Hello List, I am attempting to resolve a problem with my samba / ldap setup when a user attempts to change their samba password. I am running smbd version: 3.0.22 on RHEL4. When a user attempts to change their windows password the following shows up in the smbd.log file: ldapsam_modify_entry: LDAP Password could not be changed for user sland: Confidentiality required Operation requires a secure connection. Since my ldap server is setup with ldaps using a self-signed certificate I figured all I need to do is turn ssl on with: ldap ssl = on and the passdb backend set with "ldap://host" but that still returned the same error messages in the log. Next I tried changing the passdb backend to use "ldaps://host" but then I started getting the following message in the log: LDAP error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Time limit exceeded) and using: openssl s_client -connect server-cert:636 -showcerts -state ends with: Verify return code: 19 (self signed certificate in certificate chain) Which works ok with /etc/ldap.conf by turning off certificate checking. So I am not sure which way to go at this point. Since the ldap authentication for the operating system works through ldaps with no problem, I have it set to not verify the certificate in ldap.conf, then it seems I need to be able to tell samba to not verify the certificate? I looked through the docs and did not see a parameter for that. Is there such a parameter. Any ideas or suggestions? TIA -- Jim Summers School of Computer Science-University of Oklahoma -------------------------------------------------
UPDATE: I just finished troubleshooting a login problem with the user from the password change problem below. He could not login today. It eventually was discovered that he could login with the new password he was changing to when the messages below were being generated. We did not think the password change was successful because on the windows machine he is using he was getting errors during the transaction yesterday. So it appears that smbd is not handling the return code from the self-signed properly or it needs to be able to ignore the verification somehow similar to how the /etc/ldap.conf / openldap does. Ideas / Suggestions? Thanks Jim Summers wrote:> Hello List, > > I am attempting to resolve a problem with my samba / ldap setup when a > user attempts to change their samba password. I am running smbd > version: 3.0.22 on RHEL4. When a user attempts to change their windows > password the following shows up in the smbd.log file: > > ldapsam_modify_entry: LDAP Password could not be changed for user sland: > Confidentiality required > Operation requires a secure connection. > > Since my ldap server is setup with ldaps using a self-signed certificate > I figured all I need to do is turn ssl on with: > > ldap ssl = on > > and the passdb backend set with "ldap://host" > > but that still returned the same error messages in the log. > > Next I tried changing the passdb backend to use "ldaps://host" > > but then I started getting the following message in the log: > LDAP error: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Time > limit exceeded) > > and using: openssl s_client -connect server-cert:636 -showcerts -state > > ends with: Verify return code: 19 (self signed certificate in > certificate chain) > > Which works ok with /etc/ldap.conf by turning off certificate checking. > > So I am not sure which way to go at this point. Since the ldap > authentication for the operating system works through ldaps with no > problem, I have it set to not verify the certificate in ldap.conf, then > it seems I need to be able to tell samba to not verify the certificate? > I looked through the docs and did not see a parameter for that. Is > there such a parameter. > > Any ideas or suggestions? > > TIA-- Jim Summers School of Computer Science-University of Oklahoma -------------------------------------------------