Re: [Samba] SAMBA + LDAP + TLS

2006-10-17 Thread Zach

Samba is a client to slapd, so it needs a properly configured ldap.conf.

On 10/9/06, Net Warrior <[EMAIL PROTECTED]> wrote:

> Ok, thanks I'll try that.
> I did not modify ldap.conf, because I thought that ldap.conf is a client
> setting and not a server setting,



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Net Warrior

Ok, thanks I'll try that.
I did not modify ldap.conf, because I thought that ldap.conf is a client
setting and not a server setting,
I'll try that anyway.
And one more thing:
what's right, like this -> passdb backend = ldapsam:ldap://127.0.0.1,
or like this -> ldaps://127.0.0.1:636 ?

Thanks for your time, very kind of you.

2006/10/9, Guillaume <[EMAIL PROTECTED]>:


Net Warrior wrote:
> Hi there guys, do not know if I should post this here or in the openldap list, sorry
> if I
> disturb you.
>
> I configured samba+ldap as a PDC and by now it's working fine, so, I
> decided to put some security to the stuff.
> The problem is that I could not make it work, here is what I've done.
>
> This is what netstat shows.
>
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
> tcp 0 0 :::389 :::* LISTEN
> tcp 0 0 :::636 :::* LISTEN
>
>
> in slapd.conf I have
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
> VerifyClient demand
>
> I created the certificate like this:
>
> openssl genrsa -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl req -in server.csr -key server.key -x509 -out server.crt
>
>
> openssl s_client -connect localhost:636 -showcerts
>
> CONNECTED(0003)
> ---
> Certificate chain
> 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> -BEGIN CERTIFICATE-
> the garbage
> -END CERTIFICATE-
>
>
> subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1115 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
> Session-ID-ctx:
> Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
>
>
> Key-Arg : None
> Start Time: 1160232704
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
>
> ---
> closed
>
>
> smb.conf
> passdb backend = ldapsam:ldap://127.0.0.1
> Does it have to be ldaps://127.0.0.1:636 ?
>
>
> Is this enough to establish a secure connection? I never see, with
> netstat,
> 636 ESTABLISHED
>
> If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
> how-to's I get
> for example with pdbedit -Lv or trying to login from an XP machine the
> following in the server:
>
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> smbldap_open_connection: connection opened
> failed to bind to server ldaps://127.0.0.1:636 with
> dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> Connection to LDAP server failed for the 1 try!
> and on, and on. and on..
>
> What am I missing?
>
> My clients are XP machines
>
>
> Thanks in advance, sorry for the noise and for my very basic question.

Hi

I think you have a problem because you sign your certificate by yourself.

Just try to put this line in your ldap.conf file, the client config
file... not the slapd.conf!!
-
TLS_REQCERT allow
-

Regards
Guillaume


--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net

Site: http://www.free-4ever.net


Re: [Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Guillaume

Net Warrior wrote:
> Hi there guys, do not know if I should post this here or in the openldap list, sorry
> if I disturb you.
>
> I configured samba+ldap as a PDC and by now it's working fine, so, I
> decided to put some security to the stuff.
> The problem is that I could not make it work, here is what I've done.
>
> This is what netstat shows.
>
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
> tcp 0 0 :::389 :::* LISTEN
> tcp 0 0 :::636 :::* LISTEN
>
> in slapd.conf I have
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
> VerifyClient demand
>
> I created the certificate like this:
>
> openssl genrsa -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl req -in server.csr -key server.key -x509 -out server.crt
>
> openssl s_client -connect localhost:636 -showcerts
>
> CONNECTED(0003)
> ---
> Certificate chain
> 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> -BEGIN CERTIFICATE-
> the garbage
> -END CERTIFICATE-
>
> subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1115 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
> Session-ID-ctx:
> Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
> Key-Arg : None
> Start Time: 1160232704
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> closed
>
> smb.conf
> passdb backend = ldapsam:ldap://127.0.0.1
> Does it have to be ldaps://127.0.0.1:636 ?
>
> Is this enough to establish a secure connection? I never see, with netstat,
> 636 ESTABLISHED
>
> If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
> how-to's I get
> for example with pdbedit -Lv or trying to login from an XP machine the
> following in the server:
>
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> smbldap_open_connection: connection opened
> failed to bind to server ldaps://127.0.0.1:636 with
> dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> Connection to LDAP server failed for the 1 try!
> and on, and on. and on..
>
> What am I missing?
>
> My clients are XP machines
>
> Thanks in advance, sorry for the noise and for my very basic question.


Hi

I think you have a problem because you sign your certificate by yourself.

Just try to put this line in your ldap.conf file, the client config
file... not the slapd.conf!!

-
TLS_REQCERT allow
-

Regards
Guillaume


--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net

Site: http://www.free-4ever.net


[Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Net Warrior

Hi there guys, do not know if I should post this here or in the openldap list, sorry if I
disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so, I
decided to put some security to the stuff.
The problem is that I could not make it work, here is what I've done.

This is what netstat shows.

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN


in slapd.conf I have

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
VerifyClient demand

I created the certificate like this:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl req -in server.csr -key server.key -x509 -out server.crt


openssl s_client -connect localhost:636 -showcerts

CONNECTED(0003)
---
Certificate chain
0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
-BEGIN CERTIFICATE-
the garbage
-END CERTIFICATE-


subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
---
SSL handshake has read 1115 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
Session-ID-ctx:
Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623

Key-Arg : None
Start Time: 1160232704
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

---
closed


smb.conf
passdb backend = ldapsam:ldap://127.0.0.1
Does it have to be ldaps://127.0.0.1:636 ?


Is this enough to establish a secure connection? I never see, with netstat,
636 ESTABLISHED

If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
how-to's I get
for example with pdbedit -Lv or trying to login from an XP machine the
following in the server:

Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
smbldap_open_connection: connection opened
failed to bind to server ldaps://127.0.0.1:636 with
dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Connection to LDAP server failed for the 1 try!
and on, and on. and on..

What am I missing?

My clients are XP machines


Thanks in advance, sorry for the noise and for my very basic question.


Re: [Samba] Samba + LDAP + TLS

2005-10-25 Thread Josh Kelley
On 10/24/05, Jukka Hienola <[EMAIL PROTECTED]> wrote:
> My question is, how changing "passdb backend" from ldap.server.name to
> 127.0.0.1 can have this effect, since the server name should have been
> resolvable with /etc/hosts file? Does it have something to do with my
> certificate files, which are generated using ldap.server.name? However,
> I was able to login with TLS and Apache, so I don't think that's the case.

Some LDAP clients are more or less forgiving of certificate name
mismatches.  OpenLDAP 2.0.27 will work if the name mismatches;
OpenLDAP 2.2.23 won't; IIRC, pam_ldap won't, even if linked against
OpenLDAP 2.0.27 libraries.  So that may explain why some software
works and some doesn't.

Josh Kelley


Re: [Samba] Samba + LDAP + TLS

2005-10-24 Thread Jukka Hienola

Gerald (Jerry) Carter wrote:



Jukka Hienola wrote:

| So, our name server was unavailable this morning due
| to OS update. Division's Samba and LDAP services are
| running on same server, and Samba  is using TLS in
| connecting to LDAP service. Because some of the network
| names were not resolvable, I changed "passdb backend =
| ldapsam:ldap://ldap.server.name/" to "passdb backend =
| ldapsam:ldap://127.0.0.1/" in smb.conf, although I have
| ldap.server.name  also in /etc/hosts, just in case. In
| file /etc/nsswitch.conf  I have line "hosts:  files dns".
| After I restarted Samba, I just couldn't login to
| domain anymore either with any machine or domain user accounts.
| Samba gave me errors like
|
| smbd[1956]: [2005/10/24 11:03:17, 0]
| lib/smbldap.c:smbldap_open_connection(677)
| smbd[1956]:   Failed to issue the StartTLS instruction: Connect error

My immediate guess would be that the connect failed due to
a mismatch in the server name's cert.  Make sure you can
run 'ldapsearch -ZZ -h 127.0.0.1 ...'

Yes I can. Any other way to connect to LDAP service via TLS works fine 
except Samba.


Jukka


Re: [Samba] Samba + LDAP + TLS

2005-10-24 Thread Gerald (Jerry) Carter


Jukka Hienola wrote:

| So, our name server was unavailable this morning due
| to OS update. Division's Samba and LDAP services are
| running on same server, and Samba  is using TLS in
| connecting to LDAP service. Because some of the network
| names were not resolvable, I changed "passdb backend =
| ldapsam:ldap://ldap.server.name/" to "passdb backend =
| ldapsam:ldap://127.0.0.1/" in smb.conf, although I have
| ldap.server.name  also in /etc/hosts, just in case. In
| file /etc/nsswitch.conf  I have line "hosts:  files dns".
| After I restarted Samba, I just couldn't login to
| domain anymore either with any machine or domain user accounts.
| Samba gave me errors like
|
| smbd[1956]: [2005/10/24 11:03:17, 0]
| lib/smbldap.c:smbldap_open_connection(677)
| smbd[1956]:   Failed to issue the StartTLS instruction: Connect error

My immediate guess would be that the connect failed due to
a mismatch in the server name's cert.  Make sure you can
run 'ldapsearch -ZZ -h 127.0.0.1 ...'

cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."   --anonymous


[Samba] Samba + LDAP + TLS

2005-10-24 Thread Jukka Hienola

Hi!

I'm a bit new to Samba+LDAP integration, and most likely because of that 
I experienced this morning something I can't fully understand. I would 
appreciate if someone could explain to me what was really wrong.


So, our name server was unavailable this morning due to OS update. 
Division's Samba and LDAP services are running on same server, and Samba 
is using TLS in connecting to LDAP service. Because some of the network 
names were not resolvable, I changed "passdb backend = 
ldapsam:ldap://ldap.server.name/" to "passdb backend = 
ldapsam:ldap://127.0.0.1/" in smb.conf, although I have ldap.server.name 
also in /etc/hosts, just in case. In file /etc/nsswitch.conf  I have 
line "hosts:  files dns". After I restarted Samba, I just couldn't 
login to domain anymore either with any machine or domain user accounts. 
Samba gave me errors like


smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
smbd[1956]:   Failed to issue the StartTLS instruction: Connect error
smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
smbd[1956]:   Connection to LDAP server failed for the 1 try!
smbd[1956]: [2005/10/24 11:03:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
smbd[1956]:   init_sam_from_ldap: Entry found for user: myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:init_sam_from_ldap(553)
smbd[1956]:   init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
smbd[1956]:   ldapsam_getsampwnam: init_sam_from_ldap failed for user 'myusr'!
smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
smbd[1956]:   check_ntlm_password:  Authentication for user [myusr] -> [myusr] FAILED with error NT_STATUS_NO_SUCH_USER


so I assume that this issue was somehow related to changes I made in 
smb.conf file. At the same time I could login to server using ssh, and 
also e.g. command "smbclient -L ldap.server.name -U myusr" gave me list 
of all available services. Also I could authenticate myself through 
Apache, which also uses TLS to connect to LDAP server.


My question is, how changing "passdb backend" from ldap.server.name to 
127.0.0.1 can have this effect, since the server name should have been 
resolvable with /etc/hosts file? Does it have something to do with my 
certificate files, which are generated using ldap.server.name? However, 
I was able to login with TLS and Apache, so I don't think that's the case.


Thanks in advance,
Jukka Hienola


Re: [Samba] Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

2005-03-23 Thread Tony Earnshaw

Paul Coray:

> Three days ago I switched our domain from a NT 4 domaincontroller to
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the
> following inofficial Debian OpenLDAP 2.2 packages (I know these are not
> supported, but TLS with OpenSSL is essential to us...):
>
> Package: slapd
> Version: 2.2.20-1.hrz.1
>
>
> Package: libldap2.2
> Version: 2.2.20-1.hrz.1
>
>
> Package: ldap-utils
> Version: 2.2.20-1.hrz.1

I'm a Red Hat person and don't know Debian at all... However:

To use OL 2.2 you'll have to have Sleepycat BDB 4.2.52 + patches, too.

> In order to keep apt from lamenting over missing dependencies, i left
> the official libldap2 package on the system, but I made sure, libldap and
> liblber are linked to version 2.2:

[...]

> This LDAP master does replication with slurpd to a slave (Solaris 9,
> SunSparc, with blastwave.org OpenLDAP 2.1.27, linked to OpenSSL,
> pam-ldap and nss-ldap from PADL). This system also is hosting samba backup
> domain control (blastwave.org Samba 3.0.10).
>
> As soon as the LDAP-replication is active, my windows users are
> experiencing problems logging on to the domain, often they only manage to
> log in with locally cached credentials/profiles. I suspect there are
> problems with TLS, as I see a lot of messages like this in the Samba
> machine logs:

[...]

> And, why does this go away as soon as I stop slurpd on the master and
> slapd on the slave?

IIRC OL 2.2 won't replicate (slurpd) to a 2.1 slave and the slave can't
update a 2.2 server.

2.2 compiles fine on Solaris 7/8/9, so the gurus on the OL list say (I've
no experience), as long as one uses GNU gcc and tools. Try to go that way
- and don't forget BDB 4.2.52 (Cyrus SASL if you need it).

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl



[Samba] Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

2005-03-23 Thread Paul Coray
Dear Torsten, dear samba list reader
Three days ago I switched our domain from a NT 4 domain controller to 
Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the 
following unofficial Debian OpenLDAP 2.2 packages (I know these are not 
supported, but TLS with OpenSSL is essential to us...):

Package: slapd
Version: 2.2.20-1.hrz.1
Package: libldap2.2
Version: 2.2.20-1.hrz.1
Package: ldap-utils
Version: 2.2.20-1.hrz.1
In order to keep apt from lamenting over missing dependencies, I left 
the official libldap2 package on the system, but I made sure libldap 
and liblber are linked to version 2.2:

Package: libldap2
Version: 2.1.30-3
Samba domain control (PDC) is running on the same system:
Package: samba
Version: 3.0.10-1
This LDAP master does replication with slurpd to a slave (Solaris 9, 
SunSparc, with blastwave.org OpenLDAP 2.1.27, linked to OpenSSL, 
pam-ldap and nss-ldap from PADL). This system also is hosting samba 
backup domain control (blastwave.org Samba 3.0.10).

As soon as the LDAP-replication is active, my Windows users are 
experiencing problems logging on to the domain, often they only manage 
to log in with locally cached credentials/profiles. I suspect there are 
problems with TLS, as I see a lot of messages like this in the Samba 
machine logs:

[2005/03/23 08:18:44, 0] lib/fault.c:fault_report(36)
  ===
[2005/03/23 08:18:44, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 15289 (3.0.10-Debian)
  Please read the appendix Bugs of the Samba HOWTO collection
[2005/03/23 08:18:44, 0] lib/fault.c:fault_report(39)
  ===
[2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1482)
  PANIC: internal error
[2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1490)
  BACKTRACE: 34 stack frames:
   #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1]
   #1 /usr/sbin/smbd(smb_panic+0x1a) [0x81e04ca]
   #2 /usr/sbin/smbd [0x81cc8e8]
   #3 [0xe420]
   #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
   #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
   #6 /usr/lib/libldap.so.2 [0x4002b12d]
   #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
   #8 /usr/lib/libldap.so.2(ldap_new_connection+0x89) [0x400374c9]
   #9 /usr/lib/libldap.so.2(ldap_open_defconn+0x41) [0x400252a1]
   #10 /usr/lib/libldap.so.2(ldap_send_initial_request+0x8f) [0x4003703f]
   #11 /usr/lib/libldap.so.2(ldap_sasl_bind+0x177) [0x4002d387]
   #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
   #13 /lib/libnss_ldap.so.2 [0x409ad423]
   #14 /lib/libnss_ldap.so.2 [0x409acefc]
   #15 /lib/libnss_ldap.so.2 [0x409ae24a]
   #16 /lib/libnss_ldap.so.2 [0x409ae81b]
   #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
   #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
   #19 /lib/tls/libc.so.6(getpwnam+0x91) [0x40234081]
   #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
   #21 /usr/sbin/smbd(make_server_info_sam+0x59) [0x821e779]
   #22 /usr/sbin/smbd(make_server_info_guest+0xbb) [0x821eaab]
   #23 /usr/sbin/smbd [0x821c882]
   #24 /usr/sbin/smbd [0x821705f]
   #25 /usr/sbin/smbd [0x80ad98e]
   #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8]
   #27 /usr/sbin/smbd [0x80d3306]
   #28 /usr/sbin/smbd [0x80d3590]
   #29 /usr/sbin/smbd(process_smb+0x8c) [0x80d379c]
   #30 /usr/sbin/smbd(smbd_process+0x168) [0x80d44d8]
   #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba]
   #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904]
   #33 /usr/sbin/smbd [0x8078b41]
smbd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.

Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I 
have the ldap libraries linked to 2.2?

# ll /usr/lib/liblber*
lrwxrwxrwx  1 root root     21 2005-01-19 15:20 /usr/lib/liblber-2.2.so.7 -> liblber-2.2.so.7.0.13
-rw-r--r--  1 root root  49712 2005-01-07 14:07 /usr/lib/liblber-2.2.so.7.0.13
-rw-r--r--  1 root root  62152 2004-07-27 08:07 /usr/lib/liblber.a
lrwxrwxrwx  1 root root     21 2005-03-22 20:28 /usr/lib/liblber.so -> liblber-2.2.so.7.0.13
lrwxrwxrwx  1 root root     21 2005-03-22 20:28 /usr/lib/liblber.so.2 -> liblber-2.2.so.7.0.13
-rw-r--r--  1 root root  47312 2004-07-27 08:07 /usr/lib/liblber.so.2.0.130

# ll /usr/lib/libldap*
lrwxrwxrwx  1 root root     21 2005-01-19 15:20 /usr/lib/libldap-2.2.so.7 -> libldap-2.2.so.7.0.13
-rw-r--r--  1 root root 209212 2005-01-07 14:07 /usr/lib/libldap-2.2.so.7.0.13
-rw-r--r--  1 root root 290604 2004-07-27 08:07 /usr/lib/libldap.a
lrwxrwxrwx  1 root root     23 2005-01-19 15:20 /usr/lib/libldap_r-2.2.so.7 -> libldap_r-2.2.so.7.0.13
-rw-r--r--  1 root root 220944 2005-01-07 14:07 /usr/lib/libldap_r-2.2.so.7.0.13
-rw-r--r--  1 root root 309850 2004-07-27 08:07 /usr/lib/libldap_r.a
lrwxrwxrwx  1 root root 23 2005-03-22 20:22 /usr/lib/libldap_r.so 

Re: [Samba] samba, ldap, tls and certificates

2004-11-10 Thread Gerald (Jerry) Carter
Pierre Gambarotto wrote:
| Hello, a little question from a newcomer on this list:
|
| I've deployed samba 3.0.x together with OpenLDAP.
|
| In the process of improving the security, I used :
|
| ldap ssl = start tls
|
| in the smb.conf
|
| How can I specify to samba where to find the CA certificate ?
|
| On my samba server (Debian), samba "magically" finds the
| /etc/ldap/ldap.conf
| and read the configuration.
|
| But the targeted platform is Solaris.
| Any hint how to configure samba to use a specific file
| to read its tls configuration?
The start_tls op and hence the CA cert is used by the
OpenLDAP client libs.  So this is really an OpenLDAP
question.  The configuration for these libs is the same
on solaris and linux.  Just depends on what configure
options you used when compiling openldap on solaris.


cheers, jerry
--
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)


[Samba] samba, ldap, tls and certificates

2004-11-10 Thread Pierre Gambarotto
Hello, a little question from a newcomer on this list:
I've deployed samba 3.0.x together with OpenLDAP.
In the process of improving the security, I used:
ldap ssl = start tls
in the smb.conf.
How can I specify to samba where to find the CA certificate?
On my samba server (Debian), samba "magically" finds the 
/etc/ldap/ldap.conf
and reads the configuration.

But the targeted platform is Solaris.
Any hint how to configure samba to use a specific file to read its 
tls configuration?

Thanks in advance
Pierre


RE: [Samba] Samba Ldap tls/ssl problem

2004-05-27 Thread ww m-pubsyssamba
Hi Peter,

as you can see from your logs your samba server does not like the SSL
certificate because it is self signed. If you are using self signed certificates
you must copy some data onto all clients which are going to connect to your server
over SSL. Or as I have done you can create your own CA authority using OpenSSL which
I think is a cleaner way to configure things, take a look at these instructions, maybe
you'll find them helpful,

http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

thanks Andy.



Hi!
I know this should be asked to the Openldap mailing list but:
I'm trying to set up a Samba/ldap environment where the Samba server is separated
from the ldap server. Everything seems to work on the ldap server and when I do
a ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get the
following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  :  15 03 01 00 02 02 30   ..0   
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see my ldap.conf contains both ssl start_tls and tls_cacertfile
/usr/local/etc/openldap/server.pem.

I created a CA certificate called server.pem on the ldap server with FQDN as
"Common Name". I simply copied it to the Samba server.
Both my ldap.conf files look like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST    130.237.179.25
BASE    dc=dbb, dc=su, dc=se
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never

TLS_CACERT  /usr/local/etc/openldap/server.pem
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/etc/openldap/server.pem
#tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer



Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679





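Added example (not from the thread, nor from the Samba or OpenLDAP projects): a Python audit of the ldap.conf and smb.conf settings these messages turn on, flagging the TLS_REQCERT allow workaround, a missing CA trust anchor, pam_ldap-style keys that libldap (and therefore Samba, as Jerry Carter notes) never reads, and connect-by-IP name mismatches like Jukka's 127.0.0.1 change. The sample configurations are constructed from the ones quoted above; the hostname ldap.server.name, the cacert.pem path and the `ldap ssl = off` line are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# ldap.conf(5): with these TLS_REQCERT values libldap carries on even when the
# server certificate fails verification (self-signed, unknown CA, name mismatch).
WEAK_REQCERT = {"never", "allow", "try"}
# pam_ldap/nss_ldap keys. Samba talks to slapd through libldap, which reads
# TLS_CACERT/TLS_REQCERT and never these, so they protect nothing smbd does.
PAM_LDAP_TLS_KEYS = {"ssl", "tls_cacertfile", "tls_cacertdir", "tls_checkpeer"}
LDAP_URI = re.compile(r"(ldaps?)://([^/:\s]+)(?::\d+)?", re.IGNORECASE)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf: 'KEY value' per line, keys case-insensitive, '#' lines are comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_smb_conf(text: str) -> Dict[str, str]:
    """smb.conf: 'name = value', names matched ignoring case and whitespace as
    Samba does; sections are flattened, enough for the [global] keys checked here."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        conf[re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf


def uri_hosts(value: str) -> List[Tuple[str, str]]:
    """(scheme, host) for every ldap:// or ldaps:// URI inside a config value."""
    return [(scheme.lower(), host) for scheme, host in LDAP_URI.findall(value)]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(ldap_conf_text: str, smb_conf_text: str) -> List[str]:
    """One finding per weakness; an empty list means nothing obvious is wrong."""
    ldap = parse_ldap_conf(ldap_conf_text)
    smb = parse_smb_conf(smb_conf_text)
    findings: List[str] = []
    reqcert = ldap.get("tls_reqcert", "demand").lower()  # 'demand' is libldap's default
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: verification failures are ignored, so the "
                        "link is encrypted but the LDAP server is never authenticated")
    if not (ldap.get("tls_cacert") or ldap.get("tls_cacertdir")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: without a trust anchor a self-signed "
                        "or private-CA server certificate can never verify")
    ignored = sorted(key for key in ldap if key in PAM_LDAP_TLS_KEYS)
    if ignored:
        findings.append("pam_ldap-style keys libldap (hence Samba) ignores: " + ", ".join(ignored))
    # smbd connects to the 'passdb backend' URI; 'ldap ssl' (default 'start tls') governs StartTLS.
    smb_hosts = uri_hosts(smb.get("passdbbackend", ""))
    if smb.get("ldapssl", "start tls").lower() == "off":
        for scheme, host in smb_hosts:
            if scheme == "ldap":
                findings.append(f"ldap://{host} with 'ldap ssl = off': the bind DN and "
                                "password cross the wire in clear")
    client_hosts = uri_hosts(ldap.get("uri", "")) + [("ldap", h) for h in ldap.get("host", "").split()]
    for scheme, host in smb_hosts + client_hosts:
        if is_ip_literal(host):
            findings.append(f"{scheme}://{host}: certificates name a host, not an "
                            "address, so a client that checks the name will reject this")
    return findings


# Constructed from the thread: Peter Nyberg's ldap.conf plus the TLS_REQCERT line suggested
# to Net Warrior, and Net Warrior's backend line; 'ldap ssl = off' is an assumption.
WEAK_LDAP_CONF = """\
HOST    130.237.179.25
TLS_CACERT  /usr/local/etc/openldap/server.pem
TLS_REQCERT allow
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/server.pem
"""
WEAK_SMB_CONF = "[global]\n   passdb backend = ldapsam:ldap://127.0.0.1\n   ldap ssl = off\n"

# Hardened counterpart: connect by the name on the certificate, trust its CA, keep 'demand'.
STRONG_LDAP_CONF = """\
URI         ldap://ldap.server.name/
TLS_CACERT  /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
"""
STRONG_SMB_CONF = "[global]\n   passdb backend = ldapsam:ldap://ldap.server.name/\n   ldap ssl = start tls\n"

if __name__ == "__main__":
    print("weak:", *audit(WEAK_LDAP_CONF, WEAK_SMB_CONF), sep="\n  - ")
    print("hardened:", *(audit(STRONG_LDAP_CONF, STRONG_SMB_CONF) or ["no findings"]), sep="\n  - ")
```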


[Samba] Samba Ldap tls/ssl problem

2004-05-27 Thread Peter Nyberg
Hi!
I know this should be asked to the Openldap mailing list but:
I'm trying to set up a Samba/ldap environment where the Samba server is separated
from the ldap server. Everything seems to work on the ldap server and when I do
a ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get the
following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  :  15 03 01 00 02 02 30   ..0   
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see my ldap.conf contains both ssl start_tls and tls_cacertfile
/usr/local/etc/openldap/server.pem.

I created a CA certificate called server.pem on the ldap server with FQDN as
"Common Name". I simply copied it to the Samba server.
Both my ldap.conf files look like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST    130.237.179.25
BASE    dc=dbb, dc=su, dc=se
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never

TLS_CACERT  /usr/local/etc/openldap/server.pem
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/etc/openldap/server.pem
#tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer



Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679




