Just depends on what configure options you used when compiling openldap on solaris.

cheers, jerry
--
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key  --- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)

[Samba] samba, ldap, tls and certificates

Hello, a little question from a newcomer on this list:

I've deployed samba 3.0.x together with openldap.

In the process of improving the security, I used:

    ldap ssl = start tls

in the smb.conf.

How can I specify to samba where to find the CA certificate?

On my samba server (Debian), samba "magically" finds the /etc/ldap/ldap.conf and reads the configuration.

But the targeted platform is Solaris. Any hint how to configure samba to use a specific file to read its tls configuration?

Thanks in advance
Pierre

RE: [Samba] Samba Ldap tls/ssl problem

Hi Peter,

as you can see from your logs, your samba server does not like the SSL certificate because it is self signed. If you are using self-signed certificates you must copy some data onto all clients which are going to connect to your server over SSL. Or, as I have done, you can create your own CA authority using OpenSSL, which I think is a cleaner way to configure things; take a look at these instructions, maybe you'll find them helpful: http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

thanks
Andy.

> Hi!
> I know this should be asked on the Openldap mailing list but: I'm trying to
> set up a Samba/ldap environment where the Samba server is separated from
> the ldap server.
[...]
> It works on the ldap server without errors, but on the Samba server I get
> the following error:
>
>     TLS certificate verification: Error, self signed certificate
>     tls_write: want=7, written=7 : 15 03 01 00 02 02 30 ..0
>     TLS trace: SSL3 alert write:fatal:unknown CA
>     TLS trace: SSL_connect:error in SSLv3 read server certificate B
>     TLS trace: SSL_connect:error in SSLv3 read server certificate B
>     TLS: can't connect.
>     ldap_perror
>     ldap_bind: Can't contact LDAP server (81)
>             additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> As you can see, my ldap.conf contains both "ssl start_tls" and
> "tls_cacertfile /usr/local/etc/openldap/server.pem". I created a CA
> certificate called server.pem on the ldap server with the FQDN as
> "Common Name". I simply copied it to the Samba server.
[...]
> I'm very grateful for your answer
>
> Peter Nyberg

[Samba] Samba Ldap tls/ssl problem

Hi!

I know this should be asked on the Openldap mailing list but: I'm trying to set up a Samba/ldap environment where the Samba server is separated from the ldap server. Everything seems to work on the ldap server, and when I do a ldapsearch like this:

    ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x

everything works on both. But when I do:

    ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x

it works on the ldap server without errors, but on the Samba server I get the following error:

    TLS certificate verification: Error, self signed certificate
    tls_write: want=7, written=7 : 15 03 01 00 02 02 30 ..0
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect.
    ldap_perror
    ldap_bind: Can't contact LDAP server (81)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see, my ldap.conf contains both "ssl start_tls" and "tls_cacertfile /usr/local/etc/openldap/server.pem". I created a CA certificate called server.pem on the ldap server with the FQDN as Common Name. I simply copied it to the Samba server. Both my ldap.conf files look like this:

    # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    HOST    130.237.179.25
    BASE    dc=dbb, dc=su, dc=se
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    TLS_CACERT /usr/local/etc/openldap/server.pem

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl start_tls

    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    tls_cacertfile /usr/local/etc/openldap/server.pem
    #tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679
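Added example for this thread and for the SAMBA + LDAP + TLS thread above (my code, not Samba's or OpenLDAP's): a checker that reads the libldap directives from an ldap.conf together with the URI in smb.conf's `passdb backend` and reports whether Samba's LDAP connection will be encrypted and verified, encrypted but unverified (TLS_REQCERT never/allow, which is what the suggested `TLS_REQCERT allow` workaround produces), fail with "certificate verify failed" as in both posted logs (verification demanded but no trust anchor configured), or stay in the clear. It inspects configuration only, not the certificate files themselves, so it cannot tell whether a TLS_CACERT really is the issuer of the server certificate; the sample configs are constructed, modelled on the two posters' setups.

```python
"""Check whether libldap, as used by Samba's ldapsam backend, will verify the
LDAP server's certificate given an ldap.conf and the 'passdb backend' URI.
Added example for these threads; not part of Samba or OpenLDAP."""
from urllib.parse import urlsplit

# libldap keywords that matter here (see ldap.conf(5)). libldap matches
# keywords case-insensitively and silently ignores ones it does not know.
LIBLDAP_KEYWORDS = {
    "URI", "HOST", "PORT", "BASE", "BINDDN", "DEREF", "SIZELIMIT", "TIMELIMIT",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
    "TLS_CIPHER_SUITE", "TLS_CRLCHECK",
}
# pam_ldap/nss_ldap (PADL) directives that often share the file but mean
# nothing to libldap, so they do not configure Samba's TLS behaviour.
PADL_KEYWORDS = {"SSL", "TLS_CACERTFILE", "TLS_CHECKPEER"}


def parse_ldap_conf(text):
    """Return ({KEYWORD: value}, [unrecognised keywords as written]).
    Like libldap, a line is a comment only when its first character is '#'."""
    conf, foreign = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) == 2 else ""
        if key.upper() in LIBLDAP_KEYWORDS:
            conf[key.upper()] = value
        else:
            foreign.append(key)
    return conf, foreign


def passdb_uri(passdb_backend):
    """'ldapsam:ldaps://127.0.0.1:636' -> 'ldaps://127.0.0.1:636'
    (a single URI is assumed; Samba also accepts a quoted list)."""
    _, _, uri = passdb_backend.strip().partition(":")
    return uri.strip().strip('"')


def assess(ldap_conf_text, passdb_backend, start_tls=False):
    """Return (verdict, notes); verdict is 'plaintext', 'fails',
    'encrypted-unverified' or 'verified'. start_tls mirrors the smb.conf
    setting 'ldap ssl = start tls'."""
    conf, foreign = parse_ldap_conf(ldap_conf_text)
    notes = [f"'{k}' is a pam_ldap/nss_ldap directive; libldap ignores it"
             for k in foreign if k.upper() in PADL_KEYWORDS]
    scheme = urlsplit(passdb_uri(passdb_backend)).scheme.lower()
    if scheme == "ldaps":
        notes.append("ldaps://: TLS from the first byte (default port 636)")
    elif scheme == "ldap" and start_tls:
        notes.append("ldap:// with 'ldap ssl = start tls': StartTLS upgrade after connect")
    else:
        notes.append("neither ldaps:// nor 'ldap ssl = start tls': the bind DN "
                     "and password cross the wire in clear")
        return "plaintext", notes
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # libldap's default
    trust_anchor = conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")
    if reqcert in ("never", "allow"):
        notes.append(f"TLS_REQCERT {reqcert}: the session is encrypted but the "
                     "server's identity is never checked, so any certificate, "
                     "including one from an interposed host, is accepted")
        return "encrypted-unverified", notes
    if not trust_anchor:
        notes.append(f"TLS_REQCERT {reqcert} but no TLS_CACERT/TLS_CACERTDIR: no "
                     "chain can be built, so the handshake ends with "
                     "'certificate verify failed' as in the posted logs")
        return "fails", notes
    notes.append(f"TLS_REQCERT {reqcert}, trust anchor {trust_anchor}: the "
                 "server certificate is verified against it")
    return "verified", notes


# Constructed ldap.conf fragments modelled on the threads (not the posters' files).
AS_POSTED = "BASE dc=testserver,dc=com\nURI ldap://127.0.0.1\n"
WORKAROUND = AS_POSTED + "TLS_REQCERT allow\n"      # the suggested quick fix
# A self-signed server certificate is its own issuer, so the certificate
# itself can serve as the trust anchor on the client.
HARDENED = AS_POSTED + ("TLS_CACERT /usr/local/etc/openldap/ssl/server.crt\n"
                        "TLS_REQCERT demand\n")
# libldap and PADL directives side by side, as in the file posted in this thread.
MIXED = ("HOST 130.237.179.25\nTLS_CACERT /usr/local/etc/openldap/server.pem\n"
         "ssl start_tls\ntls_cacertfile /usr/local/etc/openldap/server.pem\n")

if __name__ == "__main__":
    for label, conf, backend in [
        ("as posted", AS_POSTED, "ldapsam:ldap://127.0.0.1"),
        ("ldaps, as posted", AS_POSTED, "ldapsam:ldaps://127.0.0.1:636"),
        ("workaround", WORKAROUND, "ldapsam:ldaps://127.0.0.1:636"),
        ("hardened", HARDENED, "ldapsam:ldaps://127.0.0.1:636"),
        ("mixed", MIXED, "ldapsam:ldaps://l1.dbb.su.se/"),
    ]:
        verdict, notes = assess(conf, backend)
        print(f"{label}: {verdict}")
        for note in notes:
            print("  -", note)
```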