Jose Gilberto Torres
2006-Jul-18 18:39 UTC
[Samba] Weird startup problems TLS & SSL openldap and samba 3.0.23
Hello,

I am kind of confused with this situation. I am attempting to build a PDC using TLS/SSL with the following versions of software:

Samba 3.0.23
OpenLDAP 2.3.19
Fedora Core 5

When I start up the Samba server via the "service" command (service smb start) I get the following errors in my logs.

Using SSL:

Jul 13 09:52:34 prism smbd[23161]: smbldap_search_suffix: Problem during the LDAP search: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (Time limit exceeded)
Jul 13 09:52:34 prism smbd[23161]: [2006/07/13 09:52:34, 0] lib/smbldap.c:smb_ldap_start_tls(546)
Jul 13 09:52:34 prism smbd[23161]: Failed to issue the StartTLS instruction: Can't contact LDAP server

Using TLS:

Jul 18 10:32:09 prism smbd[7441]: [2006/07/18 10:32:09, 0] lib/smbldap.c:smb_ldap_start_tls(612)
Jul 18 10:32:09 prism smbd[7441]: Failed to issue the StartTLS instruction: Connect error

But when I start up Samba by issuing the command "/etc/init.d/smb start", it works. Is this a bug in the "service" command? Did I misconfigure something? Is there anything I can try to debug this problem? I've included the configuration files for samba and ldap. I've hidden the actual hostname and DIT. Thanks!
/etc/openldap/ldap.conf
**********************
URI ldaps://yyyy.com <-
BASE dc=xxxx,dc=xxxx,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/ca.crt
TLS_CERT /etc/openldap/server.crt
TLS_KEY /etc/openldap/server.key

/etc/openldap/slap.conf
******************
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix dc=xxxx,dc=xxxx,dc=com
rootdn "cn=Manager,dc=xxxx,dc=xxxx,dc=com"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory /var/lib/ldap

index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index objectClass eq
index memberUid eq,subinitial
index mail eq,subinitial
index givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

#Access to read the root DSE (DSA [Directory System Agent] Specific Entry)
access to dn.base=""
        by self write
        by * auth
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
        by anonymous auth

security tls=1
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand

/etc/ldap.conf
***********
uri ldap://yyyy.com
host yyyy.com
port 389
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile /etc/openldap/ca.crt
base dc=xxxx,dc=xxxx,dc=com
binddn cn=Manager,dc=xxxx,dc=xxxx,dc=com
bindpw TTTTT
nss_base_passwd ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_passwd ou=Computers,dc=xxxx,dc=xxxx,dc=com?one
nss_base_shadow ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_group ou=Groups,dc=xxxx,dc=xxxx,dc=com?one
nss_base_hosts ou=Hosts,dc=xxxx,dc=xxxx,dc=com?one
pam_password md5

/etc/samba/smb.conf - Just the global portion.
***********************************
[global]
# Your Workgroup Name
workgroup = TEST-PURPLE
# Server name
netbios name = TEST-PURPLE
passdb backend = ldapsam:ldap://yyyy.com
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
enable privileges = yes
#Domain Controller setup
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
show add printer wizard = Yes
#OpenLdap
ldap suffix = dc=xxxx,dc=xxxx,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=xxxx,dc=xxxx,dc=com
ldap passwd sync = Yes
ldap ssl = start_tls
# ldap ssl = on
idmap uid = 15000-20000
idmap gid = 15000-20000
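The errors in the post come out of the TLS negotiation between smbd (and nss_ldap) and slapd, so the settings in the client-side files and in slapd.conf have to be satisfiable together before looking elsewhere. The following is an added example, not code from the post, from Samba or from OpenLDAP: a small Python checker that parses configs shaped like the ones above and flags combinations that cannot all hold at once, such as StartTLS requested on an ldaps:// URI, or `TLSVerifyClient demand` on the server with no client certificate configured on the client. The embedded samples are constructed copies of the posted settings (redacted the same way), and the finding codes are this example's own names.

```python
"""Cross-check the TLS settings of an OpenLDAP client, slapd and Samba.

Added example: the configs below are constructed to mirror the settings in
the post (hostnames and DIT redacted as in the post); they are not the
poster's files, and the finding codes are this example's own names.
"""
import re

# Constructed sample: /etc/openldap/ldap.conf (OpenLDAP client library defaults)
OPENLDAP_CONF = """\
URI ldaps://yyyy.com
BASE dc=xxxx,dc=xxxx,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/ca.crt
TLS_CERT /etc/openldap/server.crt
TLS_KEY /etc/openldap/server.key
"""

# Constructed sample: TLS-relevant part of /etc/openldap/slapd.conf
SLAPD_CONF = """\
security tls=1
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand
"""

# Constructed sample: /etc/ldap.conf (nss_ldap / pam_ldap)
NSS_LDAP_CONF = """\
uri ldap://yyyy.com
ssl start_tls
tls_reqcert demand
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile /etc/openldap/ca.crt
"""

# Constructed sample: LDAP-relevant lines of the smb.conf [global] section
SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://yyyy.com
ldap ssl = start_tls
# ldap ssl = on
"""


def parse_space_separated(text):
    """Parse 'KEY value' lines (ldap.conf / slapd.conf style); keys lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_smb_conf(text):
    """Parse 'key = value' lines of smb.conf; section headers and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def check_tls_consistency(openldap_text, slapd_text, nss_text, smb_text):
    """Return (code, message) findings for TLS settings that cannot all hold at once."""
    openldap = parse_space_separated(openldap_text)
    slapd = parse_space_separated(slapd_text)
    nss = parse_space_separated(nss_text)
    smb = parse_smb_conf(smb_text)
    findings = []

    # StartTLS is negotiated inside a plain ldap:// session (389); ldaps:// is
    # TLS from the first byte (636). Requesting both on one URI cannot work.
    smb_mode = smb.get("ldap ssl", "").lower()
    m = re.search(r"ldapsam:(ldaps?://\S+)", smb.get("passdb backend", ""))
    backend_uri = m.group(1) if m else ""
    if smb_mode == "start_tls" and backend_uri.startswith("ldaps://"):
        findings.append(("STARTTLS_ON_LDAPS",
                         "smb.conf: 'ldap ssl = start_tls' with an ldaps:// passdb URI"))
    if nss.get("ssl", "").lower() == "start_tls" and nss.get("uri", "").startswith("ldaps://"):
        findings.append(("STARTTLS_ON_LDAPS", "/etc/ldap.conf: 'ssl start_tls' with an ldaps:// uri"))

    # The library default URI should match the mode the daemons use, otherwise
    # command-line tools run without -H behave differently from smbd/nss_ldap.
    default_scheme = openldap.get("uri", "").split("://")[0]
    app_modes = {smb_mode, nss.get("ssl", "").lower()}
    if default_scheme == "ldaps" and "start_tls" in app_modes:
        findings.append(("DEFAULT_URI_MISMATCH",
                         "/etc/openldap/ldap.conf defaults to ldaps:// while nss_ldap/Samba use StartTLS on ldap://"))

    # TLSVerifyClient demand: slapd aborts the handshake when the client presents
    # no certificate, so every client-side config needs a cert and a key.
    if slapd.get("tlsverifyclient", "never").lower() == "demand":
        for name, conf in (("/etc/openldap/ldap.conf", openldap), ("/etc/ldap.conf", nss)):
            if "tls_cert" not in conf or "tls_key" not in conf:
                findings.append(("MISSING_CLIENT_CERT",
                                 f"{name}: slapd demands a client certificate but no cert/key is configured"))

    # TLS_REQCERT demand needs a CA to validate the server chain against.
    if openldap.get("tls_reqcert", "").lower() == "demand" \
            and not (openldap.get("tls_cacert") or openldap.get("tls_cacertdir")):
        findings.append(("MISSING_CA", "/etc/openldap/ldap.conf: TLS_REQCERT demand without TLS_CACERT"))

    # Reusing slapd's key pair as the client identity works, but a dedicated
    # client certificate can be revoked and audited independently of the server.
    if openldap.get("tls_key") and openldap.get("tls_key") == slapd.get("tlscertificatekeyfile"):
        findings.append(("SHARED_KEYPAIR",
                         "client TLS_KEY is slapd's TLSCertificateKeyFile; consider a dedicated client certificate"))
    return findings


if __name__ == "__main__":
    for code, msg in check_tls_consistency(OPENLDAP_CONF, SLAPD_CONF, NSS_LDAP_CONF, SMB_CONF):
        print(f"{code}: {msg}")
```

Run against the posted settings the checker reports only the ldaps:// default URI in /etc/openldap/ldap.conf (the line the poster marked with an arrow) and the shared server key pair; the client certificate that `TLSVerifyClient demand` requires is present in both client files, which is consistent with the handshake succeeding when smbd is started directly.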
Jose Gilberto Torres
2006-Jul-21 18:09 UTC
[Samba] Weird startup problems TLS & SSL openldap and samba 3.0.23
Finally figured it out. I have to start up nscd. I guess nscd is required.

Jose

> Hello,
> I am kind of confused with this situation. I am attempting to build a
> PDC using TLS/SSL with the following versions of software.
>
> Samba 3.0.23
> OpenLDAP 2.3.19
> Fedora Core 5
>
> When I start up the Samba server via the "service" command (service smb
> start) I get the following errors in my logs.
>
> Using SSL:
>
> Jul 13 09:52:34 prism smbd[23161]: smbldap_search_suffix: Problem
> during the LDAP search: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure (Time limit
> exceeded)
> Jul 13 09:52:34 prism smbd[23161]: [2006/07/13 09:52:34, 0]
> lib/smbldap.c:smb_ldap_start_tls(546)
> Jul 13 09:52:34 prism smbd[23161]: Failed to issue the StartTLS
> instruction: Can't contact LDAP server
>
> Using TLS
>
> Jul 18 10:32:09 prism smbd[7441]: [2006/07/18 10:32:09, 0]
> lib/smbldap.c:smb_ldap_start_tls(612)
> Jul 18 10:32:09 prism smbd[7441]: Failed to issue the StartTLS
> instruction: Connect error
>
> But when I start up Samba issuing this command "/etc/init.d/smb start",
> it works. Is this a bug in the "service" command? Did I
> misconfigure something? Is there anything I can try to debug this
> problem? I've included the configuration files for samba and ldap.
> I've hidden the actual hostname and DIT. Thanks!