Hi,

I'm using openldap 2.0.23 and samba 2.2.4 on a Redhat 7.2 Linux distrib. I've compiled with ldap support and it works fine in clear mode. I've configured unix auth. in order to use ldap in TLS mode, and it works also.

When I try to use TLS mode (or SSL on 636), it doesn't work. LDAP doesn't seem to have an error (see logs below), but samba says "Failed to issue the StartTLS instruction: Connect error".

Any idea???
Do I have to use the "--with-ssl" option? It says no.

##############################################
LDAP CONF:
--------------------------

########################
# certificates and keys

TLSCertificateKeyFile /opt/openldap/pem/ldapuckey.pem
TLSCertificateFile /opt/openldap/pem/ldapcert.pem
TLSCACertificateFile /opt/openldap/pem/demoCA/cacert.pem

##############################################
SMB CONF:
--------------------------

# LDAP:
ldap server = obiwan
ldap port = 389
ldap suffix = "ou=samba, dc=obiwan,dc=fr"

# LDAP SSL:
ldap ssl = no

# Root LDAP
ldap admin dn = "cn=Manager,dc=obiwan,dc=fr"

##############################################
SAMBA LOGS
--------------------------

[2002/05/17 16:24:16, 0] passdb/pdb_ldap.c:ldap_open_connection(120)
  Failed to issue the StartTLS instruction: Connect error
[2002/05/17 16:24:16, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'lblin' in passdb.
[2002/05/17 16:24:16, 2] smbd/reply.c:reply_sesssetup_and_X(963)
  NT Password did not match for user 'lblin'!
#############################################
LDAP LOGS:
-------------------------

ldap_pvt_gethostbyname_a: host=obiwan, r=0
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
Sorry for replying to my own question, but I've found that, in SSL mode, LDAP says:

LDAP LOGS:
-------------------

ldap_pvt_gethostbyname_a: host=obiwan, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634
connection_read(10): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=10 for close
connection_close: conn=1 sd=10

SMB LOGS:
------------------

[2002/05/17 16:50:17, 0] passdb/pdb_ldap.c:ldap_open_connection(130)
  Failed to setup a TLS session
[2002/05/17 16:50:17, 2] passdb/pdb_ldap.c:ldap_open_connection(143)
  ldap_open_connection: connection opened
[2002/05/17 16:50:17, 10] passdb/pdb_ldap.c:ldap_connect_system(167)
  ldap_connect_system: Binding to ldap server as "cn=Manager,dc=obiwan,dc=fr"
[2002/05/17 16:50:17, 0] passdb/pdb_ldap.c:ldap_connect_system(173)
  Bind failed: Can't contact LDAP server
[2002/05/17 16:50:17, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'lblin' in passdb.
[2002/05/17 16:50:17, 2] smbd/reply.c:reply_sesssetup_and_X(963)
  NT Password did not match for user 'lblin'!
[2002/05/17 16:50:17, 2] smbd/reply.c:reply_sesssetup_and_X(973)
  Defaulting to Lanman password for lblin
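The two slapd traces above tell different stories: in the first the server completes the handshake and the failure is reported only by the client, in the second the server rejects the first bytes as "unknown protocol", meaning no TLS ClientHello ever arrived. The following triage script is an added example, not part of the thread; its sample log is a constructed excerpt modelled on the lines quoted above and assigns one verdict per connection id.

```python
import re

# Constructed excerpt modelled on the slapd -d traces quoted in the thread (not the
# poster's log): connid=0 completes StartTLS; connid=1 gets non-TLS bytes on ldaps.
SAMPLE_SLAPD_LOG = """\
connection_get(9): got connid=0
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 write finished A
connection_get(10): got connid=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634
connection_read(10): TLS accept error error=-1 id=1, closing
"""

CONNID_RE = re.compile(r"connection_get\(\d+\): got connid=(\d+)")  # repeats per read
MARKERS = (  # substring of a trace line -> flag recorded for the current connection
    ("tag=120 err=0", "starttls_ok"),       # 0x78 extendedResp: StartTLS accepted
    ("SSL_accept:before/accept initialization", "handshake_started"),
    ("SSL_accept:SSLv3 write finished A", "handshake_done"),  # server's last flight
    ("unknown protocol", "non_tls_bytes"),  # SSL23_GET_CLIENT_HELLO saw cleartext
    ("TLS accept error", "accept_error"),
)
# Checked in order, first hit wins. Server-side view: what the admin should look at.
VERDICTS = (
    ("handshake_done", "tls_established", "slapd finished; a client 'Connect error' is client-side"),
    ("non_tls_bytes", "non_tls_client_hello", "cleartext hit a TLS listener; client never started TLS"),
    ("accept_error", "tls_accept_failed", "handshake began but failed; check certs and CA trust"),
    ("starttls_ok", "starttls_accepted_no_handshake", "StartTLS accepted, no handshake followed"),
)

def verdict(flags):
    for flag, name, why in VERDICTS:
        if flag in flags:
            return name, why
    return "plaintext_only", "no TLS attempted on this connection"

def triage_slapd_log(text):
    """Map each connid in a slapd trace to (verdict, explanation)."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONNID_RE.search(line)
        if m:
            current = int(m.group(1))
            conns.setdefault(current, set())
            continue
        for marker, flag in MARKERS:
            if current is not None and marker in line:
                conns[current].add(flag)
    return {cid: verdict(f) for cid, f in conns.items()}
```

Run against a full `slapd -d` capture the same way; a `tls_established` verdict paired with a client-side "Connect error" is the pattern that points away from slapd and the certificates and toward the client library, which is where this thread ended up.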
For the life of me, this works at my home where I set it up. But at work where I also set this up, I can't get it to do SSL. Weird.

On Fri, 17 May 2002, Laurent BLIN wrote:

> Hi,
>
> I'm using openldap 2.0.23 and samba 2.2.4 on a Redhat 7.2 Linux distrib.
>
> I've compiled with ldap support and it works fine in clear mode. I've
> configured unix auth. in order to use ldap in TLS mode, and it works also.
>
> When I try to use TLS mode (or SSL on 636), it doesn't work. LDAP
> doesn't seem to have an error (see logs below), but samba says "Failed
> to issue the StartTLS instruction: Connect error".
>
> Any idea???
> Do I have to use the "--with-ssl" option? It says no.
I've resolved my problem, compiling samba with the "-g" option in order to use gdb. The problem was that samba was detecting ldap v2 on my ldap server, and couldn't set it to ldapv3. Actually, the dynamic libraries used by samba are located in /lib, and not /usr/lib. And under /lib, there were old (!!) dynamic libraries (from 1998!!!). I just copied /openldap/lib/* to /lib, and both SSL and TLS are working.

I saw in some howto that I had to copy openldap/lib/* and openldap/include/* to /usr/lib and /usr/include... One should also copy the files to /lib, or configure samba to use /usr/lib!

Laurent
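The root cause above is a dynamic-loader problem, not an LDAP or TLS one: smbd was running against stale libldap/liblber copies in /lib rather than the freshly built ones. The check below is an added example, not from the thread; it parses `ldd` output and flags LDAP libraries that resolve outside the directory you expect. The ldd text is constructed and /opt/openldap/lib is an assumed install prefix.

```python
import re

# Constructed ldd output modelled on the situation in the thread (not the poster's
# own output): libldap/liblber resolve from /lib, shadowing the copies under the
# OpenLDAP prefix. /opt/openldap/lib below is an assumed install location.
SAMPLE_LDD = """\
	libldap.so.2 => /lib/libldap.so.2 (0x40020000)
	liblber.so.2 => /lib/liblber.so.2 (0x40050000)
	libssl.so.2 => /lib/libssl.so.2 (0x40060000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

# "<soname> => <resolved path> (<load address>)"; "not found" entries carry no path
# and are deliberately skipped so only libraries the loader would really map count.
LDD_RE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)\s+\(0x[0-9a-fA-F]+\)", re.M)

def resolved_libs(ldd_output):
    """soname -> path the dynamic loader actually picked for this binary."""
    return {m.group(1): m.group(2) for m in LDD_RE.finditer(ldd_output)}

def shadowed_libs(ldd_output, expected_dir, names=("libldap", "liblber")):
    """Libraries whose soname starts with one of `names` but which resolve outside
    expected_dir: the stale-copy situation the thread describes."""
    want = expected_dir.rstrip("/") + "/"
    return {so: path for so, path in resolved_libs(ldd_output).items()
            if so.startswith(names) and not path.startswith(want)}

def report(ldd_output, expected_dir):
    """Human-readable verdict; an unpatched 1998-era library inside an
    authentication daemon is a security problem, not just a version mismatch."""
    bad = shadowed_libs(ldd_output, expected_dir)
    if not bad:
        return "ok: LDAP libraries resolve under %s" % expected_dir
    return "\n".join("%s resolved from %s, expected a copy under %s"
                     % (so, path, expected_dir) for so, path in sorted(bad.items()))
```

Feed it the output of `ldd` run on the smbd binary you actually start, with the directory you built OpenLDAP into; anything flagged is what the loader would map regardless of what `configure` was pointed at.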