Graham Allan
2016-Jan-06 15:53 UTC
[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On 1/5/2016 7:19 PM, Lee Brown wrote:
> A total guess would be to use either ldaps:// and don't bother with
> start_tls, or add the :636 to the end of the ldap:// specification as it
> seems to me that start_tls is pretty agnostic regarding whatever
> protocol it works against (SMTP, LDAP, etc.). ie
>
> passdb backend = ldapsam:"ldaps://ldap-server-fqdn"
> #ldap ssl = start_tls
>
> OR
>
> passdb backend = ldapsam:"ldap://ldap-server-fqdn:636"
> ldap ssl = start_tls
>
> Otherwise I'd suggest a packet dump on the ldap machine to see what the
> difference is between what works and what doesn't to provide some clue.

The packet dump is a good idea. I get the same failure using straight SSL to port 636, but wireshark might be able to decode any StartTLS negotiation attempt on the default port. Failing that I guess I'll resort to running smbd in gdb...

Graham
Graham Allan
2016-Jan-06 18:36 UTC
[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On 01/06/2016 09:53 AM, Graham Allan wrote:
> The packet dump is a good idea. I get the same failure using straight
> SSL to port 636, but wireshark might be able to decode any StartTLS
> negotiation attempt on the default port. Failing that I guess I'll
> resort to running smbd in gdb...

tshark tells me the (smbd) client sends a decrypt error (TLS alert code 51) to the ldap server after receiving the certificate, while the working "ldapsearch -ZZ" moves on to client key exchange etc.

Puzzling, it doesn't seem like a certificate validation error, I'd expect that to result in something like codes 42-48.

Graham
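The alert number Graham reads off tshark can also be decoded directly from the record bytes of a capture. The following is an added example, not code from this thread or from the Samba project: a small parser for the TLS record layer that pulls Alert records out of a byte stream, names them using the alert numbers from RFC 5246, and sorts them into the two triage buckets the message distinguishes (certificate validation versus key/signature negotiation). The input bytes are constructed for the example, not taken from a real capture.

```python
# Added example (not from the Samba thread): decode TLS Alert records from a
# raw byte stream so a "decrypt error (51)" can be told apart from the
# certificate-validation alerts (42-48). Alert numbers follow RFC 5246 7.2.
import struct
from typing import Dict, List

CONTENT_TYPE_ALERT = 21      # TLS record content type for Alert
CONTENT_TYPE_HANDSHAKE = 22  # TLS record content type for Handshake

ALERT_LEVELS = {1: "warning", 2: "fatal"}

ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Triage buckets when reading a capture: the certificate bucket points at
# trust-store / CA / hostname problems, the crypto bucket at key, signature
# or cipher-suite problems. The grouping is this example's, not RFC text.
CERTIFICATE_ALERTS = {42, 43, 44, 45, 46, 48}
CRYPTO_ALERTS = {20, 21, 40, 51, 71}


def parse_records(stream: bytes) -> List[Dict]:
    """Split a TLS byte stream into records (type, version, payload).

    A truncated trailing record is reported explicitly rather than dropped,
    since a cut-off capture is a common reason an alert goes unnoticed.
    """
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            records.append({"type": None, "error": "truncated record header"})
            break
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            records.append({"type": ctype, "error": "truncated record body"})
            break
        records.append({"type": ctype, "version": version, "payload": payload})
        offset += 5 + length
    return records


def decode_alert(payload: bytes) -> Dict:
    """Decode the two-byte Alert body into level, description and a bucket."""
    if len(payload) != 2:
        return {"error": "alert body must be exactly 2 bytes"}
    level, desc = payload[0], payload[1]
    if desc in CERTIFICATE_ALERTS:
        bucket = "certificate validation"
    elif desc in CRYPTO_ALERTS:
        bucket = "key/signature/cipher negotiation"
    else:
        bucket = "other"
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "bucket": bucket,
    }


def find_alerts(stream: bytes) -> List[Dict]:
    """Return every decoded Alert record in a TLS byte stream, in order."""
    return [decode_alert(r["payload"]) for r in parse_records(stream)
            if r.get("type") == CONTENT_TYPE_ALERT and "payload" in r]


# Constructed sample: a handshake record with a placeholder 3-byte body,
# followed by the fatal decrypt_error alert (level 2, description 51).
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x03" + b"\x00\x00\x00"   # handshake record (placeholder)
    + b"\x15\x03\x03\x00\x02" + b"\x02\x33"     # alert: fatal, decrypt_error
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_STREAM):
        print(alert)
```

Feed `find_alerts` the TCP payload of the LDAP connection (for example the bytes tshark can export with "Follow TCP Stream") and the first alert it returns is the one that ended the handshake; the bucket tells you whether to look at the trust store or at the key and cipher configuration first.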
Lee Brown
2016-Jan-06 19:34 UTC
[Samba] Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu> wrote:
> On 01/06/2016 09:53 AM, Graham Allan wrote:
>
>> The packet dump is a good idea. I get the same failure using straight
>> SSL to port 636, but wireshark might be able to decode any StartTLS
>> negotiation attempt on the default port. Failing that I guess I'll
>> resort to running smbd in gdb...
>
> tshark tells me the (smbd) client sends a decrypt error (TLS alert code
> 51) to the ldap server after receiving the certificate, while the working
> "ldapsearch -ZZ" moves on to client key exchange etc.
>
> Puzzling, it doesn't seem like a certificate validation error, I'd expect
> that to result in something like codes 42-48.

I'd be very interested to see how you troubleshoot this. I'm running FreeBSD 10.1, samba 4.2.3, but I don't use openldap as the backend, samba is my LDAP now as it does Active Directory. I've found SSL to be incredibly hard to troubleshoot, especially when client certs get involved as it gets hard to determine if the problem is on the server side not liking the client cert, or the client side not liking the server cert. In some cases I've had to bundle the entire chain in a single file, while others I've had to point to a directory of certs.

Good luck and please keep us updated.