Jose Gilberto Torres
2006-Jul-18 18:39 UTC
[Samba] Weird startup problems TLS & SSL openldap and samba 3.0.23
Hello,
I am kind of confused with this situation. I am attempting to build a
PDC using TLS/SSL with the following version of software.
Samba 3.0.23
OpenLDAP 2.3.19
Fedora Core 5
When I startup the Samba server via the "service" command (service smb
start) I get the following errors in my logs.
Using SSL:
Jul 13 09:52:34 prism smbd[23161]: smbldap_search_suffix: Problem during the LDAP search: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (Time limit exceeded)
Jul 13 09:52:34 prism smbd[23161]: [2006/07/13 09:52:34, 0]
lib/smbldap.c:smb_ldap_start_tls(546)
Jul 13 09:52:34 prism smbd[23161]: Failed to issue the StartTLS instruction: Can't contact LDAP server
Using TLS
Jul 18 10:32:09 prism smbd[7441]: [2006/07/18 10:32:09, 0]
lib/smbldap.c:smb_ldap_start_tls(612)
Jul 18 10:32:09 prism smbd[7441]: Failed to issue the StartTLS instruction: Connect error
But when I start up Samba by issuing this command, "/etc/init.d/smb
start", it works. Is this a bug in the "service" command? Did I
misconfigure something? Is there anything I can try to debug this
problem? I've included the configuration files for samba and ldap.
I've hidden the actual hostname and DIT. Thanks!
/etc/openldap/ldap.conf
**********************
URI ldaps://yyyy.com <-
BASE dc=xxxx,dc=xxxx,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/ca.crt
TLS_CERT /etc/openldap/server.crt
TLS_KEY /etc/openldap/server.key
/etc/openldap/slap.conf
******************
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix dc=xxxx,dc=xxxx,dc=com
rootdn "cn=Manager,dc=xxxx,dc=xxxx,dc=com"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory /var/lib/ldap
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index objectClass eq
index memberUid eq,subinitial
index mail eq,subinitial
index givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
#Access to read the root DSE (DSA [Directory System Agent] Specific Entry)
access to dn.base=""
by self write
by * auth
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
by anonymous auth
security tls=1
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand
/etc/ldap.conf
***********
uri ldap://yyyy.com
host yyyy.com
port 389
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile /etc/openldap/ca.crt
base dc=xxxx,dc=xxxx,dc=com
binddn cn=Manager,dc=xxxx,dc=xxxx,dc=com
bindpw TTTTT
nss_base_passwd ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_passwd ou=Computers,dc=xxxx,dc=xxxx,dc=com?one
nss_base_shadow ou=Users,dc=xxxx,dc=xxxx,dc=com?one
nss_base_group ou=Groups,dc=xxxx,dc=xxxx,dc=com?one
nss_base_hosts ou=Hosts,dc=xxxx,dc=xxxx,dc=com?one
pam_password md5
/etc/samba/smb.conf - Just the global portion.
***********************************
[global]
# Your Workgroup Name
workgroup = TEST-PURPLE
# Server name
netbios name = TEST-PURPLE
passdb backend = ldapsam:ldap://yyyy.com
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
enable privileges = yes
#Domain Controller setup
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
show add printer wizard = Yes
#OpenLdap
ldap suffix = dc=xxxx,dc=xxxx,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=xxxx,dc=xxxx,dc=com
ldap passwd sync = Yes
ldap ssl = start_tls
# ldap ssl = on
idmap uid = 15000-20000
idmap gid = 15000-20000
Jose Gilberto Torres
2006-Jul-21 18:09 UTC
[Samba] Weird startup problems TLS & SSL openldap and samba 3.0.23
Finally figured it out. I have to start up nscd. I guess nscd is required.
Jose