Antoine Jacoutot
2003-Oct-14 09:25 UTC
[Samba] smbldap_search_suffix: certificate verify failed
Hi :)

I'm using samba-3.0 with LDAP as a PDC under FreeBSD-5.1. Note that I compiled samba --with-ldap, not --with-ldapsam.

I'm having a strange problem with TLS ldap certificates. If I set the following option in smb.conf: "ldap ssl = start_tls", I get errors like this:

$ pdbedit -L
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Connect error)
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Connect error)
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP Server failed for the 7 try!
smbldap_search_suffix: Problem during the LDAP search: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Connect error)
ldapsam_setsampwent: LDAP search failed: Connect error

nss_ldap and pam_ldap both work well using TLS.

For your information, here is my configuration concerning TLS in:

slapd.conf -->
TLSCertificateFile /usr/local/etc/openldap/ldap.cert
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.key
TLSCACertificateFile /usr/local/etc/openldap/ca.cert

ldap.conf -->
BASE dc=domain, dc=com
URI ldap://server.domain.com
TLS_CACERT /usr/local/etc/openldap/ca.cert

smb.conf -->
ldap passwd sync = yes
passdb backend = ldapsam:ldap://server.domain.com guest
ldap machine suffix = ou=Computers,dc=domain,dc=com
ldap user suffix = ou=People,dc=domain,dc=com
ldap group suffix = ou=Groups,dc=domain,dc=com
ldap suffix = "dc=domain,dc=com"
ldap admin dn = "cn=Manager,dc=domain,dc=com"
ldap ssl = start_tls

I get no error using ldapsearch, so I really think this is a Samba problem. If I set the option "ldap ssl = no", then everything works fine.

If you have any idea concerning this issue, I would really appreciate it.

Thanks.
Regards.

Antoine
Antoine Jacoutot
2003-Oct-14 10:32 UTC
[Samba] smbldap_search_suffix: certificate verify failed
On Tue, 2003-10-14 at 11:32, jean-marc pouchoulon wrote:
> Just a stupid idea :
> passdb backend = ldapsam:ldaps://server.domain.com guest
> Instead of
> passdb backend = ldapsam:ldap://server.domain.com guest

No no ! I'm using the start_tls option. But anyway, I found the problem, there seemed to be an error with my server certificate; I re-created all certificates and it now works great :)

Antoine
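
The checks a TLS client makes on the server certificate can be run offline against the files named in the first post. This is an added example, not part of the thread: the function name check_ldap_cert is made up here, and it assumes an openssl binary that supports x509 -checkhost.

```shell
#!/bin/sh
# Added example: offline version of the checks a TLS client makes on the
# LDAP server certificate. check_ldap_cert is a name made up for this example.
# usage: check_ldap_cert CA_FILE SERVER_CERT HOSTNAME
check_ldap_cert() {
    ca=$1 cert=$2 host=$3 rc=0

    # 1. Chain: was the server certificate issued by the CA the client
    #    trusts (TLS_CACERT in ldap.conf)? A failure of check 1 or 2 is what
    #    OpenSSL reports as "certificate verify failed".
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:    ok"
    else
        echo "chain:    FAILED ($cert does not verify against $ca)"
        rc=1
    fi

    # 2. Validity period: -checkend 0 fails if the certificate has expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expiry:   ok"
    else
        echo "expiry:   FAILED (expired or unreadable)"
        rc=1
    fi

    # 3. Name: the certificate must cover the host name used in the LDAP URI.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
            grep -q "does match"; then
        echo "hostname: ok"
    else
        echo "hostname: FAILED (certificate does not cover $host)"
        rc=1
    fi

    # Show subject and issuer, to spot a certificate signed by a different CA.
    openssl x509 -in "$cert" -noout -subject -issuer 2>/dev/null || :
    return $rc
}

# Run directly with three arguments, e.g. the paths from the first post:
#   sh check.sh /usr/local/etc/openldap/ca.cert \
#               /usr/local/etc/openldap/ldap.cert server.domain.com
if [ "$#" -eq 3 ]; then
    check_ldap_cert "$@"
fi
```

Against a live server, openssl s_client -connect server.domain.com:389 -starttls ldap -CAfile /usr/local/etc/openldap/ca.cert reports the same verify result, in OpenSSL builds that support the ldap StartTLS mode.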